I've been concerned about this for a while - now my concerns are validated! Thanks Michael!
It also begs the question about computer apps and SSL -- the more I think about it. I just assumed...
The listed problems are not limited to Android apps using SSL. They are also present in non-browser apps using SSL on many platforms. See the recent paper from M. Georgiev et al. [1]
Furthermore, SSL has been seriously challenged by the community in the last year. This is a good thing as SSL/TLS becomes dominant and thus an interesting target. It is important to discover the vulnerabilities of the protocol and of the different implementations and use. We have made a review of the latest discovered issues of SSL in our security newsletter 22. (http://eric-diehl.com/wp-content/uploads/2012/05/Security-Newsletter-22.pdf)
[1] M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov, "The most dangerous code in the world: validating SSL certificates in non-browser software," Proceedings of the 2012 ACM Conference on Computer and Communications Security, New York, NY, USA: ACM, 2012, pp. 38–49.
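The failure mode the cited paper describes is a non-browser client whose TLS configuration has had certificate or hostname verification switched off, usually to silence an error during development. The following Python snippet is an added example, not code from this thread or from the paper: it builds the weak client context beside a hardened one and runs a small audit over an `ssl.SSLContext`, so a reviewer can flag the pattern in a code base before it ships. The function and finding names (`insecure_context`, `hardened_context`, `audit_context`, `NO_CERT_VERIFY`, etc.) are this example's own.

```python
import ssl
from typing import List

# Finding codes emitted by audit_context(); the names are this example's own.
NO_CERT_VERIFY = "NO_CERT_VERIFY"       # peer certificate is not verified at all
NO_HOSTNAME_CHECK = "NO_HOSTNAME_CHECK" # certificate is verified, but not bound to the host name
WEAK_MIN_TLS = "WEAK_MIN_TLS"           # protocol floor below TLS 1.2
NO_TRUSTED_CAS = "NO_TRUSTED_CAS"       # no CA certificates loaded, so verification cannot succeed


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: a client that 'makes the certificate error go away'.

    Order matters here: check_hostname must be cleared before verify_mode can
    be set to CERT_NONE, otherwise the ssl module raises ValueError. This
    context will happily complete a handshake with any certificate at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """A client context that actually validates the peer.

    create_default_context() gives CERT_REQUIRED, check_hostname=True and the
    system trust store; the minimum version is pinned explicitly so the result
    does not depend on the interpreter's defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of findings for a client SSLContext (empty means clean)."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_CERT_VERIFY)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    # TLSVersion is an IntEnum, so MINIMUM_SUPPORTED and TLSv1/TLSv1_1 compare below TLSv1_2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(WEAK_MIN_TLS)
    # cert_store_stats() reports how many CA certificates the context trusts.
    if ctx.cert_store_stats().get("x509_ca", 0) == 0:
        findings.append(NO_TRUSTED_CAS)
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(f"{name}: {audit_context(ctx) or 'no findings'}")
```

The `NO_TRUSTED_CAS` finding can also fire on a hardened context when the interpreter is running somewhere without a system CA bundle (a minimal container, for instance); that is a real finding, since such a client would fail closed on every connection and is exactly the situation in which someone is tempted to reach for `CERT_NONE`.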
It is always good to get input from you and your team. That is quite a newsletter. The cover is neat. A recent article of mine was about side-channels and VMs. Also congratulations on the book.
One of my big concerns with mobile SSL is session riding - maybe Trusteer will come up with something; but quite frankly, I have no idea whether Chrome can mitigate that problem or not; or even if it has a sandbox in mobile versions.
They have been up front about SSL/TLS. It's the apps that are not.