This may be what Biden calls "a big fuckin deal". Anyone who accepts cards directly on their site or otherwise uses an SSL cert needs to pay attention to this.
Thanks for the link. I just had this conversation with my programmers. For another project requiring secure transfers of data, they told me how vulnerable we could be.
"The time men spend in trying to impress others they could spend in doing the things by which others would be impressed."
Although I agree this is a big big problem, let's all accept the fact that Man-In-The-Middle attacks are not easy on the internet. You would need access to one of the main routers on the net to make this matter big time. Of course a spyware system running on a client's system is now able to decrypt SSL then, but it could grab the data after decryption anyway...
I know very few people that have access to major routers on the net and would use them to hack SSL streams.
"Think about it a little more and you'll agree with me, because you're smart and I'm right."
- Charlie Munger
Hmm.
That kind of access... let's think... should be making 40k-75k a year on average...
vs. what it could make...
overnight...
So they have to actually be watching for that connection, pretty much in control of your computer or server, or really an entire network, so no sniffing these out, which makes this really fucking hard. Then they still have to guess what some keys are; it doesn't decrypt everything, it takes 30 mins to do one cookie, they still have to guess at some data, and the encryption changes on the next transaction?
While this needs to get fixed, it's a rather weak hack.