Poodle, a recently discovered vulnerability in an old version of the SSL protocol, poses a threat to a large number of web servers.
New vulnerability in SSL 3.0 can allow attackers to extract data from supposedly secure connections.
Is the era of oversharing over? Recent revelations about state-sponsored surveillance and mega-breaches engineered by cybercrime gangs have put the issue of privacy in the spotlight. After more than a decade where people appeared to be sharing more and more details about themselves online, there is some evidence that a backlash is now underway. Certainly the founders of a number of new social networking services seem to think so and they have made privacy one of the main selling points of their offerings.
One effort at building a more anonymous social network is Secret. Its creators decided to move in the opposite direction to most social networks and minimize the personal information its users share. Available as either an iOS or Android app, it doesn’t use real names or profile photos. Users instead anonymously share text and images. Their posts are shared with other friends who are also on Secret, but users are not told which of their friends authored the post. They can choose to share those posts with their own friends and, if a post goes two degrees beyond its author, it is shared publicly and marked with its broad location (e.g. California).
Secret goes to some lengths to reassure its users of their privacy. For example, it markets itself with the fact that customer data is stored on Google servers – the same servers used in Gmail – and all communications are encrypted with TLS. Message data is encrypted before being written to its servers, and keys are stored in an off-site keystore service that rotates keys. When the app connects a user with someone they know from their contacts book, it doesn’t send phone numbers or email addresses to Secret’s servers. Contact details are locally hashed with a shared salt and the server then compares them against other hashed values.
Secret’s arrival is a sign that social media moguls have spotted which way the wind is blowing. The app was developed by online publishing platform Medium, which was founded by Evan Williams and Biz Stone. Williams was a co-founder of blogging platform pioneer Pyra Labs (and credited with coining the phrase “blogger”) and was later a co-founder of Twitter.
The latest service to launch is Cloaq, which goes far beyond Secret in the level of anonymity it offers its users. Users don’t have to provide any personal information when they sign up, such as their name, email address or phone number. Instead, they choose their own password and Cloaq assigns them a user ID. The company is handing out accounts in batches, e.g. @alpha1 through to @alpha999 and so on. The downside of having such an anonymous service is that anyone who does forget their user ID or password has no way of retrieving it.
In addition to new social media ventures, established operators have also begun to perceive a market for private services. For example, Twitter chief executive Dick Costolo recently said that the company is exploring the option of introducing a “whisper mode” that will allow its users to move conversations into the private sphere. While the company already has a private direct messaging feature, Costolo indicated that the whisper mode would allow for a smoother transition between public and private conversations. Additionally, he indicated that the feature could enable private conversations between more than two people.
Revelations about surveillance have also prompted some of the main online service providers to beef up their privacy measures. For example, Google has now moved to a default encrypted HTTPS connection whenever a user of its email service Gmail logs on. Furthermore, the company said that it was encrypting all traffic on its data center network, meaning that Gmail data will also be encrypted if it moves between Google servers. The move is intended to allay privacy fears following revelations about state-sponsored surveillance of traffic between data centers.
Google isn’t the only company moving to enhance customer privacy. Yahoo has followed suit, switching on HTTPS as a default on Yahoo Mail and encrypting traffic between its data centers. Microsoft, too, has responded to privacy concerns. Likening the threat posed by surveillance to that presented by malware, the company is encrypting content moving between itself and its customers, in addition to encrypting data center traffic.
Whether a permanent shift towards greater anonymity is underway remains to be seen. However, it is clear that the entire industry, from start-ups to the major players, has recognized that it is, for now, a key concern for consumers.