a changing network security landscape is difficult for even the biggest tech companies to wrestle with
coderman
coderman at gmail.com
Tue Sep 11 01:16:37 UTC 2007
five weeks after presenting the dangers at BlackHat, Google, eBay,
MySpace, Yahoo, Microsoft and a slew of others are still unable to
resolve the problem. [0]
the spreading popularity of wireless data networks may do more for
protecting Tor users against malicious exit nodes than any other
efforts in progress. perhaps big names pushing the HTTPS message will
help inform and protect users who seem to give little heed to the
prominent and oft repeated instructions to ensure encryption is used
over Tor when privacy of content, in addition to location, is needed.
it's been interesting to watch 10 years of wireless data network
deployments evolve from high dollar corporate manufacturing domains
into a myriad of applications, from free community wifi to city wide
metro networks, business offices and hotels saturated with access and
even truck stops offering high speed connectivity. the first FHSS
deployments i was involved in that long ago gave no thought to
security; an unencrypted, open link to the corporate intranet
communicating with ERP databases literally driving the entire
enterprise wasn't even a blip on the radar. when a radio costs $2000
and an access point multiples of that, the risk was low even though
the security was non-existent.
now the inverse is true, and perhaps the tide will shift to adapt to
the new realities that have brought long known weaknesses to the
forefront of the discussion. Google, as much as we all loathe their
data retention policies, appears to be doing the most in this regard.
hopefully the others will take notice and users themselves will change
behavior as these subjects become ever more visible. [1]
next time someone gives Tor heat for the perceived risks of an
untrusted network i'll point to the nearest access point and ask why
web 2.0 doesn't get its share of scrutiny for the same tough
problems. :)
best regards,
0. Web sites may transmit authentication tokens unencrypted
http://www.kb.cert.org/vuls/id/466433
... still no progress, with the companies in question dragging their feet...
1. World's biggest websites no match for decade-old web bug
http://www.theregister.co.uk/2007/09/08/security_group_warns_of_web_vulnerabity/
"""
US CERT warned that Google, eBay, MySpace, Yahoo, and Microsoft were
vulnerable, but that list is nowhere near exhaustive. Just about any
banking website, online social network or other electronic forum that
transmits certain types of security cookies is also susceptible.
...
Indeed, awareness of this man-in-the-middle vulnerability is by no
means new. For more than a decade people have known that
authentication cookies could be manipulated, but somehow it took the
folks at Errata Security to make a presentation at Black Hat to remind
the world that the risks continue.
...
But you'd think the collective brainpower and considerable
pursestrings at the world's most elite tech companies would by now
have found a way to tackle a problem that leaves attackers free to
rifle through their users' most intimate details. It begs the
question: is this problem unsolvable or are these guys simply
uninterested in figuring it out?
...
If you're waiting for a fix, we recommend you pack a very large lunch.
And beyond that, where possible you might switch to Google, which has
already gone a long way to closing the hole.
As the only web-based email service we know of that offers a
start-to-finish SSL session, the service is among the most resilient
to cookie hijacking. Unfortunately, Gmail doesn't enable persistent
SSL by default, and has done little to educate its users about its
benefits.
"""