A short post of things I found in my Google Reader:
- A new challenge from the guys over at SANS: The Twelve Days of Christmas Packet Challenge
- Also there are some vulnerabilities there: All I want for christmas are my exploits... - my thoughts: you have to be insane to put your DB server on a public network.
- aSSL - Ajax Secure Service Layer - a nice technological demo, BUT SSL is a long-lived standard that has been verified over and over. This also fails if the user has no JavaScript capabilities (hint: think mobile phones, screen readers or search engine crawlers). Don't use it.
- The history of the FPS. A pictorial.
Hi Cd-MaN, I respect your opinion about aSSL, but all the Ajax world is based on JavaScript. If a user disables JavaScript, or if their device doesn't support JavaScript, all Ajax applications are useless. [wink]
About SSL, you are right, but even SSL was once a new project before it became a standard.
About being useless, I disagree. [1] aSSL is useful in certain contexts and [2] no new ideas are ever useless.
A possible security concern with aSSL:
If I understand it correctly, the encryption routines are sent unauthenticated via HTTP GET. Couldn't a MITM modify the JavaScript encryption routines (i.e. weaken them) before they reach the client? Without authentication of the scripts, the security of this scheme appears to be greatly weakened. Is this type of attack accounted for in aSSL?
About aSSL:
Where is the authentication?
Who cares if you have bulletproof encryption if all it takes is a simple man-in-the-middle!
"aSSL is useful in certain contexts and " -> aSSL is useless
"but all the Ajax world is based on Javascript" -> Sounds like we have another web 2.0 bandwagon wannabe!
"no new ideas are ever useless." -> Hey I mean I use TrueCrypt's rot13 module to encrypt all my porn. (N.B. TC does not have rot13)
"all Ajax applications are useless. " -> I think you need to realise that the word degradable is more than just a web 2.0 buzzword!