
Comodo hack may reshape browser security

suraj.sun (1348507) writes | more than 3 years ago


suraj.sun (1348507) writes "Major browser makers are beginning to revisit how they handle Web authentication after last month's breach that allowed a hacker to impersonate sites including Google, Yahoo, and Skype. Currently, everyone from the Tunisian government to a wireless carrier in the United Arab Emirates that implanted spyware on customers' BlackBerry devices and scores of German colleges are trusted to issue digital certificates for the largest and most popular sites on the Internet.

Microsoft's manager for trustworthy computing, Bruce Cowper, told CNET that the company is "investigating mechanisms to help better secure" certificate authorities, and Ben Laurie, a member of Google's security team, said the Mountain View, Calif., company is "thinking" about ways to upgrade Chrome to highlight possibly fraudulent certificates that "should be treated with suspicion."

Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation who has compiled a database of public Web certificates, says one way to improve security is to allow each Web site to announce what certificate provider it's using.

CNET News"



Better idea... (1)

jonwil (467024) | more than 3 years ago | (#35707734)

Do away with greedy certificate providers like VeriSign altogether.
Store a hash of the certificate in DNS and use DNSSEC to ensure the hash (and the IP address of the server) can't be tampered with.

Certificates under this model wouldn't even include any identifying information (e.g. the company name of the company who owns the certificate).
All that SSL/DNSSEC/etc. should be doing is A. Making sure that you are talking to the correct computer for the domain you are trying to access and not another computer where a hacker has hacked the DNS records and B. That the public key being used to secure the conversation matches the private key held by the computer at the other end and not a private key held by someone listening in on the conversation.

If we can validate that the certificate being offered is the one generated by the legal owners of the domain name, we shouldn't need to care that said certificate was issued to "PayPal, Inc." or that some company has been paid to verify that "PayPal, Inc." is who they claim to be.
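Both proposals on this page, Eckersley's "let each site announce which certificate provider it uses" (the submission above) and jonwil's "store a hash of the certificate in DNS and protect it with DNSSEC" (the comment above), reduce to the same client-side check: fetch a DNSSEC-validated record for the host, then compare the presented certificate (or its issuer) against what the record pins. The following is an added example, not code from the submission, CNET or the commenter; it uses the field layout that RFC 6698 (DANE TLSA) later standardized for exactly this record. It is stdlib-only, so the certificates are constructed dummies with the outer shape of X.509 DER and fake key and signature bytes, labelled as such; the DER walker handles only what the check needs (the SubjectPublicKeyInfo field), and the hard-fail policy when no record matches is a choice made here, not something the page prescribes.

```python
"""Pin a site's certificate, or its CA, in DNSSEC-signed DNS, DANE/TLSA style.
Added example, stdlib only. The certificates are constructed dummies with the
outer shape of X.509 DER and fake key/signature bytes, not real certificates."""
import hashlib
from dataclasses import dataclass


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def _header(data: bytes, i: int):
    """Parse tag and length at offset i -> (tag, length, value_offset)."""
    tag, n, j = data[i], data[i + 1], i + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, j = int.from_bytes(data[j:j + k], "big"), j + k
    return tag, n, j


def der_value(elem: bytes) -> bytes:
    _, n, j = _header(elem, 0)
    return elem[j:j + n]


def der_children(body: bytes):
    """Split a SEQUENCE body into (tag, raw_tlv_bytes) pairs."""
    out, i = [], 0
    while i < len(body):
        tag, n, j = _header(body, i)
        out.append((tag, body[i:j + n]))
        i = j + n
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of a certificate, tag and length included.
    TBSCertificate = { [0] version OPTIONAL, serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ... }"""
    tbs = der_children(der_value(cert_der))[0][1]
    fields = der_children(der_value(tbs))
    if fields[0][0] == 0xA0:                       # explicit [0] version present
        fields = fields[1:]
    return fields[5][1]


@dataclass(frozen=True)
class TLSA:                 # RFC 6698 field layout
    usage: int              # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int           # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int           # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def tlsa_matches(cert_der: bytes, rr: TLSA) -> bool:
    if rr.selector == 0:
        subject = cert_der
    elif rr.selector == 1:
        subject = extract_spki(cert_der)
    else:
        return False                               # unknown selector: unusable
    if rr.matching == 0:
        return subject == rr.data
    if rr.matching == 1:
        return hashlib.sha256(subject).digest() == rr.data
    if rr.matching == 2:
        return hashlib.sha512(subject).digest() == rr.data
    return False


def dane_verify(chain, records, dnssec_validated: bool, pkix_valid: bool) -> bool:
    """chain[0] is the server certificate, chain[1:] the issuers it presented.
    dnssec_validated: the resolver validated the TLSA answer; without that the
    record is as forgeable as any DNS reply, so this hard-fails (policy choice).
    pkix_valid: ordinary CA validation, required by usage 0/1 in addition."""
    if not dnssec_validated or not records:
        return False
    for rr in records:
        if rr.usage in (0, 1) and not pkix_valid:
            continue
        if rr.usage in (1, 3) and tlsa_matches(chain[0], rr):
            return True                            # end-entity pin matched
        if rr.usage in (0, 2) and any(tlsa_matches(c, rr) for c in chain[1:]):
            return True                            # permitted issuer present
    return False


def _dummy_cert(cn: bytes, key_bytes: bytes) -> bytes:
    """Constructed, unsigned certificate-shaped DER for this example only."""
    sig_alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
    name = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, cn))))
    validity = seq(tlv(0x17, b"230101000000Z"), tlv(0x17, b"240101000000Z"))
    spki = seq(seq(tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05, b"")),
               tlv(0x03, b"\x00" + key_bytes))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              sig_alg, name, validity, name, spki)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" + bytes(32)))


SERVER_CERT = _dummy_cert(b"example.com", b"\x01" * 64)
CA_CERT = _dummy_cert(b"Example Root CA", b"\x02" * 64)
ROGUE_CERT = _dummy_cert(b"example.com", b"\x03" * 64)    # same name, attacker's key
# "3 1 1": SHA-256 of the server's own SPKI, the model the comment proposes.
PIN_EE = TLSA(3, 1, 1, hashlib.sha256(extract_spki(SERVER_CERT)).digest())
# "2 0 1": SHA-256 of the single CA allowed to issue for the site.
PIN_CA = TLSA(2, 0, 1, hashlib.sha256(CA_CERT).digest())
```

The two pins behave differently against the incident the article describes. With `PIN_EE` (usage 3, the commenter's model) a certificate for the right name under a different key is rejected no matter who signed it, and no CA is consulted at all. With `PIN_CA` (usage 0 or 2, the "announce your provider" model) a certificate mis-issued by some other CA is rejected, but anything the pinned CA itself signs still passes, so it does not help if the pinned CA is the one that was compromised. Both pins are only as strong as `dnssec_validated`: a client that accepts the TLSA answer without validation has merely moved the trust problem from the CA to whoever can spoof DNS.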
