
Researchers Find, Analyze Forged SSL Certs In the Wild

Posted by timothy
from the they're-out-there dept.
An anonymous reader writes "A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild. Led by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method (PDF) for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates."
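The certificate-capture step described in the summary can be sketched as follows. This is an added example, not the researchers' code: it pulls the certificate chain out of the server's first handshake flight and compares the leaf's SHA-256 with fingerprints the site knows it serves. It assumes the TLS 1.2-and-earlier layout, where the Certificate message is sent in the clear; `classify`, `build_flight` and the sample byte strings are hypothetical names and constructed data.

```python
import hashlib
import struct

HANDSHAKE, CERTIFICATE = 22, 11  # TLS record content type, handshake message type

def u24(buf, off):
    return int.from_bytes(buf[off:off + 3], "big")

def extract_chain(raw):
    """Return the DER blobs from the Certificate message (TLS 1.2 and earlier layout)."""
    hs, off, pos = b"", 0, 0
    while off + 5 <= len(raw):  # reassemble handshake data across records
        rtype, _version, length = struct.unpack_from("!BHH", raw, off)
        frag = raw[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        hs += frag if rtype == HANDSHAKE else b""
        off += 5 + length
    while pos + 4 <= len(hs):  # walk handshake messages until Certificate
        mtype, mlen = hs[pos], u24(hs, pos + 1)
        body = hs[pos + 4:pos + 4 + mlen]
        if len(body) != mlen:
            raise ValueError("truncated handshake message")
        if mtype == CERTIFICATE:
            certs, i = [], 3  # skip the 3-byte certificate_list length
            while i + 3 <= len(body):
                clen = u24(body, i)
                certs.append(body[i + 3:i + 3 + clen])
                i += 3 + clen
            return certs
        pos += 4 + mlen
    return []

def classify(raw, known_leaf_sha256):
    """Compare the observed leaf certificate with the site's known fingerprints."""
    chain = extract_chain(raw)
    if not chain:
        return "no-certificate"
    return "match" if hashlib.sha256(chain[0]).hexdigest() in known_leaf_sha256 else "mismatch"

def build_flight(certs, split_at=None):
    """Constructed sample flight: placeholder ServerHello, then a Certificate message."""
    wrap = lambda b: len(b).to_bytes(3, "big") + b  # 3-byte length prefix
    hs = b"\x02" + wrap(bytes(38)) + bytes([CERTIFICATE]) + wrap(wrap(b"".join(map(wrap, certs))))
    parts = [hs] if split_at is None else [hs[:split_at], hs[split_at:]]
    return b"".join(struct.pack("!BHH", HANDSHAKE, 0x0303, len(p)) + p for p in parts)

REAL_LEAF, FORGED_LEAF, ISSUER = b"real-leaf-der", b"forged-leaf-der", b"issuer-der"  # constructed stand-ins
KNOWN = {hashlib.sha256(REAL_LEAF).hexdigest()}
```

A "mismatch" result only says the leaf differs from the known set; the reported chain still has to be inspected to tell a corporate proxy or antivirus product from anything else.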

  • by Anonymous Coward on Tuesday May 13, 2014 @09:58AM (#46988973)

    Many businesses implement a man in the middle server that allows them to REGEXP the HTTPS searches and connections. Generally it's a proxy out with a requirement to accept the certificate which is then applied to your local to the proxy connection, but remotely you're handing the company the keys to any accounts/connections used across the board.

    There is a thought of trust your admin not to log your password/financial data etc... It's all quite bizarre but someone thought it was a good idea, or didn't understand the full risk of the implementation.

    Just business doing what business does when it's unbridled and government rules are written by that same business.

  • by moof1138 (215921) on Tuesday May 13, 2014 @10:26AM (#46989217)

    It's very common for research universities to take students from around the globe. This isn't unique to the US, either. For example, here are some of Oxford's PhD students in CS:

    http://www.cs.ox.ac.uk/people/... [ox.ac.uk]

    It's a very positive thing, actually. Provincialism doesn't improve research.
