Download Safari Books Online apps: Apple iOS | Android

Entire Site

Safari Books Online

    Free Trial

    Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.


    Copyright
    Foreword
    Preface
    Ch. 1. The Security Industry Is Broken
    Ch. 2. Security: Nobody Cares!
    Ch. 3. It's Easier to Get "0wned" Than You Think
    Ch. 4. It's Good to Be Bad
    Ch. 5. Test of a Good Security Product: Would I Use It?
    Ch. 6. Why Microsoft's Free AV Won't Matter
    Ch. 7. Google Is Evil
    Ch. 8. Why Most AV Doesn't Work (Well)
    Ch. 9. Why AV Is Often Slow
    Ch. 10. Four Minutes to Infection?
    Ch. 11. Personal Firewall Problems
    Ch. 12. Call It "Antivirus"
    Ch. 13. Why Most People Shouldn't Run Intrusion Prevention Systems
    Ch. 14. Problems with Host Intrusion Prevention
    Ch. 15. Plenty of Phish in the Sea
    Ch. 16. The Cult of Schneier
    Ch. 17. Helping Others Stay Safe on the Internet
    Ch. 18. Snake Oil: Legitimate Vendors Sell It, Too
    Ch. 19. Living in Fear?
    Ch. 20. Is Apple Really More Secure?
    Ch. 21. OK, Your Mobile Phone Is Insecure; Should You Care?
    Ch. 22. Do AV Vendors Write Their Own Viruses?
    Ch. 23. One Simple Fix for the AV Industry
    Ch. 24. Open Source Security: A Red Herring
    Ch. 25. Why SiteAdvisor Was Such a Good Idea
    Ch. 26. Is There Anything We Can Do About Identity Theft?
    Ch. 27. Virtualization: Host Security's Silver Bullet?
    Ch. 28. When Will We Get Rid of All the Security Vulnerabilities?
    Ch. 29. Application Security on a Budget
    Ch. 30. "Responsible Disclosure" Isn't Responsible
    Ch. 31. Are Man-in-the-Middle Attacks a Myth?
    Ch. 32. An Attack on PKI
    Ch. 33. HTTPS Sucks; Let's Kill It!
    Ch. 34. CrAP-TCHA and the Usability/Security Tradeoff
    Ch. 35. No Death for the Password
    Ch. 36. Spam Is Dead
    Ch. 37. Improving Authentication
    Ch. 38. Cloud Insecurity?
    Ch. 39. What AV Companies Should Be Doing (AV 2.0)
    Ch. 40. VPNs Usually Decrease Security
    Ch. 41. Usability and Security
    Ch. 42. Privacy
    Ch. 43. Anonymity
    Ch. 44. Improving Patch Management
    Ch. 45. An Open Security Industry
    Ch. 46. Academics
    Ch. 47. Locksmithing
    Ch. 48. Critical Infrastructure
    Appx. A. Epilogue
    Colophon
    Index
    • Create BookmarkCreate Bookmark
    • Create Note or TagCreate Note or Tag
    • DownloadDownload
    • PrintPrint
    Share this Page URL
    Help

    Chapter 33. HTTPS Sucks; Let's Kill It!

    Chapter 33. HTTPS Sucks; Let's Kill It!

    It's almost impossible to deploy SSL (and its successor, TLS) in a way that leaves everybody actually secure. SSL is great at providing a false sense of security, and not too much else. But, HTTPS (which is a variation of the HTTP protocol that enforces the use of SSL) is even worse, because it is impossible to protect everybody with it.

    First, let's look at applications built using SSL. With most APIs, you can connect easily, with very little code, but the connection isn't validated. You just connect, and you have no idea who you're talking to. The server has even less idea. Usually you do some sort of login jig after that, but there's no guarantee that someone isn't sitting in the middle.


      

    You are currently reading a PREVIEW of this book.

                                                                                            

    Get instant access to over
    $1 million worth of books and videos.

      

    Start a Free Trial