|
|
|
Identity Threats in Next Generation Protocols |
Si vous voulez bloquer ce service sur vos fils RSS
Si vous voulez nous contacter ou nous proposer un fil RSS
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Présentation : Today most of the identity oriented transactions on the Internet are done via plain old HTML forms and, if we're lucky, over SSL. And once again, something that seemed sufficient at first, is showing strain as usage grows. HTML HTTP ends up providing a pretty clumsy and inadequate way to do identity transactions. It offers a poor user experience and wasn't really designed with security in mind. This has contributed to much of the grief over fraud, phishing, etc. Our primary defense mechanism against such threats has historically been the SSL certificate, but we know users don't read those. We also know users don't look too carefully at URLs even when they are not obsfucated . Some of the more risk prone sites have resorted to different site authentication gimmicks like image recognition, though these, too, seem to fail to improve the situation much. The point is that we've reached a time when finally there seems to be enough pressure to drive us to adopt some better or at least improved methods of handling identity data. Certainly, we've seen this before, though most of the previous efforts have been very enterprise focused which doesn't help the average guy trying to buy a camera off some Internet merchant or auction site . Two particular efforts seem to be gaining traction Microsoft's Cardspace and an open effort called OpenID. These both provide significant improvements in usability and security model. It remains to be seen if they will be widely adopted and how well the design holds up against attack long term. While a detailed security analysis of each of these efforts would be interesting, it's a little beyond the length of the average blog entry here. But it is educational to take a look at how each effort deals with the issue of site authentication. I think this is one of the key security considerations of any identity solution. Even if the system itself is very strong, once I decide to give my information to someone, I need to trust that it will be handled it properly. To do that I need to know who I'm dealing with. Cardspace uses extended validation certificates to address the problem of site authentication. The general notion of an EV cert is that there is more validation done before it is given, and that browsers will indicate if an EV cert is present or not to guide the user. I don't really think this is going to solve the problem much, if at all. First, better validation is a trade off. Stronger validation often ends up squeezing out the legitimate little guy. Yet, if you lower the requirements to accommodate a broader group, you open up potential for the bad guys to more easily get certified. This has been pointed out by several people in the security community. It's also questionable if users will even pay attention to the extended information. A recent paper suggests that it will offer little improvement. In the OpenID model, there has been discussion of risks where a user connects to a malicious merchant who then basically phishes their authentication credentials to the OpenID server. This would allow the phisher to later connect to other sites with the user's credentials. The core of this problem, of course, is the user's ability to authenticate the site or at least the OpenID server . Last week at RSA there was an interesting announcement about OpenID and Cardspace working together. One thing this would allow is the use of Cardspace authentication between the user and the OpenID server. Because Cardspace authentication is not based on simple username password it would not allow the phisher to capture and reuse authentication information. The general notion of movement away from user pass would be good a thing, though we'll see how this gets implemented. This still doesn't solve the mutual authentication problem, but it does limit the damage that would be done in such a phish scenario. Finally, I'm not sure we've really seen a good solution to the site authentication problem yet. Certainly moving away from user pass and other easily captured credentials is a good step. But it still doesn't help me know who I'm talking to and if or how much I should trust them. I don't think EV certs are going to solve that problem. I think we'll need to do something more.
Les mots clés de la revue de presse pour cet article : identity
Les videos sur SecuObs pour les mots clés : identity
Les éléments de la revue Twitter pour les mots clé : identity
Les derniers articles du site "Symantec Connect Security Response Billets" :
- What you need to know about election apps and your personal data
- Microsoft Patch Tuesday April 2016
- New Adobe Flash Player exploit used by Magnitude and Nuclear exploit kits
- Latest Intelligence for March 2016
- New Flash zero-day exploited by attackers in the wild
- Samsam may signal a new trend of targeted ransomware
- Four tax scams to watch out for this tax season
- Most prevalent Android ransomware in the West arrives in Japan
- Taiwan targeted with new cyberespionage back door Trojan
- Seven Iranians charged in relation to cyberattacks against US
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Si vous voulez bloquer ce service sur vos fils RSS :
- avec iptables "iptables -A INPUT -s 88.190.17.190 --dport 80 -j DROP"
- avec ipfw et wipfw "ipfw add deny from 88.190.17.190 to any 80"
- Nous contacter par mail
| Mini-Tagwall des articles publiés sur SecuObs : | | | | sécurité, exploit, windows, attaque, outil, microsoft, réseau, audit, metasploit, vulnérabilité, système, virus, internet, usbsploit, données, source, linux, protocol, présentation, scanne, réseaux, scanner, bluetooth, conférence, reverse, shell, meterpreter, vista, rootkit, détection, mobile, security, malicieux, engineering, téléphone, paquet, trames, https, noyau, utilisant, intel, wishmaster, google, sysun, libre |
| Mini-Tagwall de l'annuaire video : | | | | curit, security, biomet, metasploit, biometric, cking, password, windows, botnet, defcon, tutorial, crypt, xploit, exploit, lockpicking, linux, attack, wireshark, vmware, rootkit, conference, network, shmoocon, backtrack, virus, conficker, elcom, etter, elcomsoft, server, meterpreter, openvpn, ettercap, openbs, iphone, shell, openbsd, iptables, securitytube, deepsec, source, office, systm, openssh, radio |
| Mini-Tagwall des articles de la revue de presse : | | | | security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité |
| Mini-Tagwall des Tweets de la revue Twitter : | | | | security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack |
|
|
|
|
|
