Saturday, October 24, 2009

The browser model is broken

I'm not a security specialist, but I find IT security a very interesting topic. As a longtime listener of the Security Now podcast, I listened to another interesting story: "The Broken Browser Model". The talk was inspired by a presentation given at the Black Hat conference.

The main message of the podcast is how insecure it is to mix HTTP and HTTPS. HTML that arrives over an insecure connection can be manipulated by a man-in-the-middle (for example after ARP spoofing), who rewrites every https:// URL (and more) into a plain, insecure http:// one. The man-in-the-middle then sets up the SSL connections itself and can sniff all the information going over them. A 24-hour test at an (unnamed) public hotspot revealed passwords for Yahoo, Gmail, PayPal and more, without any of the users noticing anything.
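As an added illustration from the site owner's side (my own example, not code from the podcast or the Black Hat talk), here is a small Python check that parses a login page and reports any password form whose submit target is not https://, which is exactly the condition that lets a man-in-the-middle read the credentials. The hostnames and markup are made up; the "stripped" sample shows what a user behind such an attacker would receive.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collect every <form> and note whether it contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: {"action": absolute URL, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL itself.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_logins(html, page_url):
    """Return action URLs of password forms that would be submitted over plain HTTP."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return [f["action"] for f in auditor.forms
            if f["password"] and urlsplit(f["action"]).scheme != "https"]


# Constructed sample: the login page as the site really serves it (hostname is made up).
ORIGINAL = ('<form action="https://mail.example.test/login" method="post">'
            '<input name="user"><input type="password" name="pw"></form>')

# Constructed sample: the same markup as a user behind a man-in-the-middle would receive,
# with the https:// target already downgraded to http://.
STRIPPED = ('<form action="http://mail.example.test/login" method="post">'
            '<input name="user"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    print(insecure_logins(ORIGINAL, "http://mail.example.test/"))  # []
    print(insecure_logins(STRIPPED, "http://mail.example.test/"))  # ['http://mail.example.test/login']
```

A form with no action attribute inherits the scheme of the page it was loaded from, so a login form on a page fetched over plain HTTP is flagged too.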

