There is a way to protect your password when you press the ‘Purchase’ or ‘Buy’ button on Amazon, Nordstrom, Target or any retail website. The same holds true when logging into Gmail, Yahoo!, Comcast and other mail or social media websites. It is called a security certificate. In short, it is what lets an https connection cover up (encrypt) your password on its way to the website when you hit the ‘submit’ or ‘buy’ button within a webpage.
If you haven’t yet, be sure to set your Facebook preferences or Gmail preferences to always use https – this is a way to protect your password from people who skim the Internet looking to take control of your accounts. It is also important to make sure you are using https on ANY WEBPAGE that asks for your credit card numbers. To set this up on Mozilla Firefox for both Apple machines and Microsoft Windows, you can install HTTPS Everywhere for free into the browser. Get it now by clicking HERE. You can read more about this at “Why Should I Care About HTTPS on Facebook”. Chrome uses one called KB SSL Enforcer. You can select the Install Now link on the developer’s web page.
The important news is that there is a small group of people who are considered TRUSTWORTHY sources, called Certificate Authorities (CAs), who work with the secure https technology in the form of a certificate. Recently, a second CA had been failing in their business and consequently was broken into (i.e., hacked) and impersonated. This means the certificates issued in its name were functional, but they were no longer trustworthy. Evidence shows that the intruders were primarily looking to track information within Iran once they got into the machines that accessed web sites that used certificates from the now-defunct company DigiNotar.
Either way, recent browser updates have started to remove these once ‘valid’ certificates – no longer allowing them access to your computer. You can get the latest updates directly from Microsoft through the microsoft.com updates site if they do not already run automatically, or on an Apple, close out of all your programs and allow “Software Updates…” to run on the computer. Both require a restart. If you use Chrome or Google, you can grab the latest versions here.
It is important to install all of the latest updates for your computer if you do not want your passwords and credit card information in the hands of non-trustworthy hackers.
“…the application will terminate the SSL connection, present a new certificate and then establish an SSL connection to the originally requested site. Because the certificate is self-signed, it would typically throw up an error, allowing the user to notice that there is something going on. This attack works at a lower level. The SSL connection isn’t interrupted. The weakness in using Cipher Block Chaining (CBC) is exploited to get access to the desired information. Whereas in the traditional MITM attack the user has a chance of noticing, with this attack they are unlikely to.”
For the entire technical analysis of this problem, please click on this link…