Editor's Note: I received a couple of emails regarding my post: Comparing Apples to...Let Just Say "The Real Deal" saying I was wrong and that transactions conducted by typing your credit card number into a mobile phone, using SSL is safe.
Here's one quote from an email: "SSL and other mechanisms are available to iPhone developers to do this right. There is nothing fundamentally insecure about entering a credit card number into a browser with SSL enabled"
Oh? Let me remind you that SSL was hacked back in February. Guess he must have been out sick that day...
Hacker pokes new hole in secure sockets layer • The Register
Here's one quote from an email: "SSL and other mechanisms are available to iPhone developers to do this right. There is nothing fundamentally insecure about entering a credit card number into a browser with SSL enabled"
Oh? Let me remind you that SSL was hacked back in February. Guess he must have been out sick that day...
Hacker pokes new hole in secure sockets layer • The Register
Website encryption has sustained another body blow, this time by an independent hacker who demonstrated a tool that can steal sensitive information by tricking users into believing they're visiting protected sites when in fact they're not. Unveiled at Black Hat security conference in Washington, SSLstrip works on public Wi-Fi networks, onion-routing systems, and anywhere else a man-in-the-middle attack is practical.
It converts pages that normally would be protected by the secure sockets layer protocol into their unencrypted versions. It does this while continuing to fool both the website and the user into believing the security measure is still in place.
The presentation by a conference attendee who goes by the name Moxie Marlinspike is the latest demonstration of weaknesses in SSL, the encryption routine websites use to prevent passwords, credit card numbers, and other sensitive information from being sniffed while in transit. Similar to side jacking attack from 2007 and last year's forging of a certificate authority certificate, it shows the measure goes only so far.
"The attack is, as far as I know, quite novel and cool," said fellow researcher Dan Kaminsky, who attended the Black Hat presentation. "The larger message of Moxie's talk is one that a lot of people have been talking about actually for a few years now: This SSL thing is not working very well."Editor's Question: Still think it's safe to enter
your credit card number into a mobile phone?
Then read "Related Articles" below and maybe you'll "Think Different!"