Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not a subscriber? Subscribe now for unlimited access to online articles.

A View from Erica Naone

New Flaws Revealed In A Creaking Internet

Researchers at Black Hat reveal flaws in the infrastructure designed to keep sensitive information secure.

  • July 31, 2009

In separate presentations at the Black Hat computer security conference in Las Vegas this week, two researchers revealed flaws with the system that protects credit card and password transactions online.

The Secure Socket Layer (SSL) protocol implements the padlock that appears in a browser’s address bar–an outward symbol that the underlying communication between browser and server is secure and that the Web page is what it claims to be.

Dan Kaminsky and Moxie Marlinspike separately demonstrated a number of problems with SSL, some immediate and some that could become an issue within the next 18 months. Some of these issues are caused by inconsistencies in how SSL is implemented in the browser compared with how SSL is implemented by the certificate authorities that form the backbone of the system.

Rumblings about this infrastructure have been going on for some time–late last year, researchers Alexander Sotirov and Marc Stevens showed that an outdated algorithm could undermine the system. Later, Marlinspike released a tool that an attacker could use to capture supposedly secure information.

Later today at Black Hat, Sotirov plans to show further problems with “extended validation” SSL certificates, which are supposed to provide a more secure version of the system.

Last year at Black Hat, Kaminsky revealed a major flaw affecting a vital piece of Internet infrastructure that matches website addresses to the servers that hosts their pages. Kaminsky said in a press conference yesterday that the “creaking” of the SSL infrastructure is a sign that it’s time to look for a new solution. He suggests DNSSEC, a protocol meant to secure the system for looking up website addresses. Kaminsky believes that it could be designed to guarantee a page’s identity at the same time it links a user to a requested server. Other researchers, however, including some of Kaminsky’s collaborators, don’t agree that DNSSEC is the solution, and think there are ways to bolster SSL without discarding it.

Regardless of how people decide to fix the problems revealed at Black Hat, the takeaway is that much of the infrastructure supporting the Internet is straining with the weight of unintended responsibility.

AI and robotics are changing the future of work.  Learn from the humans leading the way at EmTech Next 2019.

Register now
Want more award-winning journalism? Subscribe to MIT Technology Review.
  • Print + All Access Digital {! insider.prices.print_digital !}* Best Value

    {! insider.display.menuOptionsLabel !}

    The best of MIT Technology Review in print and online, plus unlimited access to our online archive, an ad-free web experience, discounts to MIT Technology Review events, and The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Unlimited access to all our daily online news and feature stories

    6 bi-monthly issues of print + digital magazine

    10% discount to MIT Technology Review events

    Access to entire PDF magazine archive dating back to 1899

    Ad-free website experience

    The Download: newsletter delivered daily

  • All Access Digital {! insider.prices.digital !}*

    {! insider.display.menuOptionsLabel !}

    The digital magazine, plus unlimited site access, our online archive, and The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Unlimited access to all our daily online news and feature stories

    Digital magazine (6 bi-monthly issues)

    Access to entire PDF magazine archive dating back to 1899

    The Download: newsletter delivered daily

  • Print Subscription {! insider.prices.print_only !}*

    {! insider.display.menuOptionsLabel !}

    Six print issues per year plus The Download delivered to your email in-box each weekday.

    See details+

    12-month subscription

    Print magazine (6 bi-monthly issues)

    The Download: newsletter delivered daily

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.