Google making the Web faster with protocol that reduces round trips

An FAQ and an in-depth design document provide more information than most people would want to know about QUIC. Besides running multiplexed connections over UDP, QUIC was “designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latency,” the FAQ states.

via Google making the Web faster with protocol that reduces round trips | Ars Technica.

Sslstrip Tutorial

Description: SSLstrip was released by Moxie to demonstrate the vulnerabilities he spoke about at Blackhat 2009. In this video we will look at how to get started with SSLstrip. We set up 2 VMware machines, one running Windows XP (victim) and the other Backtrack 3 (Attacker). Before we actually begin hacking using SSLstrip, we need to set up the entire Man in the Middle Mechanism and packet redirection / forwarding mechanism. We do this by using the following commands in sequence:

via Sslstrip Tutorial.

This tool assumes a man-in-the-middle setup in which HTTP traffic (port 80) is redirected to a port that sslstrip listens on on the attacker’s machine (port 10000 in this video). Sslstrip then intercepts HTTPS traffic and returns HTTP traffic to the victim. The victim, thinking his traffic is encrypted, is transmitting in plain text while sslstrip manages the SSL session with the victim’s destination (e.g. a bank). Because the attack uses HTTP, the victim is never asked to validate an SSL certificate, so it is transparent. Detecting this attack is simple because the browser shows http instead of https in the displayed URL, so an alert victim should notice. But not everyone may notice this.
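The detection point above, as an added example that is not from the original post or from the sslstrip project: it compares a copy of a page obtained over a trusted path with the copy seen on the suspect network and reports link and form targets whose scheme changed from https to http, alongside the address-bar check. The host names, sample pages and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _UrlCollector(HTMLParser):
    """Collects URL-bearing attributes (href, action, src) from a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.urls.append(value)


def extract_urls(html):
    collector = _UrlCollector()
    collector.feed(html)
    collector.close()
    return collector.urls


def _key(parts):
    # Identity of a resource regardless of scheme.
    return (parts.hostname, parts.path or "/", parts.query)


def downgraded_urls(baseline_html, observed_html):
    """URLs that are https in the trusted baseline but http in the observed copy."""
    secure = {_key(p) for p in map(urlsplit, extract_urls(baseline_html))
              if p.scheme == "https"}
    return [u for u in extract_urls(observed_html)
            if urlsplit(u).scheme == "http" and _key(urlsplit(u)) in secure]


def address_bar_downgraded(expected_url, displayed_url):
    """The indicator from the text: https was expected, http is displayed."""
    e, d = urlsplit(expected_url), urlsplit(displayed_url)
    return e.scheme == "https" and d.scheme == "http" and e.hostname == d.hostname


# Constructed sample pages (bank.example and cdn.example are placeholders).
BASELINE = ('<a href="https://bank.example/login">Sign in</a>'
            '<form action="https://bank.example/auth" method="post"></form>'
            '<img src="http://cdn.example/logo.png">')
OBSERVED = BASELINE.replace("https://", "http://")

if __name__ == "__main__":
    print(downgraded_urls(BASELINE, OBSERVED))
    print(address_bar_downgraded("https://bank.example/login",
                                 "http://bank.example/login"))
```

The image URL is not reported because it was already plain http in the baseline; only targets that lost their https scheme count as stripped.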

Critics slam SSL authority for minting certificate for impersonating sites


Over the past year, security experts have proposed a variety of alternatives to the complex web of trust now used to manage the net’s ailing SSL system. Among them is the Convergence project devised by researcher Moxie Marlinspike. The system, which would have flagged counterfeit certificates used to snoop on some 300,000 Gmail users, has already won the qualified endorsement of security firm Qualys. Google, meanwhile, has said it has no plans to implement Convergence in its Chrome browser.