Richard Forno, 2002-02-13
PKI provides Web users with a false sense of security that undermines the security of their on-line information.
PKI - Breaking the Yellow Lock
2002-02-13
Anonymous (1 replies)
PKI - Breaking the Yellow Lock
2002-02-14
Sjonnie (1 replies)
This whole story could indeed be replaced by
"In reality, all the lock indicates is that the Web-based Internet link between the browser and the Web server is encrypted to prevent data sniffing." as stated so eloquently.
Best regards
Sjonnie...
PKI - Breaking the Yellow Lock
2002-02-15
Anonymous (1 replies)
These attacks have actually been practical since the publication of Dug Song's dsniff, presented at CanSecWest last year: http://www.monkey.org/~dugsong/talks/cansecwest01/...
This is news... how?
2002-02-15
TheReject (2 replies)
Your assertion that the weakness is in the implementation, and not the certificates themselves, is indeed correct; I think you should shift the blame away from the PKI vendors and toward the corporate clients.
Blaming Verisign for a corporation's unencrypted database is absurd at best. The r...
This is news... how?
2002-02-15
Rick Forno (1 replies)
True - and call me an idealist, but the responsible thing to do is provide corporate customers with better pre-sales information, including how to deploy PKI in a secure fashion. Simply securing a webserver/browser link over the Internet doesn't mean the site is any more or less secure. IMHO, the CA...
This is news... how?
2002-02-27
Anonymous
This is ridiculous and irresponsible. Should I even bother pointing out that Entrust's flagship product, TruePass, was specifically designed and marketed as, among other things, a technology to overcome the lack of persistent encryption in SSL? I think the company is quite honest in pointing out ...
This is news... how?
2002-02-19
Chroma Key (1 replies)
Granted, you are correct that the blame needs to be shifted to the corporate clients and not the PKI vendors, VeriSign contributed to the idea that the human side of security is still the weakest point. VeriSign's change in ownership forms were basic email forms that were submitted as a form letter...
This is news... how?
2002-02-20
Anonymous (1 replies)
Also, regardless of whether this is part of Verisign's business model or not, there would be value to a service that would audit a company's security before offering them a certificate. I know I'd feel better shopping at a site that had been independently audited for computer security.
...
This is news... how?
2002-02-22
J. Rogers
OK, so I am a lock manufacturer. If you let someone into your house and they rob you blind, are you going to sue me?
This is terrible journalism. "Breaking the Yellow Lock" a grabber headline that leads the reader to believe that PKI has been broken.
This article belongs in a tabloid. Not sec...
PKI - Breaking the Yellow Lock
2002-02-17
Anonymous
Good call - operating processes are more critical to security outcomes than technology.
But it can be asserted that even SSL is not highly reliable, since it relies on externally (from the security perspective) managed infrastructure called DNS. A 'bad' or hacked ISP DNS can mislead its users into ...
PKI - Breaking the Yellow Lock
2002-02-17
Exothermic Reaction (2 replies)
The secure handling of sensitive data in web server backends is the primary reason I haven't trusted e-commerce yet. Many of the sites I have wanted to do on-line business with either didn't support SSL or, when they did, allowed the same URL to be opened with http: vs. https:, not to mention wh...
PKI - Breaking the Yellow Lock
2002-02-20
Oh, Please (1 replies)
PKI - What has it to do with yellow locks anyway?
2002-03-09
Mark
Absolutely Accurate and Eloquently Put.
That is like catching a plane from New York to Washington, and then complaining that you have to find a way from the airport to your house when you have a perfectly valid airline ticket. The job of PKI is to ensure that the information arrives at the web s...
PKI - Breaking the Yellow Lock
2002-02-20
Anonymous
To be fair, it's probably even *less* secure to mail-order stuff in ways that don't involve e-commerce. Be honest; do you really have any way of knowing that person you read your credit card number to over the phone isn't writing it down for later re-use? What about that waitress in the restaurant...
PKI - Breaking the Yellow Lock
2002-02-18
Anonymous
Forget problems in the technology - there are serious issues with vendor implementation!
I recently discovered the IBM Host on Demand SSL certs expired in January. IBM's answer - rather than issue updated certs - "Just click thru"...
http://www-3.ibm.com/software/network/support/alert/#7 ...
PKI - Breaking the Yellow Lock
2002-02-18
Anonymous
Well written. The message is the same that I learned years ago in early training for the Naval Security Group, "No system can be secured from a significantly motivated person."
The internet is and will, with the exception of certain closed loop applications, always be an open system subject t...
PKI - Breaking the Yellow Lock
2002-02-19
A concerned person
This flaw has been widespread and well known for over a year. Obviously there is no "easy" way to secure an on-line transaction. One method that comes to mind is exchanging the actual public key over a phone instead of the Internet so as to verify the integrity (thus preventing a man-in-the-middle...
PKI - Breaking the Yellow Lock
2002-02-19
A concerned person (1 replies)
This flaw has been widespread and well known for over a year. Obviously there is no "easy" way to secure an on-line transaction. One method that comes to mind is exchanging the actual public key over a phone instead of the Internet so as to verify the integrity (thus preventing a man-in-the-middle...
PKI - Breaking the Yellow Lock
2002-02-20
WillieWang
Who needs a magnetic strip reader? They already have your number and expiration date--on paper and with a signature--and can instantly send it out to hundreds and thousands of people that have intentions of using it illegally if they want to. PKI is no panacea and never will be. But equating ssl ...
PKI - Breaking the Yellow Lock
2002-02-20
emts@telstra.com (1 replies)
I think people are looking at this the wrong way. SSL enables you to know who you are giving your credit card details to, same as doing this over the counter; what happens from there is anyone's guess. Who is stopping the person behind the counter taking your card details when doing face-to-face shop...
PKI - Breaking the Yellow Lock
2002-02-23
Anonymous
2 issues I see:
i) The browser will accept a cert, bearing the site name, from any of the CAs the browser recognises (not those the user has chosen to trust)
ii) the domain name and the machine IP address are not securely linked by the cert, but by the independently managed DNS system, which means...
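The two issues listed above (any CA the browser recognises is accepted, and the name-to-address binding lives in DNS rather than in the certificate) and the out-of-band key verification suggested in the "A concerned person" comments point to the same client-side defences: trust only the CA you actually chose, and pin the server certificate's fingerprint obtained over a separate channel. The following Python is an added example, not code from the thread or from any vendor; the host name, CA file path and pinned fingerprint are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Added example (not from the thread): two client-side controls.
#  (i) Trust only the CA we chose, not every root the browser/OS ships, so a
#      certificate for our site issued by some other recognised CA is rejected.
#  (ii) Pin the server certificate's SHA-256 fingerprint, obtained out of band
#      (e.g. read over the phone), so a DNS redirection to a host presenting a
#      different but otherwise "valid" certificate is still detected.


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fingerprint: str) -> bool:
    """Compare the presented certificate against the pinned fingerprint.

    Accepts the usual 'AB:CD:..' display form as well as bare hex, and uses a
    constant-time comparison so the check itself leaks nothing.
    """
    presented = cert_fingerprint(der_cert).encode()
    expected = pinned_fingerprint.lower().replace(":", "").encode()
    return hmac.compare_digest(presented, expected)


def restricted_context(cafile: str) -> ssl.SSLContext:
    """Client context that trusts ONLY the CA(s) in cafile.

    PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and check_hostname by default;
    load_default_certs() is deliberately not called, so the system store
    (every root the OS/browser recognises) is not consulted at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def connect_pinned(host: str, port: int, cafile: str, pinned_fingerprint: str) -> ssl.SSLSocket:
    """TLS connection that must pass both chain validation and the pin check."""
    ctx = restricted_context(cafile)
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)  # chain + hostname verified here
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned_fingerprint):
        tls.close()
        raise ssl.SSLError("peer certificate does not match the pinned fingerprint")
    return tls
```

Usage is `connect_pinned("shop.example.com", 443, "/path/to/our-ca.pem", "<fingerprint obtained out of band>")`; a redirected or re-issued certificate fails either the chain check or the pin, whichever is hit first.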
PKI - Breaking the Yellow Lock
2002-02-21
Anonymous (1 replies)
This all comes down to the same issue: it is in most cases not the technology that has security flaws, but the way it is implemented and used. The blame is not on the vendors but on the implementors and, in most cases, the customer, the e-commerce or e-business site. Everybody wants security but when st...
PKI - Breaking the Yellow Lock
2002-02-22
Anonymous
It's not budget that is the problem. It's profit versus risk. Business is driven by balancing risks, not by striving for absolutes. Today the risk of loss versus the chance for profits is still considered acceptable by the people that control those budgets. Until adding end-to-end security provides a...
To the Author
2002-02-27
Anonymous (1 replies)
In your article you state:
"The problem is, (SSL Deployments) AREN’T secure. This is a fundamental problem with how PKI is deployed by the industry. And it’s something the PKI vendors such as VeriSign, Entrust, and others don’t want to discuss publicly, since it’s their prof...
To the Author
2002-03-02
Anonymous (1 replies)
I only refer to Bruce Schneier's "Secrets and Lies". There Bruce said security is a process and not a product. How true, how true......
Any encryption, no matter if weak or strong, is useless if the backend stores the data in plain text. I am not concerned about the data transmission itself.... it is the...
To the Author
2002-03-04
Anonymous
I completely agree. The point of the original "To the Author" comment was that any Security company worth its salt will also agree. The author insinuates that certain security companies do not want to talk about weaknesses in SSL implementations, when in fact, they are dying to talk about it because...
Problem with Applications Not with Certification Authorities
2002-03-05
Lalit Bhangale
I am a bit confused here: what shall be the scenarios in which the mentioned myths could be explored..
Everyone nowadays is very clear that PKI shall always be between two parties; the moment one introduces a third one it has to fail... The reason is well known.
Now for this simplicity various ap...
PKI - Breaking the Yellow Lock
2002-03-06
Milind Gokhale
One must clearly understand the difference between PKI technology and the web application. It is the prime responsibility of the web application developer to ensure that the entire processing of the transaction is secured.
PKI is the technology and is to be used as it is supposed to be used and not as per the ...

My hobby for a while has been getting PKI vendors to admit that the product they sell is unnecessary to a legally secure enterprise if proper legal and procedural steps are performed.
SSL is a useful tool, but the awareness that...