Google researchers say they've devised a way to significantly reduce the time it takes websites to establish encrypted connections with end-user browsers, a breakthrough that could make it less painful for many services to offer the security feature. ....The finding should come as welcome news to those concerned about online privacy. With the notable exceptions of Twitter, Facebook, and a handful of Google services, many websites send the vast majority of traffic over unencrypted channels, making it easy for governments, administrators, and Wi-Fi hotspot providers to snoop or even modify potentially sensitive communications while in transit. Companies such as eBay have said it's too costly to offer always-on encryption.
The Firesheep extension introduced last year for the Firefox browser drove home just how menacing the risk of unencrypted websites can be.
Is this a case of, NIST taketh away what Google granteth?
Posted by iang at May 20, 2011 12:25 PM | TrackBackIf you use Gmail, eBay, MySpace, or any one of dozens of other web-based services, the United States Computer Emergency Readiness Team wants you to know you're vulnerable to a simple attack that could give an attacker complete control over your account. ....
And eBay spokesman Hani Durzy said: "This vulnerability is a well known weakness within the HTTP protocol itself. If the user logs out, it will clear the session. Beyond that, the only thing that can be done about it would be to turn the entire site into SSL - which would be prohibitive on several fronts, including usability." ...
It's also true that cloaking an entire site behind SSL would require significantly more processing power and would also slow many users' browsing experience by a considerable measure. ....
If you're waiting for a fix, we recommend you pack a very large lunch. And beyond that, where possible you might switch to Google, which has already gone a long way to closing the hole.
As the only web-based email service we know of that offers a start-to-finish SSL session, the service is among the most resilient to cookie hijacking. Unfortunately, Gmail doesn't enable persistent SSL by default, and has done little to educate its users about its benefits.
The company also offers SSL for its calendar, search history, documents and reader services, and a Google spokesman said security engineers "are actively working to expand capacity to enable HTTPS encryption for all users."
In the meantime, a Firefox extension called CustomizeGoogle provides a simple way to ensure that all sessions with the above-mentioned Google services are automatically protected by SSL. ®
Posted by: A US CERT reminder: The net is an insecure place World's biggest websites no match for decade-old web bug at May 21, 2011 05:18 AMSSL is slow. Multiple redundant round trips.
This is a result of layering. Bad idea.
Posted by: James A Donald at May 22, 2011 03:34 AMHave you checked out SSLShader? It uses a reverse proxy and GPU acceleration to significantly increase SSL throughput for web sites. It was devised as a cheaper alternative to expensive crypto accelerators. If more companies knew about these things, they might find it cost-effective to do always-on SSL.
SSLShader
http://shader.kaist.edu/sslshader/