Mozilla

Submission + - Mozilla Asks All CAs to Audit Security Systems (threatpost.com)

Trailrunner7 writes: Already having revoked trust in all of the root certificates issued by DigiNotar, Mozilla is taking steps to avoid having to repeat that process with any other certificate authority trusted by Firefox, asking all of the CAs involved in the root program to conduct audits of their PKIs and verify that two-factor authentication and other safeguards are in place to protect against the issuance of rogue certificates.

Mozilla officials have notified all of the CAs involved in the organization's trusted root program for Firefox that they need to perform the audits and other required actions within the next eight days and send the results to Mozilla. The message, also posted to the Mozilla developer security policy group on Google, sends a clear message that Mozilla officials have little interest in seeing a rerun of the DigiNotar episode with another certificate authority.

Submission + - Marlinspike's solution to the SSL CA problem (convergence.io)

Trevelyan writes: In his Blackhat talk on the past and future of SSL (you can find the video and slides if you really try, or just buy them from BH) Moxie Marlinspike explains the problems of SSL today, and the history of how it came to be so. He then goes on to not only propose a solution, but he's implemented it as well: Convergence. It'll let you turn off all those untrustable CAs in your browser and still safely use HTTPS. It even works with self-signed certificates. You still need to trust someone, but not forever like CAs. The system has 'Notaries', which you can ask anonymously for their view on a certificate's authenticity. You can pool Notaries for a consensus, and add/remove them at any time.
Open Source

Submission + - Automatic spelling corrections on Github

An anonymous reader writes: GitHub projects may be seeing a different kind of contributor than normal: a small little bot is now crawling projects, contributing spelling corrections. It builds on top of the GitHub API and existing documentation style checking code. Future directions for the project look beyond spelling mistakes and at automated bug fixing on a large scale.

Your Browser History Is Showing 174

tiffanydanica writes "For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing."
Privacy

Submission + - Your browser history is showing

tiffanydanica writes: For a lot of us our browser history is something we consider private, or at least not something we want to expose to every website we visit. Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit. It is an interesting application of potentially scary technology (imagine a job application site using this to screen candidates). You can jump right into having your history sniffed if you so desire. While the collages are cool on their own merit, they also serve as an illustration of the privacy implications of browser history sniffing.
Security

Submission + - Yahoo! exposes auth info via man-in-the-middle

tiffanydanica writes: For all the flak Mozilla gets about its new security warnings for https sites, at least it warns the user when a mismatch occurs. Sadly the new Yahoo! Zimbra Desktop (released in part to fix some security issues) doesn't bother validating the SSL certificate on the other side before sending along the username and password, making it vulnerable to a man-in-the-middle attack. This is certainly a step up from transmitting the information in the clear, since the attacker must switch from being passive to active, but with all of the DNS security problems & it would be fairly trivial for a malicious attacker to grab a large number of Yahoo! accounts (be it for phishing or spamming). Hopefully this issue will get fixed shortly, but for now Yahoo! Zimbra Desktop users may wish to use the webmail interface.
Technology (Apple)

Submission + - Tapping the iPhone, brought to you by Yahoo!

tdalek writes: You may remember the recent Slashdot article about Yahoo! Zimbra Desktop exposing authentication information. It turns out that other Yahoo! applications are affected, although to a lesser degree. With Yahoo!'s desktop program, it transmitted the usernames and passwords in plaintext. Yahoo! is one of the lucky few default e-mail providers on the iPhone; sadly it looks like Apple didn't insist on encryption from Yahoo! On the iPhone, authentication is encrypted, but you can see all the messages sent and received in plaintext. Incoming messages are downloaded in plaintext over the standard IMAP port. Outgoing mail is a bit harder to find; it is apparently sent by an HTTP POST request wrapped up inside a bundle of XML, but security through obscurity isn't very effective. If you have Yahoo! mail on your iPhone (and since it's one of the default accounts, I'm assuming quite a few do), now would be a good time to forward it elsewhere for the time being, and use that account instead.
Privacy

Submission + - Yahoo! exposes user passwords (uwaterloo.ca) 3

kingofthehobos writes: In a move hearkening back to the days of telnet, Yahoo!'s newest addition to their mail system exposes the full usernames & passwords over the wire (or wireless) in plaintext. Both CNET news & Wired's Webmonkey are reporting on the story (although in true Wired fashion the individual is called a "hacker"). So, if you know anyone who might have installed Yahoo! Zimbra Desktop, getting them to switch back to the web interface and change their password (until the issues are fixed) would be ++good.
