Free Republic

To: dayglored; Excellence; Swordmaker
Looks to me like it's limited to Google/Android devices, Apple iOS devices, and Safari on OS X.

Firefox on OS X appears okay, as do Firefox and IE on Win7.

I don't have Google Chrome or Safari on Windows so I don't know about those.

10 posted on 03/03/2015 3:45:07 PM PST by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)


To: dayglored
Looks to me like it's limited to Google/Android devices, Apple iOS devices, and Safari on OS X.

Firefox on OS X appears okay, as do Firefox and IE on Win7.

Not quite, or for just mobile hand held devices. The problem is in the way the websites can force any browser to use the encryption of choice on the website. . . and downgrade it. The reason it may be more dangerous to mobile devices is because it requires a "man-in-the-middle" interception attack to be utilized and they are more likely to be in a position to be exposed to such an attack such as in a coffee shop, hotel, airport, etc. . . but so are laptops from any platform.

This would allow hackers to conduct what experts call a “man-in-the-middle” attack to make seemingly encrypted traffic easy to read. Such attacks can be launched by anybody who has access to Internet traffic, including governments, employers, Internet providers and coffee shops or airports that offer wifi hotspots.

Apple's Safari in both mobile iOS and desktop OS X versions will notify users if the "secure" website does not have a proper certificate. . . or does not have the correct URL, i.e. is a Man-in-the-middle exploit, so I cannot see this would work with Safari either. . . unless the user told Safari to go ahead and connect, despite the warning. Yes, the browser probably would devolve down to the lower grade encryption, but would it recognize the secure HTTPS website as being authentic, which is required FIRST for the man-in-the-middle attack to work.

The alternative is for the secure, authentic website to be deliberately malicious in the first place and untrustworthy, designed to hack into the device. . . and that would work. THAT does need to be fixed so the browsers will never step down. However, I notice that the 512 bit key of this antique system still requires around seven hours to break. . . and that means the user would have to remain connected to the malicious website for more than seven hours for the hacker to gain access and get any information. How many of us stay on any website except perhaps FreeRepublic for more than seven hours at a time?

11 posted on 03/03/2015 4:45:59 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
