Sunday 11 September 2011

SSL security - diginotar

In case you didn't know, everyone in between your computer and the site you're looking at can see everything you send to that site and everything you receive from it, including usernames and passwords. That is, unless you're using a secure connection to that website. When is it secure? When the address in your URL bar starts with HTTPS instead of HTTP.

The S in httpS stands for secure. The connection is made secure using encryption. Anyone can make an encryption key and certificate, but your browser won't trust just anyone's. It only trusts a set list of companies that make money by giving out certificates. Those companies are called certificate authorities (CAs).

Recently a certificate authority was hacked. The company is called DigiNotar and it hands out SSL certificates. Unfortunately the hackers got access to the system in such a way that they were able to issue themselves certificates for any domain they wished. This means they can pretend to be amazon.com and handle payments, or pretend to be Gmail and collect your username and password.
Of course most browser makers (Apple, Microsoft, Google, Mozilla) have quickly removed DigiNotar from the list of trusted CAs.

But who knows which other CAs have also been hacked? Most hacks go unannounced. Is your 'secure' connection really secure? Goodbye safe feeling when doing online shopping! Goodbye feeling of privacy when reading your mail. Don't even think of being a political activist.

Luckily there is a solution: http://www.networknotary.org/firefox.html
This Firefox plugin (Perspectives) checks the validity of a received certificate not just from your own viewpoint, but from several viewpoints all over the world. That way a local 'man in the middle' attack becomes much more difficult to pull off unnoticed.
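To make the multi-viewpoint idea concrete, here is an added example (my own code, not the post's and not the Perspectives project's) of the check a notary-based client performs: hash the certificate you received, ask independent vantage points what they received for the same host, and only accept when enough of them agree. Everything here is constructed: the "certificates" are placeholder byte strings, the notary names are fictional, and the 75% quorum is an assumed policy, not the plugin's exact rule. It also shows why a rogue certificate from a hacked CA like the one in the post stands out: it may validate locally, but notaries on other networks never see it.

```python
"""Perspectives-style multi-vantage certificate check.

Added example, not code from the post or from the Perspectives project.
Assumptions: notary responses are constructed inline (a real client
fetches them from notary servers), and the quorum rule below is a
simplified stand-in for the plugin's own consistency policy.
"""
import hashlib
from collections import Counter
from typing import Dict

# Constructed placeholder bytes standing in for DER-encoded certificates.
# Only their fingerprints matter here, so the content is arbitrary.
CERT_GENUINE = b"constructed placeholder: certificate the real site serves"
CERT_ROGUE = b"constructed placeholder: certificate from a compromised CA"

NOTARIES = ("notary-eu", "notary-us", "notary-asia", "notary-sa")  # fictional names


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon-separated as browsers display it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_with_notaries(observed: str, reports: Dict[str, str], quorum: float = 0.75) -> dict:
    """Compare the fingerprint we received with what other vantage points saw.

    observed: fingerprint of the certificate our own TLS handshake returned.
    reports:  {notary_name: fingerprint that notary saw for the same host}.
    quorum:   fraction of notaries that must agree with us to call it consistent.

    A certificate that nobody else sees is the signature of a local
    man-in-the-middle: a rogue CA can mint a browser-trusted certificate,
    but it cannot make notaries on other networks receive it.
    """
    if not reports:
        return {"status": "unknown", "agreeing": 0, "total": 0}
    counts = Counter(reports.values())
    agreeing = counts.get(observed, 0)
    total = len(reports)
    if agreeing / total >= quorum:
        status = "consistent"
    elif agreeing == 0:
        status = "mismatch"      # our view is unique: treat as an attack
    else:
        status = "inconsistent"  # partial agreement, e.g. a key rotation in progress
    return {"status": status, "agreeing": agreeing, "total": total,
            "majority": counts.most_common(1)[0][0]}


def scenario_clean() -> dict:
    """All four notaries and we see the genuine certificate."""
    fp = fingerprint(CERT_GENUINE)
    return check_with_notaries(fp, {n: fp for n in NOTARIES})


def scenario_local_mitm() -> dict:
    """We receive a rogue certificate; every other vantage point still sees the genuine one."""
    genuine = fingerprint(CERT_GENUINE)
    return check_with_notaries(fingerprint(CERT_ROGUE), {n: genuine for n in NOTARIES})


def scenario_split() -> dict:
    """Half the notaries already see a new certificate: not enough for quorum."""
    genuine, new = fingerprint(CERT_GENUINE), fingerprint(CERT_ROGUE)
    reports = {"notary-eu": new, "notary-us": new, "notary-asia": genuine, "notary-sa": genuine}
    return check_with_notaries(new, reports)


if __name__ == "__main__":
    for name, result in (("clean", scenario_clean()),
                         ("local MITM", scenario_local_mitm()),
                         ("split", scenario_split())):
        print(f"{name:11s} -> {result['status']} "
              f"({result['agreeing']}/{result['total']} notaries agree)")
```

The "inconsistent" outcome matters in practice: sites rotate certificates, so a client that treated any disagreement as an attack would produce constant false alarms. Perspectives handles this with a quorum and a duration threshold; the example keeps only the quorum part.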

Take note: the DigiNotar hackers also had a certificate for the Firefox add-ons domain. They could be sending you a different version of the plugin than the one you're really looking for. But if you're not in the Middle East or China, I suspect the chances of that happening are somewhat slim.

The Perspectives plugin only helps if you're on a website that's talking HTTPS. Most websites default to HTTP unless you specifically ask for HTTPS. That's somewhat annoying: having to type https all the time, forgetting, etc. There is also a plugin to help with this: http://www.eff.org/https-everywhere
It's not perfect: it only works for a specific list of websites. But you can add your own. It's a start :)
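The "specific list of websites" limitation is easiest to see in code. The following is an added example, my own and not the EFF's extension code: a small rewriter that loads rulesets modelled on the HTTPS Everywhere XML format (target hosts select a ruleset, exclusion patterns opt URLs out, rules rewrite the URL) and upgrades http:// URLs to https:// only for hosts a ruleset covers. The ruleset and hostnames are constructed for the example, and the wildcard handling for `*.host` is my simplification.

```python
"""HTTPS Everywhere-style URL rewriting.

Added example, not code from the post or from the EFF's extension.
The ruleset XML below is constructed and modelled on the extension's
ruleset format; the hostnames (shop.test, mail.test) are fictional.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Pattern, Tuple
from urllib.parse import urlsplit

# Constructed rulesets. A ruleset applies only to hosts listed as <target>;
# an <exclusion> keeps specific URLs on plain HTTP (e.g. a legacy host with
# no certificate); <rule> elements are tried in order and the first hit wins.
RULESET_XML = r"""
<rulesets>
  <ruleset name="Shop (constructed)">
    <target host="shop.test" />
    <target host="*.shop.test" />
    <exclusion pattern="^http://legacy\.shop\.test/" />
    <rule from="^http://(www\.)?shop\.test/" to="https://www.shop.test/" />
    <rule from="^http://" to="https://" />
  </ruleset>
  <ruleset name="Mail (constructed)">
    <target host="mail.test" />
    <rule from="^http://" to="https://" />
  </ruleset>
</rulesets>
"""


class Ruleset:
    def __init__(self, name: str, targets: List[str],
                 exclusions: List[Pattern], rules: List[Tuple[Pattern, str]]):
        self.name, self.targets, self.exclusions, self.rules = name, targets, exclusions, rules


def load_rulesets(xml_text: str) -> List[Ruleset]:
    """Parse <ruleset> elements into compiled regexes."""
    root = ET.fromstring(xml_text)
    out = []
    for rs in root.findall("ruleset"):
        targets = [t.get("host") for t in rs.findall("target")]
        exclusions = [re.compile(e.get("pattern")) for e in rs.findall("exclusion")]
        rules = [(re.compile(r.get("from")), r.get("to")) for r in rs.findall("rule")]
        out.append(Ruleset(rs.get("name"), targets, exclusions, rules))
    return out


def host_matches(host: str, target: str) -> bool:
    """Simplified wildcard: '*.shop.test' matches any subdomain of shop.test (assumption)."""
    if target.startswith("*."):
        return host.endswith(target[1:])
    return host == target


def rewrite(url: str, rulesets: List[Ruleset]) -> str:
    """Return the HTTPS version of url if some ruleset covers its host, else url unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # already https (or not a web URL): nothing to do
    host = parts.hostname or ""
    for rs in rulesets:
        if not any(host_matches(host, t) for t in rs.targets):
            continue
        if any(ex.search(url) for ex in rs.exclusions):
            return url  # explicitly kept on HTTP by the ruleset author
        for pattern, to in rs.rules:
            if pattern.search(url):
                return pattern.sub(to, url, count=1)
    return url  # no ruleset for this host: the post's "only a specific list" caveat


RULESETS = load_rulesets(RULESET_XML)

if __name__ == "__main__":
    for u in ("http://shop.test/cart", "http://api.shop.test/v1",
              "http://legacy.shop.test/old", "http://unlisted.test/"):
        print(f"{u:32s} -> {rewrite(u, RULESETS)}")
```

Adding your own site, as the post suggests, means adding another `<ruleset>` with its `<target>` hosts; without one, the last `return url` is reached and the request stays on plain HTTP.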

Feel safe, use Perspectives! Be safe, use HTTPS Everywhere!
