Hacker groups have reported that man-in-the-middle attacks can be used to strip away the benefits of SSL security when transacting online. However, says the inventor of SSL, these are a browser problem and, more so, they're not so black and white.
Dr Taher Elgamal has been in Australia for the AusCERT 2009 Asia Pacific Information Security Conference where he delivered the keynote speech.
Dr Elgamal was the force behind the Secure Socket Layer – or SSL – when he worked for Netscape Communications back in its heyday.
Man-in-the-middle attacks – or MiiM – are so called because, simply put, they inject a proxy in between a browser and a web server. The web browser requests a certificate and the proxy is able to intercept what is returned and deliver its own trustworthy intermediate certificate instead.
Dr Elgamal says this is not a flaw in the SSL protocol itself. It’s actually a problem with the browser trust model and it happens because the browser is able to trust a lot of different things.
In fact, the discussion about browser trust models, he says, has been going on for 15 years. From a security standpoint you want a tighter trust model in the browser. Yet, if you are in the business of shipping a web browser to a billion people then you want the most flexible solution.
As a result, Elgamal argues, web browsers have effectively pushed the burden of trust onto humans. It is the human operator who must ensure they are genuinely using the web site they mean to be, that the site they are using is trustworthy, that their communications are secured.
MiiM attacks can be used for malicious purposes. If a rogue proxy can convince a web browser that it is the bank, and convince the bank that it is the web browser, then the proxy can see all the traffic flowing between the two and can modify it.
The solution, Dr Elgamal says, is that financial institutions must have more control over these situations and that requires a better trust model in the web browser itself for banking applications.
Yet, at the same time, MiiM is not all bad. Elgamal raises the scenario of employees within a company leaking confidential data.
Enterprises lose control of their information when employees start SSL sessions. No matter how many controls are on the corporate desktop these are bypassed when the channel is completely encrypted.
This means there is actually a valid and legitimate reason, he proposes, for enterprises to use MiiM to ensure there is no leakage of data via such encrypted channels.
David Bass