The death knell for SSL is getting louder. Researchers at the University of Texas at Austin and Stanford University have found that poorly designed APIs in SSL implementations and data-transport libraries are to blame for certificate-validation vulnerabilities in many security-critical non-browser software packages.

Serious vulnerabilities were found in programs such as Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, the Trillian and AIM instant messaging clients, popular integrated shopping cart packages, Chase's mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man-in-the-middle attack.

"This is exactly the attack that SSL is intended to protect against," states the research paper "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software." "It does not involve compromised or malicious certificate authorities, nor forged certificates, nor compromised private keys of legitimate servers. The only class of vulnerabilities we exploit are logic errors in client-side SSL certificate validation."

SSL encrypts network communications between clients and servers, but that encryption only protects against an active attacker if the client first authenticates the server by validating its certificate. The research, done by Martin Georgiev, Suman Jana and Vitaly Shmatikov of the University of Texas at Austin and Subodh Iyengar, Dan Boneh and Rishita Anubhai of Stanford University, focuses on this server-authentication step in non-browser software. The team examined applications and libraries running on Linux, Windows, Android and iOS, and how each of them validates SSL certificates.
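The class of bug the paper describes is not a cryptographic break but a client that never asks the right questions about the server's certificate: either the chain is not verified at all, or the chain is verified but the name in the certificate is never compared to the host the client dialed. The following is an added example, written for this page and not taken from the paper or from any of the software it names; it uses Python's standard `ssl` module to build the two broken client configurations beside the correct one, and an `audit_context` helper (a hypothetical name chosen here) that reports which of the two checks a given context skips.

```python
"""Client-side certificate validation: two broken configurations and the correct one.

Added example for illustration; not code from the paper or from the products it studied.
Uses only Python's standard ``ssl`` module, so it runs offline without opening a socket.
"""
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """Chain validation AND hostname checking disabled.

    This is the worst case the paper describes: any certificate, including a
    self-signed one minted by a man in the middle, is accepted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared first; Python refuses CERT_NONE while it is set.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_client_context() -> ssl.SSLContext:
    """Chain validated against the trust store, but the hostname is never checked.

    A valid certificate issued to *any* name, e.g. one the attacker legitimately
    bought for a domain he owns, is accepted for the host we meant to reach.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """The correct configuration: CERT_REQUIRED plus hostname matching.

    create_default_context() sets both and loads the system trust store.
    """
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings describing which server-authentication checks
    the context skips. An empty list means both checks are enabled.

    Hypothetical helper written for this example.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(
            "verify_mode=CERT_NONE: certificate chain is not verified; "
            "a self-signed MITM certificate is accepted"
        )
    if not ctx.check_hostname:
        findings.append(
            "check_hostname=False: certificate name is not matched to the target host; "
            "a valid certificate for any other name is accepted"
        )
    return findings


if __name__ == "__main__":
    for label, factory in (
        ("insecure", insecure_client_context),
        ("chain-only", chain_only_client_context),
        ("secure", secure_client_context),
    ):
        problems = audit_context(factory())
        print(f"{label:10s} -> {'OK' if not problems else '; '.join(problems)}")
```

The middle case is the subtle one and the one most of the paper's findings fall into: the connection succeeds, the certificate really was signed by a trusted CA, and the developer has every reason to believe validation "worked", yet the client would accept an attacker's certificate for a different domain. A well-known instance of this confusion, discussed in the paper, is cURL's `CURLOPT_SSL_VERIFYHOST`, where the value `1` only checks that a common name is present rather than that it matches, so callers who pass `TRUE` (which is `1`) get exactly the chain-only behaviour above.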