Hacker conference announces internet security flaw
Just when you thought it was safe to go online, the hackers at Def Con announced a new security flaw in the way websites prove their validity. Currently, websites that deal with personal information use SSL technology to maintain a secure connection. You may be more familiar with SSL security as the little padlock icon that shows up in most browsers or the "s" that follows "HTTP" in a web address. Generally these indicators mean that anything you transmit to the website is secure, but these newly found flaws allow someone to tap the connection.
Basically this flaw lets a hacker trick your web browser into not looking further at a web address that has a special character in it, letting unscrupulous individuals pose as a legitimate site. From there they can collect personal information and even install software on your computer.
The good news is that the Seattle Post checked in with Microsoft and Mozilla, who make the world's most popular browsers, and learned that the issue is currently being investigated. Mozilla, makers of the Firefox browser, indicated that its latest update fixed a portion of the problem, and told the Post that, "the rest will be fixed in an update coming this week."
So take note: the next time your browser asks you to update it and you think of dismissing the notification since you're super busy, you might be saving yourself a headache down the road by spending three minutes getting up to date. Do it now, before the hackers have time to fully exploit this issue and begin attacking out-of-date computers.
While it may seem easy to get angry with the hackers at Def Con 17 for telling the world about this security issue, you should actually be thanking them. By publishing this issue they are essentially forcing the security experts who deal with SSL technology to get to work fixing the problem instead of relying on security through obscurity. The proof? Shortly after this flaw was revealed, VeriSign, the company that handles SSL certificates, received applications for sites trying to exploit this security issue and turned them all down.
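The article does not name the special character. This added example (not code from any browser or from the Def Con presenters) assumes it is a NUL byte embedded in the site name inside a certificate, and sets a name check that stops reading at that byte beside one that does not. The struct, the function names and the sample name are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* A site name as carried in a certificate: raw bytes plus an explicit length,
   so it may contain a NUL byte in the middle. */
struct cert_name {
    const char *data;
    size_t len;
};

/* Constructed sample: a name with a NUL byte embedded after the first part. */
static const char SAMPLE[] = "login.example.com\0.other.example.net";

struct cert_name sample_name(void)
{
    struct cert_name n = { SAMPLE, sizeof(SAMPLE) - 1 };
    return n;
}

/* Flawed check: treats the name as a C string, so the comparison stops at
   the first NUL byte and never looks at what follows it. */
int match_truncating(const struct cert_name *cn, const char *host)
{
    return strcmp(cn->data, host) == 0;
}

/* Hardened check: refuse any name containing a NUL byte, then compare every
   byte. Case folding and wildcards are left out to keep the example short. */
int match_length_aware(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return cn->len == strlen(host) && memcmp(cn->data, host, cn->len) == 0;
}

int main(void)
{
    struct cert_name n = sample_name();
    const char *host = "login.example.com";

    printf("name length in certificate: %zu bytes\n", n.len);
    printf("truncating check accepts:   %d\n", match_truncating(&n, host));
    printf("length-aware check accepts: %d\n", match_length_aware(&n, host));
    return 0;
}
```

The same 36-byte name passes the first check and fails the second, which is why the fix has to land both in browsers (the update the article urges) and at the certificate issuer that reviews the requested name.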



Reader Comments
8-03-2009 @ 2:42PM
Ken Smith said...
I have a PaulToni at myway dot com scam ongoing onto my AT & T card. How do I get rid of it?
8-03-2009 @ 10:05PM
Allen said...
Tim Callan, vice president of product marketing at VeriSign, responds to the BlackHat/DefCon presentations in his new SSL blogpost:
https://blogs.verisign.com/ssl-blog/2009/07/busy_day_at_black_hat.php
He fills some of the holes that these researchers dug.
@allenkelly
8-03-2009 @ 10:07PM
Josh Smith said...
Thanks! It's great to get a clear, concise breakdown like that.
8-04-2009 @ 9:52PM
Liz said...
Admittedly I was way too relaxed about my browser environment until I became more aware of the infamous browser breach of SSL, email phishing, etc.
I subscribe to security blog RSS feeds so I am privy to Firefox version updates, and I have trained my 20-something kids to look for Extended Validation SSL when shopping/banking.
Computer maintenance is just like housekeeping. Ignore it long enough and some nasty stuff starts collecting in the corners of your room.