Security Now 262

From The Official TWiT Wiki
Security Now
Episode 262

Security Now 262: Strict Transport Security

News & Errata

4:22 - 5:13

  • Apple has updated iOS to v4.0.2 to fix the PDF font parsing vulnerability

5:14 - 5:46

  • Opera has been updated from v10.60 to v10.61
  • They fixed a heap overflow flaw in HTML5 rendering

5:47 - 9:40

  • India has told RIM it needs access to BlackBerry's communications channels

9:41 - 13:20

  • There are reports that the first smartphone trojan has been detected
  • It is called "TrojanSMS"
  • It makes calls and sends messages from the victim's phone

01:01:51 - 01:04:22

  • If you use one of the beta versions of Chrome, Chrome bug 52096 breaks the LastPass hashing code

SpinRite Story

13:21 - 18:17 Ryan Wright from Artisan Technology [1] (Portland, OR)

SpinRite saved 4 school days at a Saint Louis school with its handy resume feature, which lets you stop the recovery process and resume from exactly where you left off (with four-decimal-place accuracy).

Strict Transport Security

22:07 - 01:01:50

  • The nature of the browser-server relationship is transactional
  • The browser makes a query to a remote server which returns a response
  • This creates a bunch of problems when we want to have a secure relationship with the server at the other end
  • When we want to have a persistent logon relationship with a remote server we use cookies
  • Every time we contact the server we send it our cookie to identify ourselves
  • You can't use IP addresses to uniquely identify people, because users behind NAT routers share one IP address, so multiple people at the same address could be accessing the same site
  • Cookies are not 100% secure however
  • E.g. until recently Google used a secure connection to log you into Gmail, but once you were logged in it switched you back to a normal, unencrypted connection
  • This means that a bad guy could steal your cookie and impersonate you
  • You can mark cookies as secure which means the browser will never send the cookie to the server unless you are using SSL
  • However you could be the victim of a man in the middle attack
  • If that happened and you clicked past a browser warning that the site's certificate was self-signed, expired or otherwise invalid, the bad guy could still steal your cookie
  • To prevent this Strict Transport Security (STS) was born
  • A website which supports STS can tell your browser to NEVER connect to it over anything but SSL
  • This option is set the first time you connect to the site over SSL
  • If there is ever any problem with an expired, self-signed or otherwise invalid certificate, you will not be able to visit the website: the browser won't even ask, it simply refuses to connect
  • When a website sets the STS option it also specifies how long the condition should apply
  • This is not simple for every website to implement, however, since it has to serve everything over SSL, and many sites do not have SSL certificates for things like image servers
  • The latest version of Google Chrome supports STS natively as does Firefox 4
  • NoScript under Firefox 3 enforces STS
  • Browsers do not enforce security for CSS and Shockwave Flash files
  • So if a CSS or Shockwave Flash file on a secure page came from an insecure source, the browser won't alert the user
  • This cannot happen when STS is enforced

  • Offer Code: securitynow
  • Carb #3
  • Ad Times: 0:46-1:01 and 18:17-21:27

Production Information

  • Edited by: Tony
  • Notes:
This area is for use by TWiT staff only. Please do not add or edit any content within this section.