Thursday, November 15, 2012

Non-Browser Software and SSL Certificate validation

Article highlighting software, code & middleware that primarily because of poor API design, and usage/configuration by developers, result in incomplete validation of SSL certificates, thus leaving systems vulnerable to man-in-the-middle attacks.

The author's frightenting conclusion, based only upong logic errors in client-side SSL certificate validation!: "Our main conclusion is that SSL certificate validation is completely broken in many critical software applications and libraries. When presented with self-signed and third-party certificates—including a certificate issued by a legitimate authority to a domain called —they establish SSL connections and send their secrets to a man-in-the-middle attacker."

There is a huge list of software, libraries, e-commerce SDKs, mobile SDKs, etc across many operating systems that are susceptible. This article is a must read for all developers that work with SSL/ security, and the issues should be addressed if you're dependent on any of services mentioned.

Review your usage of SSL in your environment, its one of cornerstones of security on the web and it doesn't take much effort to properly validate a certiifcate chain, and check for revocation.

The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software

Wednesday, November 14, 2012

How to Devise Passwords that Drive Hackers Away

Well its a good article, even if she didn't mention WISeID :-)

By the way the "Only Password you'll ever need."

is now available for Windows and Android with Face Recognition authentication.....

for FREE, so why not download a copy now..