ECOMMERCE'S SECURE SOCKETS LAYER (SSL) encryption is broken, the founder of the Black Hat conference told delegates at this year's event.
Speaking at Black Hat 2010's keynote session on the first day, conference founder Jeff Moss was scathing about the current state of Internet security for businesses and consumers.
"Thirteen years down the line since the first conference and we're still not able to conduct business online," he said. "SSL is broken, and while it's great to see things are going better now it's a long way down the line."
However, security specialist Dan Kaminsky disagreed, saying there is still considerable usefulness in SSL.
While the situation isn't perfect, the US government is working to sort out problems and make cyberspace safe for citizens, Jane Holl Lute, US Deputy Secretary of the Department of Homeland Security (DHS), told delegates in her keynote. One of the key remits for the DHS was securing cyberspace, she said: "Wars end lives, but cyberspace destroys them".
The speed of technological advancement is such that the tools that are now available are almost beyond our ability to use them, Holl Lute told delegates, although she doubted that would be true in the long term.
She said that a comprehensive cybersecurity exercise will be carried out this Autumn and the DHS is gearing up for major moves to protect the online infrastructure of the US and the world. µ
What's specifically wrong with e-commerce, then? I mean, do we have to not tell Amazon our credit card number? What?
If you mean that payment systems have a lot of room for improvement - I agree.
The Cryptome site speculates that the Conficker worm will be activated to provide just the pretext DHS needs to seize control of the net.
@ Robert Carnegie: I'm informed only by chance reading; I think what's referred to is the SSL layer is currently broken by man-in-the-middle attacks using false security certificates, perhaps obtained by gov't order. But since M$ accepts 264 Certificate Authorities, there's plenty of opportunity for private parties to obtain a false one too. So you can't trust the yellow field of your browser address (particularly not IE; Firefox uses other CAs); there's no *real* security when you give your #'s over the net. -- Where this differs from *my* distrust of these new-fangled devil's inventions of which no good will ever come, I don't know, but apparently they're now exercised over what I always assumed was the case.