Security News You Won’t Want to Miss

It's secure because it says so.Sometimes news comes in waves, and with the recent conclusion of the Black Hat conference in Las Vegas, there’s quite a bit of security news floating around. Here are a few things we thought were especially interesting:

BREACH: The New SSL Attack That’s Hard to Stop

SSL underlies much of the Internet’s security, and attacks against it can be devastating. We want secure transactions with ecommerce sites, safe transmission of passwords, and assurances that we’re interacting with the right people online. Thwarting SSL’s cryptography can undo a lot of that trust and power, making it difficult for people to securely interact with each other online.

This is why many people are worried about a demonstration at Black Hat showing a new method for breaking SSL cryptography called BREACH. The researchers who discovered the method showed that in certain scenarios involving data compression they could extract the underlying ciphertext or secret securing a connection. The attack is complex, but the results were astonishing. During the presentation, the researchers were able to uncover the ciphertext securing an Outlook Web Access session in under 30 seconds.

Unfortunately, there’s no good fix for this problem right now, although Ars Technica has a couple of ideas. The most common recommendation is that you should disable server-side compression. In addition, a member of the Ruby community has also proposed a clever solution that simultaneously offers improved security against cross site request forgery attacks.

RSA Encryption: It May Be Weaker Than We Thought

Also at Black Hat, four security researchers gave a presentation about how the RSA and Diffie-Hellman cryptography algorithms may be cracked in the next 5 years. The researchers believe that new techniques will emerge in the next few years that simplify solving the discrete logarithm problem, which will subsequently cripple these algorithms.

So what does it all mean? Well, RSA turns out to be the foundation of a whole lot of cryptography, including the above mentioned SSL. (It’s not been a good week for SSL.) Breaking RSA would permit attackers to crack SSL and read or modify your personal information (assuming they didn’t get their fill from the BREACH attack).

So what’s the solution to this problem? Well it turns out the NSA, when not reading the emails of regular Americans, has for the last several years recommended we all switch to elliptic curve cryptography (or ECC for short). In a rare case of international agreement, it turns out the Russians have been saying the same thing.

The only catch? Many of the patents for ECC are currently owned by Research In Motion, making it hard for anyone to get a head start implementing it on a global basis. We may be stuck with RSA for a little bit longer.

Problems With Chrome: Password Storage

Continue Reading

SSL is Broken and Nearly Impossible to Fix

SSL is the protocol that underlies most of the Internet’s encrypted traffic, and lately many people have begun to realize that SSL is flawed in a pretty obvious and easily exploited way.

SSL relies on certificates to setup a secure connection between computers. Generating a certificate is easy, and it’s possible to create a valid certificate for any address on the Internet. Certificate authorities (or CAs) ensure trust and prevent mayhem by validating the certificate owner is who they claim to be and then adding a signature to a certificate labeling it as legitimate.

When you visit a secure website, your browser gets a certificate signed by an authority saying that this website is authentic. The browser compares that signature against its own built-in list of known certificate authorities (and their public keys). How many authorities does your browser know about? Try more than 600!

The SSL certificate authority model works well if you assume the authority treats its super-secret private key like the gold in Fort Knox: the key is only handled by a small group of Internet priests who open the vault in a solemn ritual, remove the key, calculate a signature using nothing but slide rules and chalkboards, and then hastily return their private key to the sacred vault. Obviously, most CAs skip this time consuming and expensive process and trust their computer systems to manage their private key securely in a way that’s resistant to theft by outsiders.

If you think 600 different people can secure their data perfectly, then have we got news for you. I could throw a party for 600 of the smartest people in the world, and chances are good that one of them would forget to wear deodorant. You simply can’t trust 600 different certificate authorities to properly manage their private keys.

And this is the problem. All it takes to compromise SSL is to get access to a single private key from one of the 600 certificate authorities. Once I have that, I can create a certificate claiming to be any site on the web, and your browser will accept it without question.

Continue Reading

SSL Bug Slaps Twitter

He's not dead, he's just pining for the fjords!When your app gets hacked because of a bug in your code, that’s pretty bad.  But when your app gets hacked because of a bug in an underlying protocol that’s a building block of the Internet, then you’re looking at a really serious problem.

Such is the case with Twitter, which last week was shown to be vulnerable to a bug in the SSL standard.  SSL is the protocol that encrypts data going back and forth on the web, keeping our credit card numbers, usernames, passwords, and everything else safe and secure.  The trouble is, it’s broken and has been since the mid-1990s.

Right now, the IETF (the standards setting body for the Internet and the closest thing to an Internet Illuminati) has started drafting an update for SSL, but such things take time.  In the mean time, sites like Twitter are suffering the consequences.

Continue Reading