[sf-lug] USB has critical vulnerability.

Rick Moen rick at linuxmafia.com
Fri Aug 8 20:55:27 PDT 2014


Quoting Jeff Bragg (jackofnotrades at gmail.com):

> It's worse than just that.  A bunch of things seem to be stunningly broken.
> 
> More info from the BlackHat conference:
> http://techcrunch.com/2014/08/08/black-hat-breakdown/
> 
> A breakdown for non-experts of the multiple ways TLS/SSL is broken:
> http://bh.ht.vc/summary.pdf

TLS/SSL has been known to be badly broken for quite a few years.
Bruce Schneier's chapter in _Secrets and Lies_ about how deficient
the Certificate Authority system is, was a real eye-opener, for example.

I note that the BlackHat presentations give further reasons to distrust
the use of external single-signon providers by large service providers
(such as Facebook, Google, Twitter, LinkedIn, etc.) if you seriously 
expect TLS session encryption to give you any kind of privacy, and 
also to distrust cloud servers handling multiple alleged private sites'
traffic.

The Cookie Cutter attack is possible only if HTTP cookies get sleazed
outside the HTTPS channel, which unfortunately is sadly common.  

It is _supposed_ to be preventable entirely if the Web site includes HTTP
Strict Transport Security (HSTS) headers with all content:  This header
signals the browser that connections to the site should always use
TLS/SSL for everything with no fallback to HTTP for any reason.  
The talk slides say something about 'truncation' playing havoc with this
intention, but I can't figure out from the slides alone what the meaning
is.

The slides stress how important 'same origin policy' in a browser is,
and I agree.  That's one reason I use several of the Firefox browser 
extensions I do, to try to prevent cross-domain monkey business on the
Web, notably RequestPolicy and NoScript (referring, here, to its
Anti-XSS functions).

I note in passing that NoScript has the ability to force HTTP cookies 
unconditionally over HTTPS.
