Today I listened to episode 179 of the Security Now podcast. Here's a brief summary:
The main theme was certificates, which are used to secure information sent over the internet. For example, banks use certificates to encrypt the data sent to and from your computer when you are performing online banking functions. These certificates are issued to organizations by certification authorities, or CAs, and they can always be traced back to a root CA (like VeriSign). Through a complicated process, some people were able to create a counterfeit certificate that could be traced back to a root CA. This means that their certificate would be trusted by all browsers, and they could issue new certificates that would also be trusted. This process was not easy to complete, but it shows that certificates are not completely secure.
So how can I apply this to a web application? It is still smart to use certificates to send passwords and other sensitive information over the internet, but there is nothing I can do to prevent others from creating counterfeit certificates. The web would have to discontinue use of MD5-signed certificates (MD5 being the hash algorithm used in the signature on the "cracked" certificate) and move to something more secure.
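One check a site owner or browser can apply is to inspect which algorithm signed a certificate and refuse MD5-based ones. The following is an added example, not code from the podcast or the blog: a minimal DER walker that reads the signatureAlgorithm OID from an X.509 certificate, tested against two constructed stand-in certificates (dummy bodies, real algorithm identifiers).

```python
# Added example, not from the blog post: a minimal DER walker that reads the
# signatureAlgorithm OID from an X.509 certificate and flags MD5 signatures.

MD5_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:                  # base-128 arcs, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, cert, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg, 0)           # its first element is the OID
    return decode_oid(oid)

def uses_md5_signature(cert_der):
    """True if the certificate's outer signature relies on MD5."""
    return signature_algorithm(cert_der) == MD5_RSA

# Constructed stand-in certificates: dummy tbsCertificate and signature bits,
# real signatureAlgorithm encodings. Short-form DER lengths are enough here.
def der(tag, content):
    return bytes([tag, len(content)]) + content

def fake_cert(oid_bytes):
    tbs = der(0x30, der(0x02, b"\x01"))                     # dummy tbsCertificate
    alg = der(0x30, der(0x06, oid_bytes) + der(0x05, b""))  # OID + NULL params
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))    # dummy BIT STRING

MD5_CERT = fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04")
SHA256_CERT = fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
```

Real certificates use long-form lengths, which `read_tlv` handles; only the constructed samples are kept short.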
Saturday, January 24, 2009
Tuesday, January 13, 2009
Semester Plan
(Initial Draft)
- Stay up to date with current security issues and solutions through online sources (like OWASP and TWiT's "Security Now" podcast).
- Explore the most commonly exploited security risks in depth, and learn how to protect a system from them.
- Apply the security solutions to the MIS Tutoring System web application.
- Create a list of security "best practices" and update it throughout the semester.
- Prepare some of the information gathered for use in Dr. Piercy's courses.
The Beginning
Since this is my first post, I'll give you a little background on me and the purpose of this blog.
My name is Jacob Prosser, and I am currently a 4th year Senior in my final semester at the University of Georgia. I am pursuing a B.B.A. through the Terry College of Business, and my major is Management Information Systems. In August, I will begin a full-time job at PricewaterhouseCoopers as an IT consultant.
This blog is part of my MIST 5990 directed study course with Dr. Craig Piercy. I plan on studying web application security, and my posts to this blog will reflect what I have learned.