MessiandNeymar


Thursday, November 8, 2012

SSL Certificate Validation

Posted on 8:19 AM by Unknown

I quite enjoyed this recent paper: The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software

We present an in-depth study of SSL connection authentication in non-browser software, focusing on how diverse applications and libraries on Linux, Windows, Android, and iOS validate SSL server certificates. We use both white- and black-box techniques to discover vulnerabilities in validation logic. Our main conclusion is that SSL certificate validation is completely broken in many critical software applications and libraries. When presented with self-signed and third-party certificates—including a certificate issued by a legitimate authority to a domain called AllYourSSLAreBelongTo.us—they establish SSL connections and send their secrets to a man-in-the-middle attacker.

Security is interesting; there are so many different ways to get it wrong!
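The two certificate classes named in the abstract (self-signed and third-party) correspond to two separate client-side checks: chain validation and hostname verification. The following is an added example, not code from the paper or from this post; it uses Python's standard `ssl` module as a stand-in client, and the function names are hypothetical.

```python
import ssl


def accepted_bad_certs(ctx):
    """Name the bad-certificate classes a client-side SSLContext would accept."""
    accepted = []
    # CERT_NONE skips chain validation entirely, so any certificate passes,
    # including one the server operator signed themselves.
    if ctx.verify_mode == ssl.CERT_NONE:
        accepted.append("self-signed")
    # Without hostname checking, a certificate legitimately issued for some
    # other domain is accepted for the host actually being contacted.
    if not ctx.check_hostname:
        accepted.append("third-party")
    return accepted


def no_validation():
    """Weak: both checks off (the 'just make the error go away' setup)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared first; see note below
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only():
    """Weak: chain is validated, but the certificate's name is never compared."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def full_validation():
    """Corrected: library defaults, chain validation plus hostname check."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for build in (no_validation, chain_only, full_validation):
        print(f"{build.__name__}: accepts {accepted_bad_certs(build()) or 'neither'}")
```

Python refuses to set `verify_mode` to `CERT_NONE` while `check_hostname` is still enabled, which is why `no_validation` has to switch off both checks explicitly and in that order.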
