NEWS - October 26, 2012
by Carol~ - 10/26/12 9:27 AM
Phony certificates fool faulty crypto in apps from AIM, Chase, and more
"Researchers conclude: 'SSL certificate validation is completely broken' in many places."
Researchers have uncovered defects in a wide range of applications running on computers, smartphones, and Web servers that could make them susceptible to attacks exposing passwords, credit card numbers, and other sensitive data.
The Trillian and AIM instant messaging apps and an Android app offered by Chase Bank are three apps identified as vulnerable to so-called man-in-the-middle attacks. Like the other dozen or so applications identified, the threat stemmed from weak implementations of the secure sockets layer and transport layer security protocols. Together, the technologies are designed to guarantee the confidentiality and authenticity of communications between end users and servers connected over the Internet.
The weak implementations caused the programs to initiate encrypted communications without first assessing the validity of the digital certificates on the other end. As a result, one of the fundamental guarantees of the SSL—that the computer on the other end of the connection belongs to the party claiming ownership—was fundamentally compromised. Instead, the apps will trust imposter certificates that are signed by attackers or fail established validity tests for a variety of other reasons.
"Our main conclusion is that SSL certificate validation is completely broken in many critical software applications and libraries," a team of researchers wrote in a paper titled The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software (pdf). ..
Continued: http://arstechnica.com/security/2012/10/faulty-ssl-fooled-by-phony-certificates/
SSL certificates and "the most dangerous code in the world"
SSL Vulnerabilities Found in Critical Non-Browser Software Packages
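
The failure described in the article above, shown as an added example that is not part of the original post, the Ars Technica article, or the researchers' paper: a client TLS configuration that skips certificate validation, next to one that keeps it, with a small audit that reports which checks are off. It uses Python's standard `ssl` module; the function names and finding labels are made up for this illustration.

```python
import ssl

def audit_context(ctx):
    """Return the certificate checks this client context would skip."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        # Any certificate is accepted, including one an attacker signed.
        findings.append("chain-not-verified")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("certificate-optional")
    if not ctx.check_hostname:
        # A certificate issued for some other host name is accepted.
        findings.append("hostname-not-checked")
    return findings

def weak_context():
    """Encrypts the connection but never validates the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def chain_only_context():
    """Verifies the signing chain but not who the certificate names."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

def hardened_context():
    """Library defaults: chain verification and host name check both on."""
    return ssl.create_default_context()

if __name__ == "__main__":
    for name, build in [("weak", weak_context),
                        ("chain-only", chain_only_context),
                        ("hardened", hardened_context)]:
        print(name, audit_context(build()) or "ok")
```

An audit like this can run in unit tests or at start-up, so that a context with validation switched off fails before it is ever used for a connection.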