Security Now 217

From The Official TWiT Wiki

Security Now 217: The Broken Browser Model

News & Errata

06:28 - 08:18

  • Chrome has been updated to version to fix a buffer overflow vulnerability

08:19 - 16:49

  • An update is available for Blackberry users who are using the Blackberry software 4.5 through 4.7 to fix a problem with null bytes in SSL certificates
  • The vulnerability still exists in Internet Explorer and any browsers relying on Microsoft's Crypto API
  • A fake PayPal certificate exploiting this vulnerability is now available on the internet
  • How the exploit works was discussed and the notes for this are available here

16:50 - 18:42

  • Last week "Gibraltar Stars" by Michael McCollum was released

18:43 - 26:24

  • Steve has seen the Sony Pocket E-Book reader (Model No. PRS-300) which sells for $199
  • He thinks it is still too big and doesn't fit in his pocket

Spinrite Story

Jeffrey Morse (Unknown) 26:25 - 30:34

A listener's mother's computer would not boot and gave an "Unmountable boot volume" error message. She had images on it that were not backed up, so he ran Spinrite on the drive and it was able to repair the drive enough to copy the images off it.

The Broken Browser Model

32:20 -

35:20 - 41:00

  • Most people do not directly deal with SSL connections; e.g. they don't type https://, they just type and then https://www. is automatically added
  • A browser and a remote web server work in a query/response model: the browser asks for a page over a connection to the remote server, the server provides that page, and the browser then parses it.
  • More often than not, follow-on accesses back to that server, or to other servers, are required to fully assemble all the pieces of the finished page.
  • If you need to log in you will get a form to fill in, which should then be sent to the server over SSL
  • However it was noted that most users just assume the data will be sent over SSL and don't pay attention to the switching between SSL and normal HTTP

41:01 - 50:00

  • There is an attack that allows an attacker to insert themselves onto an Ethernet network, called an 'ARP spoofing attack'
  • ARP tables associate IP addresses with MAC addresses
  • It is very easy to get between a user and the gateway, because the gateway can be told a fake MAC address for an IP address
  • So the attacker can act as a man in the middle and see everything the user does
  • SSL prevents the hacker sitting in the middle from acquiring the SSL session key and so they can't read or modify SSL traffic

50:01 - 59:00

  • The attack works by:
    • You request a non-secure page such as
    • You then go to the login page; the bad guy sitting in the middle intercepts the page when it is returned, removes the S from https, and forwards it on to the user
    • Now when you send your login details, the man in the middle intercepts them, records your login details, puts the S back, and then forwards the request on to the server
  • The attacker could also replace the favicon for a site with a padlock to further trick users
  • To combat this attack you need the browser to insist that https is going to be used
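A small audit, added here as an example and not part of the episode notes, of what "insisting on https" means on the browser side: it checks whether a login page arrived over https, whether the server sent a Strict-Transport-Security header (the mechanism browsers later standardized for exactly this insistence), and whether every form on the page submits over https. The page URLs, headers and HTML below are constructed samples, one as a stripper would rewrite it and one as the real server sends it.

```python
"""Audit a login page for signs of SSL stripping: plain-http page, no HSTS, or a form
whose action would send credentials over http. Pure functions, no network access."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the 'action' of every <form>, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action") or ""   # empty action posts back to page_url
            self.actions.append(urljoin(self.page_url, action))


def audit_login_page(page_url, headers, html):
    """Return a list of findings; an empty list means nothing looks downgraded."""
    findings = []
    scheme = urlsplit(page_url).scheme
    if scheme != "https":
        findings.append(f"page itself loaded over {scheme}, not https")
    lowered = {name.lower(): value for name, value in headers.items()}
    if "strict-transport-security" not in lowered:
        findings.append("no Strict-Transport-Security header: browser will not insist on https")
    collector = _FormCollector(page_url)
    collector.feed(html)
    for action in collector.actions:
        if urlsplit(action).scheme != "https":
            findings.append(f"form submits its fields to {action} (not https)")
    return findings


# Constructed sample: the page as the victim's browser sees it after https was rewritten to http.
STRIPPED_HTML = ('<form action="http://login.example.com/auth" method="post">'
                 '<input name="user"><input name="pass" type="password"></form>')
# Constructed sample: the same page as the real server sends it, with HSTS enabled.
INTACT_HTML = '<form action="/auth" method="post"><input name="pass" type="password"></form>'
INTACT_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    print(audit_login_page("http://login.example.com/", {}, STRIPPED_HTML))
    print(audit_login_page("https://login.example.com/", INTACT_HEADERS, INTACT_HTML))
```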

59:00 - 01:25:57

  • It used to be expensive to set up and maintain an SSL connection
  • So much so that you could buy hardware accelerators that implemented the public key handshake in hardware
  • The creator of this attack tried it out at a Wifi hotspot and during 24 hours he intercepted:
    • 114 logins to
    • 50 logins to Gmail
    • 42 to
    • 14 to
    • 13 to Hotmail
    • 9 to PayPal
    • 9 to LinkedIn
    • 3 to Facebook
    • 16 credit card numbers along with expiration dates and security codes
  • Steve recommends that you make sure the form you fill out is secure
  • One-time passwords mean your login details cannot be reused in the future, but the attacker in the middle can still hijack your current session


Go To Meeting


Production Information

  • Edited by:
  • Notes: