Microsoft

Comodo hack may reshape browser security

Submitted by suraj.sun
suraj.sun (1348507) writes "Major browser makers are beginning to revisit how they handle Web authentication after last month's breach that allowed a hacker to impersonate sites including Google, Yahoo, and Skype. Currently, everyone from the Tunisian government to a wireless carrier in the United Arab Emirates that implanted spyware on customers' BlackBerry devices and scores of German colleges are trusted to issue digital certificates for the largest and most popular sites on the Internet.

Microsoft's manager for trustworthy computing, Bruce Cowper, told CNET that the company is "investigating mechanisms to help better secure" certificate authorities, and Ben Laurie, a member of Google's security team, said the Mountain View, Calif., company is "thinking" about ways to upgrade Chrome to highlight possibly fraudulent certificates that "should be treated with suspicion."

Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation who has compiled a database of public Web certificates, says one way to improve security is to allow each Web site to announce what certificate provider it's using.

CNET News: http://news.cnet.com/8301-31921_3-20050255-281.html"

  • Do away with greedy certificate providers like VeriSign altogether.
    Store a hash of the certificate in DNS and use DNSSEC to ensure the hash (and the IP address of the server) can't be tampered with.

    Certificates under this model wouldn't even include any identifying information (e.g. the company name of the company who owns the certificate).
    All that SSL/DNSSEC/etc should be doing is A. Making sure that you are talking to the correct computer for the domain you are trying to access and not another computer wher
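The check proposed in the comment above, sketched as an added example that is not part of the original comment or of any browser's code. The record layout is borrowed from the TLSA record later standardized for this purpose (RFC 6698, DANE); the function names, the `dnssec_validated` flag (assumed to come from a validating resolver) and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

# Matching types from RFC 6698: 1 = SHA-256, 2 = SHA-512 (0 = exact bytes).
_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}


def parse_pin(rdata: str):
    """Parse 'usage selector matching-type hex' (TLSA presentation form)."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected: usage selector matching-type hex")
    usage, selector, mtype = (int(f) for f in fields[:3])
    pinned = bytes.fromhex("".join(fields[3:]))
    return usage, selector, mtype, pinned


def cert_matches_dns_pin(cert_der: bytes, rdata: str,
                         dnssec_validated: bool) -> bool:
    """True only if the presented certificate matches a DNSSEC-validated pin."""
    if not dnssec_validated:
        return False  # an unsigned DNS answer can be forged, so fail closed
    try:
        usage, selector, mtype, pinned = parse_pin(rdata)
    except ValueError:
        return False  # malformed record: treat as no match
    # Handle only the model in the comment: the site pins its own
    # certificate with no CA involved (usage 3), over the whole cert (selector 0).
    if usage != 3 or selector != 0:
        return False
    if mtype == 0:
        presented = cert_der
    elif mtype in _DIGESTS:
        presented = _DIGESTS[mtype](cert_der).digest()
    else:
        return False
    # Constant-time comparison of the presented value against the pin.
    return hmac.compare_digest(presented, pinned)


# Constructed sample data: placeholder bytes standing in for a DER certificate.
SAMPLE_CERT = b"constructed-placeholder-for-DER-certificate-bytes"
SAMPLE_RDATA = "3 0 1 " + hashlib.sha256(SAMPLE_CERT).hexdigest()

if __name__ == "__main__":
    print(cert_matches_dns_pin(SAMPLE_CERT, SAMPLE_RDATA, True))
    print(cert_matches_dns_pin(SAMPLE_CERT, SAMPLE_RDATA, False))
```

The pin is only as trustworthy as the DNSSEC chain behind it, which is why an unvalidated answer is rejected before any hash is compared.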
