17 August 2017
Cedric Pariente

IT and Market Finance

Cedric Pariente - Racine Alpha

Finextra community

Transaction Fraud Systems and Analysis

A community for discussion of transaction fraud systems and analytical techniques for bank card and financial services organisations.

SSL Critical Security Weakness Revealed

19 July 2009  |  4017 views  |  1


This is not news to the experts, but SSL (Secure Sockets Layer) is not as secure as it is supposed to be.

SSL is the subject of a critical security fix. The fix does not concern the SSL encryption itself, but the authentication of the website at the other end of the connection: the certificate that tells the browser who it is talking to.

To establish an SSL connection, a website must possess a certificate. However, one method of obtaining these certificates, domain validation, is easy to abuse: the certificate authority checks only that the applicant controls the domain name, not who the applicant is. A hacker can therefore register a look-alike domain, upload a copy of a legitimate website there, and obtain a valid certificate for it; the user's browser then shows the padlock because the certificate matches the name the user was lured to, not because the site is genuine. This is the basic approach of most phishing attacks.

To combat these attacks, a new generation of certificates has been introduced. EV (Extended Validation) certificates are issued only after stronger due diligence on the entity that operates the website, so they cannot be obtained by a hacker, supposedly.

Even EV certificates are not a perfect solution, though. On an open WiFi hotspot it is possible to take control of the DNS (Domain Name System) of the access point and redirect the traffic to a fake website once the user has authenticated on the legitimate one. In this case the browser does not see the trick, and neither does the user: the EV certificate vouches only for the connection the browser actually made to the legitimate name, and says nothing about where the user's traffic goes afterwards.
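To make concrete what a domain-validated certificate does and does not guarantee, here is a small Python example (added here, not code from the original post) that applies the same dNSName matching rule a browser uses on the certificate's Subject Alternative Name list: exact match, or a wildcard that covers exactly one left-most label. It runs over constructed hostnames and certificate names (the `example-bank.com` and `secure-session.test` domains are invented for the illustration) and shows that a look-alike domain with its own valid certificate passes the browser's check, while an attacker who redirects the real hostname but cannot obtain a certificate for it does not. The `registrable_domain` helper is a simplification that takes the last two labels; real code would consult the Public Suffix List.

```python
"""Browser-style hostname matching, applied to the domain-validation phishing case.

Added example: not from the original post. Hostnames, certificate names and the
"trusted" brand domain below are constructed for illustration; nothing touches
the network.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the SAN dNSName `pattern` covers `hostname`.

    A wildcard is honoured only as the whole left-most label ("*.example.com")
    and matches exactly one label, so "*.example.com" covers "www.example.com"
    but neither "example.com" nor "a.b.example.com". Comparison is
    case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire first label, nowhere else, and must not be
    # used to cover a whole registrable domain ("*.com").
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(san_names, hostname: str) -> bool:
    """The padlock check: does any SAN entry cover the hostname the user typed?"""
    return any(name_matches(name, hostname) for name in san_names)


def registrable_domain(hostname: str) -> str:
    """Simplified: the last two labels. Assumption made to keep the example
    self-contained; production code must use the Public Suffix List so that
    e.g. "bank.co.uk" is not reduced to "co.uk"."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(hostname: str, trusted_domain: str) -> bool:
    """True when the hostname contains the trusted brand's domain as text but is
    not actually under that registrable domain: the look-alike pattern that
    domain validation cannot distinguish from the real thing."""
    host = hostname.lower()
    return (trusted_domain.lower() in host
            and registrable_domain(host) != registrable_domain(trusted_domain))


def evaluate(hostname: str, san_names, trusted_domain: str = "example-bank.com"):
    """Return (padlock_shown, lookalike) for one connection attempt."""
    return cert_matches_host(san_names, hostname), lookalike_of(hostname, trusted_domain)


# Constructed cases (not real domains):
#   1. the genuine site with a certificate naming it exactly
#   2. the genuine site behind a wildcard certificate
#   3. a phishing look-alike domain with its own domain-validated certificate
#   4. DNS redirection of the genuine name to a host whose certificate names
#      the attacker's domain instead
CASES = [
    ("login.example-bank.com", ["login.example-bank.com", "www.example-bank.com"]),
    ("login.example-bank.com", ["*.example-bank.com"]),
    ("login.example-bank.com.secure-session.test",
     ["login.example-bank.com.secure-session.test"]),
    ("login.example-bank.com", ["*.example-bank.com.secure-session.test"]),
]

if __name__ == "__main__":
    for host, sans in CASES:
        padlock, fake = evaluate(host, sans)
        print(f"{host:48} padlock={str(padlock):5} lookalike={fake}")
```

Cases 1 and 2 show the padlock for the genuine site; case 3 shows it too, because the certificate is genuinely valid for the attacker's own name, which is exactly the weakness the post describes. Case 4 shows why controlling DNS alone is not enough to impersonate the real hostname over SSL: the redirected connection fails the name check, so the attacker needs the victim to end up on a name he holds a certificate for.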


Feel free to leave your comments and feedback.


Tags: Security

Comments: (1)

Dean Procter - Transinteract - Sydney | 20 July, 2009, 01:38

Finextra readers are very well informed and the experts who read my blog on Finextra would have been aware back in February.

I don't like to harp on with too much bad news (especially before Christmas, when the SSL flaw was outed) because we all know there is plenty of that, and I thought I'd leave that to the identity theft expert while I went and cured us of identity theft.

It is important to remind us all that the internet is mostly illusion, especially when it comes to security.

Perhaps the illusion will embrace EV as it did green browser bars and the rest of the bull we got last year, but - as you point out - it's not perfect - and I would agree that a solution need not be perfect, but we must be aware of its limitations.

Half a year of naked surfing while we waited for the 'fix' to SSL wouldn't have done much harm anyway eh? That horse has long ago bolted and given birth to a herd of wild ponies.

