Subscribe to web2feel.com
Subscribe to web2feel.com

All Top Banking

Microsoft: Attackers Can Steal Card Numbers from HTTPS Servers...

Posted by John B. Frank Tuesday, August 11, 2009


HomeATM isn't the only company telling you that Https = HttBS.  Even Microsoft says so.  And it's ALL browsers that are weak.  That's why HomeATM and the PIN Payments Blog has spent such an inordinate amount of time trying to get across our point that no website is safe and that transactions MUST be done OUTSIDE the browser space. 


In what would provide the perfect segue for yet another dissertation on the "Don't Type" vs. "Swipe" mantra, I bring you this from Microsoft's research department...

Security researchers at Microsoft have found a way to break the end-to-end security guarantees of HTTPS without breaking any cryptographic scheme.

During a research project "Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments(.pdf) concluded earlier this year, the Microsoft Research team discovered a set of vulnerabilities exploitable by a malicious proxy targeting browsers’ rendering modules above the HTTP/HTTPS layer.

Here’s the gist of the problem, as explained by the research team:

In many realistic network environments where attackers can sniff the browser traffic, they can steal sensitive data from an HTTPS server, fake an HTTPS page and impersonate an authenticated user to access an HTTPS server. These vulnerabilities reflect the neglects in the design of modern browsers — they affect all major browsers and a large number of websites.



According to a SecurityFocus advisory, attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how sites are rendered to the user. Other attacks are also possible.

Affected browsers include Microsoft’s Internet Explorer 8, Mozilla Firefox, Google Chrome, Apple Safari and Opera.  

Originally, it was believed that this issue only affected Mozilla’s browsers but the advisory was update to reflect that the issue affects multiple browsers, not just Mozilla products.



Related articles by Zemanta

Reblog this post [with Zemanta]

edit post

0 comments

Post a Comment

Powered by Blogger.

Blog Archive

Search This Blog

Our Manufacturing Facility

Our Manufacturing Facility

Learn More About Us

Find out how our patented technology can empower your financial institution.

Our secure two-factor online banking authentication eliminates dangerous passwords and usernames and replicates the same trusted process used to access cash at ATM's. (Insert Bank Issued Card, Enter Bank Issued PIN)

There is an R.O.I. as FI's also earn recurring revenue from each transaction conducted using our PCI 2.0 Certified PIN Entry Device. Our technology also provides a unique real-time P2P "Instant-Transfer" which allows your online banking customer to transfer cash from ANY of their bankcards to ANY other bankcard...with the Swipe of a card.

Help your bank eliminate phishing and your customers avoid identity theft by providing them with the ability to stop typing and start swiping. There is no safer way to conduct financial transactions online than by 3DES DUKPT encrypting the cardholder details, which we do at the mag-head "inside the box/outside the browser."

Total Pageviews

SLIM for PC or SmartPhone

SLIM for PC or SmartPhone
Click to Inquire

Chip and PIN eCommerce and Mobile

Chip and PIN eCommerce and Mobile
Click to Inquire

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers

Translate This Blog

BobCaps

BobCaps

Search ePayment News (example: NFC)

About Me

My photo
Named one of the best Payment Industry News Blogs 4 Years Running

Feedjit

My Zimbio