Joyeux Noël ! The Big Bang Experiment OS update Gary Numan - Tetris theme Avira AntiVir
< plus anciens
SQL injection myths and fallacies Injection SQL Sandwich Steam on Ubuntu 3D printers
plus récents >
fail0verflow - Mega & SSL
samedi 26 janvier 2013 à 23:28
Instead of serving the entire site from a single secure server or group of servers using strong SSL, they came up with a clever scheme to allow them to serve most of their site insecurely. Mega’s main index.html is hosted on a secure server using SSL with 2048-bit RSA. However, everything else is loaded dynamically from JavaScript code in index.html, and hash checked. This additional content comes from a CDN that uses weaker 1024-bit SSL with MD5 authentication. The CDN servers are third-party servers, and thus potentially easy to compromise for an attacker. Therefore, you would have to trust the entire CDN network and also trust that nobody has broken 1024-bit SSL yet (which is known to be weak by modern standards). In order to solve this problem, Mega hashes all of the additional content, and stores the hashes in index.html. This creates a chain of trust, or as they put it, “secure boot for websites”. Clever.

Extrait verbatim d'un article du 23/01/2013 du blog fail0verflow