Posted by sez_me_man on August 22, 2008 at 5:14pm
Security Researcher Defends Plan To Release Gmail Hacking Tool
The software could affect many SSL-secured Web sites, including Amazon, Facebook, Gmail, addons.mozilla.org, most Drupal sites, and many online merchants and banks.
http://www.informationweek.com/news/security/vulnerabilities/showArticle...

Comments
Interesting - but kinda lame to pick on Drupal
Seems weird they'd pick on Drupal by name.
The main idea of the flaw seems to be when a user switches from a secure mode to an insecure mode (sometimes only used during login) AND browsing wireless (i.e., in the range of someone else hacking on the same LAN).
SSL simply is not a part of Drupal. Therefore, not a feature of Drupal itself - but rather any website that has an architecture that uses SSL just for login.
or did I miss something?
--
mike stewart { twitter: @MediaDoneRight | IRC nick: mike stewart }
So if SSL is not secure using a wireless LAN
Is there a fix for the exploit? Is it even in development? What do we need to do if we want to protect customers on a Drupal hosted on-line store?
I think he chose Drupal by
I think he chose Drupal by name because the person who made the tool uses Drupal for his blog.
There are a few discussions
There are a few discussions about this already:
http://drupal.org/node/170310
http://heine.familiedeelstra.com/security-theater-dail-ssl-for-login
http://robinmonks.com/2008/08/21/is-informationweek-right-are-most-all-d...
This has nothing to do with wireless networks, by the way. It's about cookie hijacking, which affects websites that use SSL for user login authentication (like Drupal sites).
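Added example, not part of the original thread or of any project's code: a small Python model of the condition discussed above, where a session cookie set during an HTTPS login lacks the `Secure` attribute and is therefore attached to later plain-HTTP requests. The cookie names, the `shop.example` host and the Set-Cookie headers are constructed for illustration, and only the `Secure` rule is modelled (Domain and Path matching are left out).

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers from a hypothetical HTTPS login response.
LOGIN_SET_COOKIES = [
    "sid_plain=constructed-session-1; Path=/; HttpOnly",
    "sid_locked=constructed-session-2; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]
SESSION_NAMES = {"sid_plain", "sid_locked"}  # assumed session cookie names


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def cookies_sent(jar, url):
    """Names of cookies a browser attaches to a request for `url`.

    Only the Secure rule is modelled: a Secure cookie is withheld from
    any request that is not https. Domain and Path matching are omitted.
    """
    is_https = urlsplit(url).scheme.lower() == "https"
    return [name for name, _, attrs in jar if is_https or not attrs.get("secure")]


def cleartext_session_cookies(set_cookie_headers, urls, session_names):
    """Map each non-HTTPS URL to the session cookies it would carry in cleartext."""
    jar = [parse_set_cookie(h) for h in set_cookie_headers]
    exposed = {}
    for url in urls:
        if urlsplit(url).scheme.lower() != "https":
            hits = [n for n in cookies_sent(jar, url) if n in session_names]
            if hits:
                exposed[url] = hits
    return exposed


if __name__ == "__main__":
    visited = ["https://shop.example/user/login", "http://shop.example/cart"]
    print(cleartext_session_cookies(LOGIN_SET_COOKIES, visited, SESSION_NAMES))
```

An empty result means no listed session cookie would leave the browser over plain HTTP; any entry identifies a cookie that should carry `Secure` and a page that should be served over HTTPS.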