
February 24, 2003

Microslosh Strikes Again

The whole world (or at least the whole internet) is running around patching SSL due to a recent vulnerability which was announced last week in Switzerland. The truth of the matter is somewhat more interesting than the original reports suggested. The actual vulnerability is not in SSL itself but in the way that SSL is used...

Imagine a locksmith who makes a great new security lock for front doors. Now you get a builder who constructs entranceways to your house using this locksmith's products. As a consumer, you just want to be able to access your house. This builder does this by arranging it so that you put your key in the lock to open the door and then go inside BUT your key stays in the door until you leave the house. You should have picked a smarter builder :wink

Now the locksmith is OpenSSL, the builder in question is the Microslosh corporation and the entranceway product is called Outlook Express. When you start up a connection (enter your house) the SSL key is used to establish a connection. Outlook Express continues to send the key to the server every time it checks for updates. It does not close and reopen the connection as required and it does not make full use of the keys. It sends a simple data packet (including the key) at least once every five minutes.

Like I said above, get a better builder. And don't listen to promises of a secure future: this builder has been promising to make things secure, safe and bugfree since (at least) 1995 [Bill Gates claims MS Software is bugfree in Risks Digest] and still has not delivered.

Posted by Ozguru at February 24, 2003 12:00 PM
