Tuesday, March 4, 2014

Is this Bob's Pizza?

Even with the Man in the Middle attack, Alice still gets the pizza.
Alice calls Bob to order a pizza. Eve intercepts the phone call. "Bob's Pizza!" Eve writes down Alice's order and credit card. Then Eve calls Bob and orders that pizza for Alice. The pizza shows up, and Alice has no idea that Eve has her credit card number.
That's called a 'man in the middle' attack. If you haven't updated your iPhone's software in the last week or so, upgrade to either 6.1.6 or 7.0.6 immediately.
There was a security hole in the routine that confirms that websites are who they say they are. Until you upgrade and close the hole, your computer won't be able to determine whether it's talking to Bob or to Eve.
While you're at it, upgrade your Mac OS to 10.9.2. That update patches the same hole.
From a quick look at the source code, it's impossible to tell whether this is a clumsy line of code, "goto fail;", duplicated in just the wrong place, or a perfectly deniable security backdoor for the NSA. They'd both look the same.
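To see why one duplicated line matters, here is a simplified model of the pattern, added as an illustration and not Apple's actual source. The function names (hash_update, check_signature, verify_buggy, verify_fixed) are hypothetical stand-ins.

```c
#include <stdio.h>

/* GCC 6+ and recent Clang flag the pattern below; silenced so the demo builds. */
#pragma GCC diagnostic ignored "-Wmisleading-indentation"

/* Hypothetical stand-ins for the real steps. 0 means success, nonzero failure. */
static int hash_update(int step) { (void)step; return 0; }
static int check_signature(int sig_is_valid) { return sig_is_valid ? 0 : -1; }

/* Models the flaw: the second "goto fail;" is not governed by the if,
   so it always runs, with err still 0 from the successful hash step. */
int verify_buggy(int sig_is_valid) {
    int err;
    if ((err = hash_update(1)) != 0)
        goto fail;
    if ((err = hash_update(2)) != 0)
        goto fail;
        goto fail;              /* duplicated line: unconditional jump */
    if ((err = check_signature(sig_is_valid)) != 0)   /* never reached */
        goto fail;
fail:
    return err;                 /* 0 is read by the caller as "verified" */
}

/* Same flow with braces on every branch and the stray line removed. */
int verify_fixed(int sig_is_valid) {
    int err;
    if ((err = hash_update(1)) != 0) {
        goto fail;
    }
    if ((err = hash_update(2)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig_is_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    printf("buggy, bad signature:  %d\n", verify_buggy(0));
    printf("fixed, bad signature:  %d\n", verify_fixed(0));
    printf("fixed, good signature: %d\n", verify_fixed(1));
    return 0;
}
```

The buggy version reports success whether or not the signature is valid, which is exactly the "Bob or Eve" problem: the check that would tell them apart never runs.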
Connection authentication and secure communications over an open internet make innovations like online pizza ordering and midnight banking possible.
Watch out for two-tier internet arrangements like the recent Comcast-Netflix deal. They move the internet towards a cable broadcast system rather than a neutral system where everyone is on the same playing field.
The next Netflix, Reddit or Facebook will have a hard time getting started without a neutral, trustworthy internet. You need to be able to know it's Bob's Pizza.
