Google develops tool to test SSL implementations


Security researchers from Google have put an open source tool online that lets users test whether their software is vulnerable to known security vulnerabilities in SSL implementations. Installing the tool does require some knowledge.

The tool attempts man-in-the-middle attacks on connections. Users need to install the tool on a server and configure the device they want to test to use that server, for example as a VPN, router or proxy. If the device is vulnerable to known security vulnerabilities in SSL implementations, the tool raises an alarm.

Google has named the tool “nogotofail”, a reference to a serious vulnerability in OS X and iOS that came to light at the beginning of this year. That vulnerability made it possible to read the contents of HTTPS traffic if an attacker was able to intercept the network traffic. It was caused by the text ‘goto fail’ appearing twice where it should have appeared only once. As a result, a server for which the code should actually have raised an alarm was trusted anyway.

The tool also tries to serve SSL certificates for domains other than the visited domain. Software that does not check whether a served SSL certificate is actually for the particular domain fails here. That is what happened to ING: an old version of the bank's mobile banking app did not check the certificate, allowing an attacker to present his own certificate to his victim.

Anyone who wants to install the tool can find the code on GitHub. The tool works best on Linux, and users have to arrange SSL certificates themselves so that the tool can generate fake SSL certificates. Users of the tool will also need to be familiar with the Linux command line.
