Facebook opens up Internet.org but there’s no support for HTTPS
Facebook has opened the internet up to users in India and other countries but says it won’t immediately allow HTTPS.
Naked Security – Sophos
Facebook has opened the internet up to users in India and other countries but says it won’t immediately allow HTTPS.
Naked Security – Sophos
Attackers can potentially snoop on the encrypted traffic of over 25,000 iOS applications due to a vulnerability in a popular open-source networking library.
The vulnerability stems from a failure to validate the domain names of digital certificates in AFNetworking, a library used by a large number of iOS and Mac OS X app developers to implement Web communications—including those over HTTPS (HTTP with SSL/TLS encryption).
The flaw allows attackers in a position to intercept HTTPS traffic between a vulnerable application and a Web service to decrypt it by presenting the application with a digital certificate for a different domain name. Such man-in-the-middle attacks can be launched over insecure wireless networks, by hacking into routers or through other methods.
To read this article in full or to leave a comment, please click here
At least 25,000 iOS apps available in Apple’s App Store contain a critical vulnerability that may completely cripple HTTPS protections designed to prevent man-in-the-middle attacks that steal or modify sensitive data, security researchers warned.
As was the case with a separate HTTPS vulnerability reported earlier this week that affected 1,500 iOS apps, the bug resides in AFNetworking, an open-source code library that allows developers to drop networking capabilities into their iOS and OS X apps. Any app that uses a version of AFNetworking prior to the just-released 2.5.3 may expose data that’s trivial for hackers to monitor or modify, even when it’s protected by the secure sockets layer (SSL) protocol. The vulnerability can be exploited by using any valid SSL certificate for any domain name, as long as the digital credential was issued by a browser-trusted certificate authority (CA).
“The result is an attacker with any valid certificate can eavesdrop on or modify an SSL session initiated by an app with this flawed library,” Nate Lawson, the founder of security analytics startup SourceDNA, told Ars. “The flaw is that the domain name is not checked in the cert, even though the cert is checked to be sure it was issued by a valid CA. For example, I can pretend to be ‘microsoft.com’ just by presenting a valid cert for ‘sourcedna.com.'”
Read 8 remaining paragraphs | Comments
Android holed again, JAY Z and "Magna Carta", Tumblr and HTTPS – 60 Sec …
Naked Security Android security fail, Cryptocat tartan, Nintendo crack – 60 Sec Security [VIDEO] · Google rolls out fix for Android security vulnerability · Google rolls out silent fix for Android security vulnerability · Fake Instagram app infects Android devices … |