HTTPS under Attack

by Boshi W
HTTPS might not be as secure as it claims to be, according to a news article published by InformationWeek in early September. Apparently, attackers can abuse an exploit in SSL/TLS implementations and issue false credentials for many popular sites like Gmail and Windows Update. Luckily, these exploits were built by security researchers to illustrate the safety of the browsers. “Juliano Rizzo and Thai Duong have built a tool that’s capable of decrypting and obtaining the authentication tokens and cookies used in many websites’ HTTPS requests,” Schwarts informed, “and many sites relying on SSL/TLS for security can be easily infiltrated and bypassed.” Even the highly secure PayPal authentication cookies can be decoded, exposing decrypted account information and access privileges.

Luckily for us, the security loopholes are currently being patched, and some of the more secure browsers like Opera have already updated their security features to prevent this from happening. While the loopholes are being patched, a new worry has arisen. A vulnerability in Microsoft ASP.NET, which returns semi-detailed error messages, could lead to information leakage, since an educated guess would be all one needed to work out the encryption key being used. It is said that Microsoft is working on an emergency patch to fix this issue.

It's not surprising to me that these loopholes exist no matter how many patches there are. Software is just code put together to do a certain task, and since it follows logic, it cannot outsmart a human being who can work around it to solve a problem. We cannot fully rely on security software to keep our information secure; we should think with our brains when it comes to safety. After all, the best defense is you in control.

Schwarts, M. (2011). HTTPS Vulnerable To Crypto Attack. InformationWeek, 1(1), 1. Retrieved November 19, 2011, from the ProQuest database.