Last week was a terrible week for password breaches. First LinkedIn revealed that ~6.5 million password hashes were posted online. Hot on the heels came the news that online dating website eHarmony and streaming music site Last.fm have suffered similar breaches.
Are these breaches a surprise? No, not really. Websites entice customers by offering compelling features and services, and customers are rarely willing or able to compare the security properties of competing services. Even if a website uses SSL to protect a password in transit, the password will typically be exposed on web servers and datacentre networks every time it is supplied by the user before it is hashed for comparison.
Continue reading "The death of the password?" »
Weaknesses in the SSL protocol (the protocol for encrypting information over the internet) or in the public certificate authority (CA) ecosystem that underpins it have received a lot of coverage recently, and the last couple of weeks have been no exception. The pervasive nature of SSL and its unique role in securing ecommerce and numerous cloud services make SSL attractive to security researchers and attackers alike. However, many of the lessons learnt are in no way specific to SSL and must be applied to other Public Key Infrastructure (PKI) and encryption deployments if we're to avoid handing potential attackers a skeleton key to our sensitive data or critical infrastructure:
- Recent research by École Polytechnique Fédérale de Lausanne has reminded us that, for encryption or digital signatures to be effective, keys must have a strong provenance as well as strong protection for their entire lifecycle. Keys generated by a software algorithm without a good source of entropy (randomness) can be easy to crack and so are vulnerable to attack.
Continue reading "No skeleton key – protecting your organisation on the web" »
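The entropy point above is easiest to see with numbers. When a key generator is short of randomness, two keys can end up sharing an RSA prime, and a single gcd of the two public moduli then recovers the private factors of both. The audit below is an added example, not code from this blog or from the EPFL researchers: it takes a constructed set of toy public moduli (tiny primes so it runs instantly; real keys are ~1024-bit primes but the arithmetic is identical), flags every modulus that shares a factor with another, and confirms the recovered factors. The key names and prime values are constructed for illustration.

```python
import math
from itertools import combinations

# Constructed toy RSA moduli. P_SHARED stands in for a prime that two
# "devices" both produced because their generator lacked entropy.
P_SHARED = 1000003   # reused prime (constructed)
Q_A = 1000033
Q_B = 1000037
P_C = 1000039
Q_C = 1000081

KEYS = {
    "device-A": P_SHARED * Q_A,   # weak: shares P_SHARED with device-B
    "device-B": P_SHARED * Q_B,   # weak: shares P_SHARED with device-A
    "device-C": P_C * Q_C,        # healthy: shares no factor with anyone
}


def find_shared_factors(moduli):
    """Return {key_name: (p, q)} for every modulus that shares a prime
    with another modulus in the set.

    Pairwise gcd is O(n^2) in the number of keys, which is fine for an
    audit of a few thousand certificates; the published large-scale
    surveys use a batch-gcd product tree for the same check."""
    weak = {}
    for (name_a, n_a), (name_b, n_b) in combinations(moduli.items(), 2):
        g = math.gcd(n_a, n_b)
        # A non-trivial common divisor is a shared prime: both keys are broken.
        if 1 < g < n_a:
            weak[name_a] = (g, n_a // g)
            weak[name_b] = (g, n_b // g)
    return weak


def verify_factoring(moduli, found):
    """Sanity check: every recovered (p, q) must multiply back to its modulus."""
    return all(p * q == moduli[name] for name, (p, q) in found.items())


if __name__ == "__main__":
    hits = find_shared_factors(KEYS)
    for name, (p, q) in sorted(hits.items()):
        print(f"{name}: modulus factored as {p} * {q}")
    print("all recovered factors verified:", verify_factoring(KEYS, hits))
```

Running the audit against a real certificate inventory only needs the public moduli, so it is a check a defender can perform on their own fleet without ever touching a private key; any hit means the affected keys must be revoked and regenerated on hardware with a proper entropy source.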
It's good news that Google have announced their continued expansion of the use of SSL, which means that certain Google searches (and their results) will be encrypted. There has already been pressure to turn on encryption at corporate and domestic WiFi hotspots to prevent theft of passwords and other information by sniffers on the local hotspot, but it must be remembered that this only protects communication between the user's computer or phone and the WiFi access point. Traffic flowing on the wired network across the various hops and interconnection points that make up the internet on its way to websites such as Google is typically unencrypted. The solution is for website operators to deploy technologies like SSL to provide end-to-end encryption from the consumer all the way back to their site. It's good to see that https (aka SSL) is now gradually replacing http, even for free services like Google search.
Continue reading "SSL- moving forward" »