Thursday, October 8, 2009

Typing Mostly Misunderstood



Over the course of the last couple of months I have blogged on the weaknesses of SSL. In fact, the new improved EV (Extended Validation) SSL can be manipulated by the bad guys because of inherent weaknesses in browsers...

Here's more on Secure Sockets Layer web sessions from Dark Reading

At the end of the day, the cause of all these problems is that we continue to "type" (some call it "entering") credit/debit card numbers and passwords into a box in the browser. Typing is still mostly Misunderstood...





SSL Still Mostly Misunderstood

By Kelly Jackson Higgins, Dark Reading

Most users ensure their Web sessions are using Secure Sockets Layer (SSL) before entering their credit card information, but less than half do so when typing their passwords onto a Web page, according to a new survey.



Just what SSL does and doesn't do isn't clear to many users, and the way Websites implement it doesn't help: "The biggest issue is the general population doesn't know what SSL is, why they're using it, and it's ingrained in them that it always makes them secure, which is not always the case," says Tyler Reguly, senior security engineer for nCircle, who surveyed a cross-section of users -- technical and nontechnical -- and shared the results of his findings today during a panel presentation about SSL at the SecTor Conference in Toronto.



Reguly's survey found that while 83 percent of users check they're using an SSL-secured session before entering their credit card information on a Website, only 41 percent do so when typing in their passwords. "It's scary that people care so little about their passwords than they do about their credit card numbers," he says. "You see surveys saying that anywhere from 30 to 60 percent of users are using the same password everywhere, so they're probably using it for online banking, too."



It has been a rough year for SSL, with the groundbreaking man-in-the-middle hack by researcher Moxie Marlinspike, which dupes a user into thinking he's in an HTTPS session when in reality he has been taken elsewhere by the attacker, as well as a demonstration by researcher Mike Zusman showing how several certificate authorities (CAs) themselves are vulnerable to attacks when issuing SSL certificates. And Dan Kaminsky at Black Hat USA exposed critical flaws in X.509 certificate technology used in SSL.
