digg

Facebook Connect Join Digg About

Breaking Web Browsers' Trust

technologyreview.com Researchers reveal a flaw with the way most Web browsers treat secure connections.

Who dugg this? Made popular May 22, 2009

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

21 Comments

show profanity settings
expand all
  • badwithcomputer, on 05/22/2009, -2/+16i break web browsers for breakfast
  • jggube, on 05/22/2009, -4/+13The problem stems from broken, outdated connection protocols. It's like emails, if you guys only knew how poor emails are in terms of security and performance, you'd never use it.
  • mattofasia, on 05/22/2009, -0/+6They can steal all they want! Nobody needs to pay anyone back these days.
  • inactive, on 05/22/2009, -0/+6I would expect more technology in an article published by MIT Technology Review. This article may as well have been from Reader's Digest.
  • freezerburn666, on 05/22/2009, -2/+6I'M MUCH MORE AFRAID OF SHARKS
  • FredFredrickson, on 05/22/2009, -0/+2We're talking about web browsers here, not web browsers.
  • Frayed_Knot, on 05/24/2009, -0/+2Yes, a proxy can be a man in the middle, but the certificates won't match.
    This is sometimes the way things are set up in corporate IT environments. They want to see (and filter) what their employees are up to, so they intercept the SSL connection between the employee's browser and the SSL server. The corporate proxy server will also make an SSL connection back to the employee's browser, so he still sees "https" in his address bar, but if he looked at the certificate, he'd see that it's from his company's proxy server, not his bank or whatever.

    Yes, this means that his employer can be spying on all his SSL traffic. Passwords and everything.

    Is this a flaw in the browser? It's debatable. All it could really do is draw more attention to it, but most users would ignore that anyway.
  • Trevahaha, on 05/22/2009, -0/+2Requests, but not the contents of the messages when they finish the handshake. The proxy is just aware of the communication between the two, along with routers, firewalls, etc.
  • uggyed, on 05/30/2009, -0/+1You're right and you're wrong. The encryption on EV is the same, but from my experience the green url bar IS useful for preventing phishing attacks, because users have a more obvious way of differentiating between "real" urls and "phish" urls (as far as I know the green url bar has not been duplicated successfully by scammers). It's no more technologically robust -- it's just a better way to prevent user error, which is how phishers succeed.

    Plus, CAs research companies who buy EV certs more thoroughly.

    >>They could have made all SSL connections show the green bar to indicate your on a secure site,

    Actually this I somewhat agree with, but SSL connections are too easy to get or "self-sign," so turning everything green would pretty much land us the same position.
  • Elohir, on 05/22/2009, -1/+2I do a bit of web security testing and I was amazed when I found out SSLd requests are fully visible to an intermediate (man-in-the-middle style) proxy.
  • akoto, on 05/22/2009, -1/+2I was wondering the same thing. All the other webkit browsers seem to have made the list.
  • MarineDigg80, on 05/22/2009, -1/+2I am just glad that it was people working for the good of all that found this flaw before the scammers hackers and everyone who would utilize it to their own ends did. (damn if only I had know) JK
  • fungie5, on 05/23/2009, -0/+1Safari is always the first browser to be hacked in hacking competitions, and it was the only browser to be hacked by drive-by methods this year's PWN2OWN hacking competition.

    It's more likely that they never tested Safari - their investigative tools are probably Windows-based and at the time of their investigation (in 2007) Safari had probably not yet been ported to Windows and was still Mac-only (the Windows version only came out on June 11th 2007).
  • Frayed_Knot, on 05/24/2009, -0/+1I eat pieces of ***** like you for breakfast.
  • v4vishal, on 05/22/2009, -0/+1Why do you scream? That too in poor English.
  • eriic, on 05/30/2009, -0/+0Extended validation is just a scam against website operators.
    They charge $700 for them to activate a green bar that does nothing.

    Its no more secure then ordinary SSL, its not harder to crack or use better encryption, the only difference is the color of the bar, there are no other differences whatsoever.

    They could have made all SSL connections show the green bar to indicate your on a secure site, but instead they want people to think the green bar makes them more secure, so website operators are forced to spend $700 instead of $12, like the theives care about spending someone elses stolen money.

    Its like painting your front door green, but not changing the locks.
  • uggyed, on 05/24/2009, -0/+0As continually distressing as all of these vulnerability findings are, at least this one seems to be getting to the heart of the problem -- browser technology rather than encryption technology. Honestly, there's not a great solution to this problem -- as Frayed Knot points out, the only real existing safeguard is to try to draw more attention to MITM attacks when they occur. I might quibble with the point that "most users ignore" such solutions, however -- Extended Validation SSL, for example, has proven highly effective as a phishing/MITM warning, and it'll only get more effective as more sites start using it. It would be even better, however, to see browsers tightening up connections between themselves and websites, but I don't know what it'll take for that to happen.
  • eriic, on 05/24/2009, -0/+0lol i figured this trick out years ago when i worked at an office that would bring up an "access denied" message to some SSL pages.

    How you do it is when your browser is configured to use a proxy, to connect to SSL page it sends a command like
    "CONNECT www.paypal.com:443 HTTP/1.1"

    Now normally the proxy will return a code "220 OK" and the encrypted ssl connection will work and be fully secured.
    But the proxy can also deny the CONNECT request and show an error page (of the proxys choice) to the browser.

    A man in the middle, or a malicious proxy could deny the connection but send back an "error" page that LOOKS like what the user would expect if the connection succeeded.

    The URL bar would still say https, the padlock would be missing but still very effective.
    Perfect phishing scam.
  • renanrrinaldi, on 05/22/2009, -2/+2I'm a shark!
  • naderslim, on 05/22/2009, -4/+3Safari doesn't seem to be mentioned at all. I'm wondering if it is more secure, or perhaps it wasn't included in their testing?
  • dryhump, on 05/22/2009, -9/+3Who cares. Oh no, someone just spied on me telling my wife about my obnoxious co-workers. The horror!

    If you are sending your credit card numbers or w-2's through email you are a dumbass.

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.