Hacker Rattles Internet Security Circles - NYTimes.com

These kinds of articles come out all the time and most of us ignore them. Often it’s because there isn’t much we can do in order to protect ourselves from things like this, or we don’t really know how.

Today, I’ll break down what the average computer user really needs to know about this hack, what it can do, and what they need to do about it.

For those who don’t like to read long posts, the short of it:

Update your OS and update your browser to the latest version. All major browsers and OSes have been updated to fix this hack. I’ll be posting instructions later on how to do this with all versions of Windows that I support as well as OS X.

For the person wondering what this is all about:

What exactly is SSL/TLS?

It’s simple, really: you use SSL whenever you go to a Web site with https: in the URL. You usually see a padlock in your browser and you get to feel all warm inside knowing that you are safe.

How does SSL work?

There are these things called Root Certificate Authorities. We trust them, and they vouch that the Web site you are visiting is who it says it is. There is a lot of math and cryptography behind it all, but that’s the brass tacks, if you will.

What happened here?

A hacker (or hackers) broke into a Root Certificate Authority named DigiNotar, a Dutch company, and made it vouch that anyone could be, for example, google.com. Hundreds of certificates were issued (a certificate is how we know that a Root Certificate Authority has vouched for a site, one per site).

How was this fixed?

All browsers and OSes have revoked their trust in DigiNotar. So we won’t trust anything they’ve vouched for anymore. You’ll get a broken padlock or an error page if you visit a site using these bad certificates.
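For readers who want to see what removing trust looks like in practice, here is an added example (not part of the original post) that looks through a list of trusted certificate authorities for any certificate naming DigiNotar as its subject or issuer. Matching by name, the helper names and the sample certificates are assumptions made up for illustration.

```python
import ssl

# Assumption: matching on the CA's name. A stricter audit would compare
# certificate fingerprints published by the browser or OS vendor.
DISTRUSTED_NAMES = ("diginotar",)

def _values(cert, field):
    """Yield attribute values from a 'subject' or 'issuer' field."""
    for rdn in cert.get(field, ()):
        for _key, value in rdn:
            yield value

def common_name(cert):
    """Return the subject commonName, or a marker if there is none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no commonName>"

def find_distrusted(ca_certs, needles=DISTRUSTED_NAMES):
    """Return names of certs whose subject or issuer mentions a distrusted CA."""
    hits = []
    for cert in ca_certs:
        values = list(_values(cert, "subject")) + list(_values(cert, "issuer"))
        if any(n in v.lower() for v in values for n in needles):
            hits.append(common_name(cert))
    return hits

def system_ca_certs():
    """CA certificates Python has loaded from the system trust store.
    May be empty where the store is a directory that is read lazily."""
    return ssl.create_default_context().get_ca_certs()

def _name(org, cn):
    return ((("organizationName", org),), (("commonName", cn),))

# Constructed sample in the shape returned by SSLContext.get_ca_certs().
SAMPLE = [
    {"subject": _name("DigiNotar", "DigiNotar Root CA"),
     "issuer": _name("DigiNotar", "DigiNotar Root CA")},
    {"subject": _name("Example Org", "Example Intermediate CA"),
     "issuer": _name("DigiNotar", "DigiNotar Root CA")},
    {"subject": _name("Example Trust", "Example Root CA"),
     "issuer": _name("Example Trust", "Example Root CA")},
]

if __name__ == "__main__":
    print("sample:", find_distrusted(SAMPLE))
    print("this machine:", find_distrusted(system_ca_certs()) or "no match")
```

On an updated machine the second line should report no match; a match means the trust store still needs updating.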

How could this have been used against me?

This particular hack required someone in the position we call Man-in-the-Middle, which means at your ISP or maybe a state firewall (Great Firewall of China, or Iran). There was pretty little to worry about in the United States if you trust that your ISP isn’t hacking.

Doesn’t that mean that the SSL model is flawed?

Yes, if those at the top of this particular pyramid are compromised then we have no real recourse. This is a grim picture, but there are good people looking out for these situations and also trying to come up with a better solution. These hacks are rare, and as long as we keep our software up to date we shouldn’t have to worry.

This was an overly simplified explanation of SSL and this hack in particular. I have tried to be correct in the overall if not in the particulars as that would make it harder to understand. Just remember to update your software regularly and you’ll be fine. If you need help with any software updates, I’m always a phone call away.

  1. dmangus posted this