Monday, 27 February 2012 21:09
SSL to secure from hacker attacks


Open-source software developer Kai Engert has proposed an overhaul to the Internet's SSL authentication system, aiming to minimize the damage that would result from the compromise of one of the authorities trusted by major browsers.

Under version 2 (PDF) of Engert's Mutually Endorsing CA Infrastructure proposal, people connecting to Google Mail, Twitter and other sites protected by SSL would draw on one of three randomly selected notaries to verify that the digital credential being presented is valid. By comparing the SSL certificate's contents to data contained in the voucher returned by the notary, the person's Web browser or e-mail program could quickly spot credentials that have been forged, even when they've been signed using the private key of a legitimate certificate authority. The notaries—or "voucher authorities" as they're called—would be made up of existing CAs.

"The introduction and requirement of vouchers has the benefit that controlling a single CA will no longer be sufficient," Engert, a software developer at Red Hat and a contributor to the Mozilla Project's security team, wrote in the proposal. "If the presence of a valid voucher were mandatory, at least two CAs would have to be involved to create a working rogue identity, one CA signing the certificate, another CA using its VA to produce a voucher."

At a minimum, the vouchers would contain a cryptographic hash of the certificate the end user wants to access, a single IP address used by the site, a timestamp recording when the data was collected, and a digital signature using the underlying VA's private key. It might also include data concerning intermediate certificates used by the SSL certificate, recent OCSP—or online certificate status protocol—responses for the certificate and intermediate certificates, and proof that the VA signing certificate hasn't been revoked.
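
The client-side voucher check described above, sketched as an added example (it is not code from Engert's proposal or from this article). The voucher layout, the CA names, the one-hour freshness window, the IP comparison and the rule that the VA must differ from the issuing CA are assumptions made for illustration, and textbook RSA over toy keys stands in for a real signature scheme.

```python
import hashlib
import json

MAX_AGE = 3600  # assumed freshness window in seconds; the article gives none

def _keypair(p, q, e=65537):
    # Textbook RSA over two Mersenne primes: an insecure stand-in for a real
    # signature scheme, used only so the example runs on the standard library.
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

# Constructed toy keys for two CAs that also run voucher authorities (VAs).
_KEYS = {"CA-A": _keypair(2**89 - 1, 2**607 - 1),
         "CA-B": _keypair(2**127 - 1, 2**521 - 1)}
VA_PUBLIC = {name: pub for name, (pub, _) in _KEYS.items()}

def _digest(fields):
    # Canonical encoding of the signed fields, hashed to an integer.
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def issue_voucher(va, cert_der, ip, now):
    """VA side: sign the certificate hash, site IP and collection time."""
    (n, _), d = _KEYS[va]
    fields = {"va": va, "cert_sha256": hashlib.sha256(cert_der).hexdigest(),
              "ip": ip, "timestamp": now}
    return {**fields, "sig": pow(_digest(fields), d, n)}

def check_voucher(voucher, cert_der, issuer_ca, peer_ip, now):
    """Client side: (ok, reason) for the certificate the server presented."""
    fields = {k: v for k, v in voucher.items() if k != "sig"}
    if fields.get("va") not in VA_PUBLIC:
        return False, "unknown VA"
    n, e = VA_PUBLIC[fields["va"]]
    if pow(voucher.get("sig", 0), e, n) != _digest(fields):
        return False, "bad signature"
    if fields["va"] == issuer_ca:  # two distinct CAs must be involved
        return False, "VA is the issuing CA"
    if fields["cert_sha256"] != hashlib.sha256(cert_der).hexdigest():
        return False, "certificate hash mismatch"
    if fields["ip"] != peer_ip:  # assumed check against the connected address
        return False, "IP mismatch"
    if not 0 <= now - fields["timestamp"] <= MAX_AGE:
        return False, "stale voucher"
    return True, "ok"
```

A certificate minted by a compromised CA-A fails here in both ways the proposal anticipates: the honest VA's voucher carries the hash of the genuine certificate, and a voucher produced by CA-A's own VA is refused because it involves no second CA.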

Fractures in the Web's foundation of trust

Critics have complained for years that the web of trust used to prevent eavesdropping on webmail, banking transactions, and other sensitive Internet-based sessions is hopelessly broken. With more than 600 entities authorized to mint certificates that are trusted by major browsers, all it takes is the compromise of one of them for an attacker to forge a credential for any site. That point was dramatically underscored last year when hackers breached Netherlands-based DigiNotar and created counterfeit credentials for Google Mail, Mozilla's add-ons download site, and other sensitive services. The Gmail certificate alone was used to snoop on an estimated 300,000 Gmail users, an audit later showed.

Since then, a flurry of competing alternatives and enhancements to the fractured SSL system have surfaced. Among them is Convergence, proposed by Moxie Marlinspike, a researcher who has repeatedly exposed serious flaws in the underlying SSL protocol. Convergence relies on a loose confederation of notaries that independently vouch for the validity of a given SSL certificate. One of the key benefits of the system is a "trust agility" that allows users to query specific notaries they trust.

It also provides privacy protections not available with regular SSL. Under the current system, certificate authorities track huge numbers of requests for SSL-protected websites and map them to individual IP addresses. Convergence uses two separate notaries that are intentionally kept in the dark when vouching for a certificate. One notary gets to see the IP address of the Convergence user but not the SSL certificate she wants validated. The other one sees the certificate but not the IP address.

Last year, Convergence got a strong endorsement from security firm Qualys, when it deployed two notary servers. Developers for Google Chrome, meanwhile, have said they have no plans to add it to the browser.

Google researchers have proposed their own fixes (PDF) for the ailing SSL system. Under their new system, CAs would be required to publish the cryptographic details of every credential they sign to a publicly accessible log that's also been cryptographically signed to guarantee its accuracy. Some CAs have baulked at the proposal, saying it would require them to part with proprietary customer data. The Google plan would also place technical burdens on websites and browser makers, these critics have said.

The latest proposal comes a day after Ivan Ristic of Qualys released a set of SSL/TLS deployment best practices (PDF) that administrators can follow to avoid common configuration mistakes. He said that his company has conducted surveys and found that two-thirds of all SSL servers are badly set up and that of the remaining third "many have application-level issues that fully compromise SSL."

"The truth is that most experts are attracted to the CA trust problem, but, in reality, most SSL installations fail because of configuration and implementation errors," he added.

"Like speaking with a corpse in your mouth"

The changes envisioned by Engert are in many ways similar to Convergence, except that notaries would be limited to existing CAs and would be chosen randomly by the client software rather than by the end user. Marlinspike characterized the difference as a major shortcoming.

"This is just Convergence without the good parts," he wrote in an email. "The problem we need to solve is the lack of trust agility in the CA system. Speaking about solutions to the CA system which don't provide trust agility is like speaking with a corpse in your mouth."

The proposed fix is also receiving a chilly reception from some CAs. Comodo Senior Scientist Phillip Hallam-Baker wrote: "It might help if implemented. But probably not very much. Having two parties do essentially the same check in the same way is not likely to result in much reduction in risk."

In his own email to Ars, Engert said the proposal is an update to one he first floated (PDF) at a security conference late last year.

"The document v2 is the result of thinking about the initial ideas more, taking into consideration the thoughts and feedback that I had received from various sources," he wrote. "I'm hoping my proposal can be helpful inspiration for finding a solution for the trust problem."
