Dark Reading
Protect The Business - Enable Access
Do more than just cursory scans. Develop
a holistic approach to app security.
Find out how!
Learn to take the ambiguity out of managing IT so you can guide your business forward.
Download now!
Use these tips from Gartner to identify the EPP solution that best suits your business.
Download now!
The Future of Web Authentication
Many security experts believe the Internet's trust model is broken. Figuring out how to fix it will take time and collaboration By Ericka Chickowski
Web authentication protocols took a pounding last year. Problems with the Secure Sockets Layer and Transport Layer Security protocols, which encrypt all sorts of communication among websites, were at the center of several security breaches. Hacks of high-profile certificate authority providers undermined the security of some of the Internet's biggest brands, including Google and Yahoo; new man-in-the-middle attacks hit the Web; and the powerful Beast vulnerability exposed the most commonly used versions of SSL and TLS.
Taken as a whole, it appears the Internet's trust model is broken. However, many security experts aren't ready to scrap SSL. Rather than starting over, they recommend fixing the existing system. It's clear that we need to evolve the way we authenticate on the Web; the question is, how?
"Anything that requires us to migrate the entire Internet to a different protocol isn't going to happen," says Moxie Marlinspike, a noted SSL researcher and co-founder of Whisper Systems, a mobile security software developer that Twitter acquired in November. "Right now, particularly in this space, ideas are easy, but it's getting it done that's the hard part."
How We Got Here
Netscape created SSL in the 1990s as a way to encrypt sensitive information transmitted as part of online transactions--from login credentials to financial transactions. TLS 1.0 came out in 1999 (nearly identical to the then-current SSL version), and new versions have followed. While TLS is the most advanced protocol for authenticating online transactions, common parlance often refers to it as SSL.
Web authentication rests on the integrity of the certificate authorities. CAs check the identities of websites and issue public key infrastructure certificates, which are then used to verify websites' authenticity and enable the transmission of encrypted information between Web browsers and SSL servers.
When a person wants to view or interact with an HTTPS site--a secure site that uses the SSL protocol--the Web browser requests that the Web server identify itself. The server provides a copy of its SSL certificate, and the browser decides if it trusts the certificate and the site before agreeing to exchange encrypted data (see diagram, below).
The weak links in the SSL scheme are that there's no overarching system or authority to rate, rank, or approve CAs, and there are no standards for how certificates are issued. It's up to the browser vendor to decide whether to trust a specific CA, and those vendors haven't been careful enough with those decisions.
1 | 2 | 3 | Next Page »
CA To Acquire Authentication Vendor Arcot Systems Inc. 08/30/2010
China, Taiwan Nab 450 Suspects In Biggest Fraud Raid Ever 08/30/2010
DNS DDOS Threats and Corresponding Mitigation Strategies 03/23/2010
Spoofing Server - to - Server Communication: How You Can Prevent It 03/11/2010
DIGITAL ASSETS
Understanding Web Application Security Challenges
08/24/2010
 |
To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy. |
Subscribe to RSSHow To Detect And Root Out Sophisticated Malware
Are You A Human Confirms Man Or Machine With Games
State Of Utah Fires Tech Director Over Breach
MORE KEYHOLE
Published:2010-11-03
Severity:High
Description:Stack-based buffer overflow in SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX control (Aventail.EPInstaller) before 10.5.2 and 10.0.5 hotfix 3 allows remote attackers to execute arbitrary code via long (1) CabURL and (2) Location arguments to the Install3rdPartyComponent method.
Published:2010-11-03
Severity:High
Description:Untrusted search path vulnerability in VIM Development Group GVim before 7.3.034, and possibly other versions before 7.3.46, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse User32.dll or other DLL that is located in the same folder as a .TXT file. NOTE: some of these details are obtained from third party information.
Published:2010-11-03
Severity:Medium
Description:Multiple cross-site scripting (XSS) vulnerabilities in wp-content/plugins/cforms/lib_ajax.php in cforms WordPress plugin 11.5 allow remote attackers to inject arbitrary web script or HTML via the (1) rs and (2) rsargs[] parameters.
Published:2010-11-03
Severity:High
Description:Multiple SQL injection vulnerabilities in search.php in WSN Links 5.0.x before 5.0.81, 5.1.x before 5.1.51, and 6.0.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via the (1) namecondition or (2) namesearch parameter.
Published:2010-11-03
Severity:Medium
Description:SQL injection vulnerability in misc.php in DeluxeBB 1.3, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the xthedateformat parameter in a register action, a different vector than CVE-2005-2989, CVE-2006-2503, and CVE-2009-1033.
|
