In Analyzing Forged SSL Certificates in the Wild [PDF], a paper authored by researchers at CMU and Facebook, we learn that "a small but significant percentage" of HTTPS connections are made using forged certificates generated by adware and malware. Disturbingly, some of this malware may be working by attacking anti-virus software and stealing its signing keys, and the authors also speculate that anti-virus vendors may be handing their keys to governments in order to allow police to carry out man-in-the-middle attacks.
The researchers used a technique to detect forged-cert connections that has post-Heartbleed applications, since it would allow sites to discover whether their visitors are being man-in-the-middled through keys stolen before Heartbleed was widely known. This all points to a larger problem with HTTPS, which has been under increased scrutiny since Heartbleed, but whose defects were well understood within the security community for a long time. I co-wrote this editorial for Nature with Ben Laurie in 2012 describing a system called "Certificate Transparency" that makes it easier to audit and remediate problems with SSL certificates, which Google is now adding to Chrome.
"One should be wary of professional attackers that might be capable of stealing the private key of the signing certificate from antivirus vendors, which may essentially allow them to spy on the antivirus users (since the antivirus root certificate would be trusted by the client)," the researchers explained. "Hypothetically, governments could also compel antivirus vendors to hand over their signing keys."
More troubling, of course, was the discovery of forged certificates issued by malware and adware programs for purposes of ferreting log-in credentials out of, and injecting banner ads into, encrypted Web traffic. Because the certificates were installed by software that made administrator-level changes to the end-user computers, they likely generated few if any error warnings when they were presented.
Significant portion of HTTPS Web connections made by forged certificates [Dan Goodin/Ars Technica]