EFF says that thousands of SSL certificates 'offer effectively no security'
The Electronic Frontier Foundation's SSL Observatory has found that thousands of SSL certificates used to authenticate HTTPS sites are effectively useless, owing to weak algorithms used to generate the random numbers that are needed for encryption. By analyzing each certificate, the researchers found that one in 500 certificates are currently insecure, meaning that tens of thousands of sites across the web are vulnerable to eavesdroppers. To find this, the Observatory downloaded every available SSL certificate on the IPv4 internet, before analyzing the cryptographic methods behind it.
Similar research has uncovered mathematical flaws in the past, but the application of a new algorithm has found that many certificates share the same prime factors, which makes them far easier to decrypt. The consequences of these weak certificates are serious — according to the EFF, "In all cases, a weak key would allow an eavesdropper on the network to learn confidential information, such as passwords or the content of messages, exchanged with a vulnerable server." The Observatory says that it has already alerted website operators, certificate authorities, and browser vendors, but that until the random number generation bugs are squashed, this vulnerability will remain.
There are 5 Comments. Load 'Em Up. Show speed reading tips and settings
Shortcuts to mastering the comment thread. Use wisely.
C - Next Comment
X - Mark as Read
R - Reply
Z - Mark Read & Next
Shift + C - Previous
Shift + A - Mark All Read
Comment Settings
Live comment alert: Hide it!
Comments for this post are closed.