
SSL is not secure anymore - Serious vulnerability identified in v3 & previous versions

A serious vulnerability in SSL v3 and previous versions of the SSL protocol has been identified and made public on November 4, 2009. This makes every SSL site vulnerable to serious man-in-the-middle (MITM) attacks related to renegotiation. The vulnerability is due to the design of the "session resumption" feature of the SSL protocol.

Who gets affected?

The impact of this issue is potentially significant. Below are some points extracted from the issue details: this attack has been demonstrated against recent versions of Apache httpd and Microsoft IIS, with a variety of clients.

What is a man-in-the-middle (MITM) attack?

A man-in-the-middle attack is one in which the attacker intercepts messages in a public key exchange and then retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other.

Below is a simple example of a successful MITM attack in simple terms (extracted from Wikipedia).

What is the solution/mitigation?

The First Few Milliseconds of an HTTPS Connection

What happens when one clicks on "Proceed to Checkout" on a website after browsing through their offerings? This is an analysis of the first milliseconds when an HTTPS connection with Amazon is established. A new page is loaded when proceeding to checkout. In the 220 milliseconds that flew by, a lot of interesting stuff happened to make Firefox change the address bar color and put a lock in the lower right corner. With the help of Wireshark, my favorite network tool, and a slightly modified debug build of Firefox, we can see exactly what's going on. By agreement of RFC 2818, Firefox knew that "https" meant it should connect to port 443 at Amazon.com. Most people associate HTTPS with SSL (Secure Sockets Layer), which was created by Netscape in the mid 90's.

Client Hello

TLS wraps all traffic in "records" of different types. The next two bytes are 0x0301, which indicate that this is a version 3.1 record; this shows that TLS 1.0 is essentially SSL 3.1.

Server Hello

Checking out the Certificate

Announcing Google Maps API v3

Since our last major release of the JavaScript Maps API three years ago, we've been delivering feature requests that all of you have been asking for month over month. With over 150,000 active websites implementing it, the Maps API has become one of the most popular and trusted developer tools on the web. We're in the process of giving the Maps API a major facelift, and today we're providing you a look at V3 in our Google Code Labs. The primary motivation behind this new version was speed, especially for rendering maps on mobile browsers.

Last year, several of us started thinking about the possibility of getting the JavaScript Maps API to work on mobile devices. With the advent of powerful, fully functional browsers on devices such as the iPhone and the Android-based G1, why couldn't we bring the flexibility and reach of modern web development to people who wanted to write maps mashups for mobile phones?

What's changed in v3?

What does the API look like?

Understand the CROSS SITE SCRIPTING Vulnerability

Why Banked Blood Goes Bad