More Security Failures in the Intarwebz
Last summer, I brought you the story of how the Domain Name System (DNS) was under threat and how many of the world’s top tech companies were working together to solve it. Unfortunately, not everyone has updated the software on their servers to fix this flaw. While it’s not as big a threat as it was last summer, it still poses a danger to the web. Almost a year ago, I explained a flaw in the encryption system that you use to securely connect to online banking sites and to safely purchase goods from Amazon, eBay, and many others. Today there’s more news about ways that this encryption (HTTPS) can fail.
The new attack is what’s known as a “man in the middle” attack. What this means is that some evildoer, or someone who just wants your money, watches your network and waits for you to go to your bank’s website. When you do that, the evildoer inserts himself in the middle of the communication and can start adding to the information that’s going back and forth. This allows him to do all sorts of nasty stuff, from stealing your online banking information to tricking your browser into downloading malicious software onto your computer. Ideally, this is one of the things that the encryption is supposed to prevent: if all the communication between you and the server is protected with encryption, no one can insert themselves into your conversation. However, there is a flaw in the design of the protocol which allows this to happen at a crucial moment.
The flaw came to prominence a few weeks ago, but many researchers said that it was so difficult to exploit that it wouldn’t be a serious security threat. Then, a few days ago, a Turkish student used the flaw to steal some user names and passwords for Twitter. Fear not, he was not being malicious, but simply proving to the security community that this is a serious flaw that needs to be taken seriously instead of simply being dismissed. Twitter has since made changes to prevent the same thing from happening again, and industry groups have begun meetings to determine a more permanent fix for this problem. These meetings have been going on since September, but it’s unclear whether a solution has been found yet. This, like the other security problems I’ve written about before, will be fixed soon, but it will take a long time for the fix to come into wide use. It’s also a reminder that even our best and brightest will sometimes make mistakes with wide-ranging impacts on our economy and the way we communicate.
image by http://www.flickr.com/photos/23905174@N00/