Security



acmqueue

Originally published in Queue vol. 10, no. 12
see this item in the ACM Digital Library




Related:

Simson Garfinkel, John M. Abowd, Christian Martindale - Understanding Database Reconstruction Attacks on Public Data
These attacks on statistical databases are no longer a theoretical danger.


Rich Bennett, Craig Callahan, Stacy Jones, Matt Levine, Merrill Miller, Andy Ozment - How to Live in a Post-Meltdown and -Spectre World
Learn from the past to prepare for the next battle.


Arvind Narayanan, Jeremy Clark - Bitcoin's Academic Pedigree
The concept of cryptocurrencies is built from forgotten ideas in research literature.


Geetanjali Sampemane - Internal Access Controls
Trust, but Verify



Comments

(newest first)

Poch | Sat, 15 Jun 2013 03:12:04 UTC

Hi Ches, if you're trying to figure out what you'd like to do next in your life, look no further, it's all in you (i.e., what you are already interested in). Even if you try something different (e.g., theatre, poetry, politics, or whatever), you'd still gravitate towards what you are already interested in. By the way, I read about the English word passphrase generation in Jef Raskin's book The Humane Interface. Thanks for the article!


Martin Leiser | Mon, 04 Feb 2013 08:54:36 UTC

Green Book in today's world? How many entries does your password safe have? Mine has nearly 100. How many places besides that do you have passwords stored, e.g. on your mobile phone? You cannot effectively use an Android or Apple phone without storing at least one password in it.

What is completely broken is the aphorism: Don't write your passwords down. Is there an easy way out?

Once your Googlemail password is stolen, the thief may completely impersonate you. Any offer of solutions?


Nate | Thu, 03 Jan 2013 16:57:21 UTC

As someone else said, disabling accounts means that anyone can go around disabling anyone's account by just entering their username and some bad passwords. Disabling is not the answer... just slow the attacker down. It doesn't even take much. Require a 1 second wait between authentications for the same user. Bam, done. Now even a crappy password will take forever to crack.

You also missed the #1 most common attack vector these days - password databases. Someone hacks into a popular server, gets the hashed passwords of everyone on the machine, and sends their cracker at it directly. There's no website to automatically disable their account now. This is why websites need to use slow hashes that take a long time regardless of what surrounding code you have. scrypt seems to be the reigning champion.

Finally, two factor authentication makes all the password cracking in the world nearly useless. Without the keyfob to my work's VPN, I can tell you my username and password, and you still wouldn't be able to get in. And that's the best kind of security against the kind of attacks most people suffer. Someone might get your password, but that same person is highly unlikely to also get your VPN token or cellphone needed for second factor.


Fazal Majid | Wed, 02 Jan 2013 15:35:47 UTC

Disabling an account on repeated login failures is problematic, as it creates a denial of service vector.
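
The two comments above (Nate's "slow the attacker down, don't disable" plus slow hashing, and Fazal Majid's lockout-as-denial-of-service point) can be shown together in a small login checker. This is an added example, not code from the article or from any commenter: it throttles attempts per account without ever disabling the account, and stores passwords with a deliberately slow salted hash (scrypt where the Python build's OpenSSL offers `hashlib.scrypt`, otherwise PBKDF2-HMAC-SHA256). The class and function names, the one-second interval and the scrypt parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Added example (not the article's or any commenter's code). Names, the
# interval and the hash parameters below are assumptions for illustration.

MIN_INTERVAL_SECONDS = 1.0   # minimum gap between attempts on one account


def slow_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash so a leaked database still costs real CPU
    per guess. hashlib.scrypt needs an OpenSSL 1.1+ build; fall back to PBKDF2
    elsewhere so the example runs everywhere."""
    if hasattr(hashlib, "scrypt"):
        # n=2**14, r=8, p=1 are common interactive-login parameters (16 MiB).
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=2 ** 14, r=8, p=1, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               200_000, dklen=32)


class Authenticator:
    """Per-account throttle plus slow-hash verification. The current time is
    passed in explicitly so behaviour is deterministic and testable."""

    def __init__(self, min_interval: float = MIN_INTERVAL_SECONDS):
        self.min_interval = min_interval
        self._users = {}          # username -> (salt, stored hash)
        self._last_attempt = {}   # username -> time of most recent attempt

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, slow_hash(password, salt))

    def login(self, username: str, password: str, now: float) -> str:
        """Returns 'ok', 'throttled' or 'denied'. The account is never
        disabled: a correct password always works once the interval elapsed,
        so knowing a username does not let anyone lock the owner out."""
        last = self._last_attempt.get(username)
        if last is not None and now - last < self.min_interval:
            # Not counted as a failure and nothing is changed; the caller just
            # waits. This caps online guessing at one per interval per account.
            return "throttled"
        self._last_attempt[username] = now

        record = self._users.get(username)
        if record is None:
            # Spend the same hashing cost for unknown users so response time
            # does not reveal which usernames exist.
            slow_hash(password, b"\x00" * 16)
            return "denied"
        salt, stored = record
        if hmac.compare_digest(slow_hash(password, salt), stored):
            return "ok"
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")
    print(auth.login("alice", "correct horse battery staple", now=0.0))  # ok
    print(auth.login("alice", "correct horse battery staple", now=0.5))  # throttled
    print(auth.login("alice", "hunter2", now=1.0))                       # denied
```

The throttle keys on the account, not on the source address, so a distributed guesser gains nothing by spreading attempts across machines, while the legitimate owner is only ever delayed by one interval rather than locked out. The offline case the second comment raises is covered only by the hash cost: with the throttle bypassed entirely (a stolen database), each guess still pays the full scrypt or PBKDF2 work.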


Wouter Blom | Wed, 02 Jan 2013 14:43:10 UTC

What do you think of alternatives like authentication using Twitter or OpenID or Facebook?

Only remember 1 password, which could be complex. And additional authentication (first time in a new browser, check of IP address, check what country you are logging in from, etc.) and the 2-step verification that Google has implemented?


Dmitriy Likhten | Wed, 02 Jan 2013 14:35:39 UTC

Ideally, we would have the following system:

1) Log in to a dedicated service for authentication

2) Use that service for everything.

This way you are not prey to the Google TOS where Google can disable your account or anything, and there is literally one service to remember to log in with.

OR

Use a password store (what I do). I need a 2-factor to log into it. And furthermore, I don't even know my 32 character random bank password, nor do I care what it is.

But most people don't use password stores, idk why.









© 2018 ACM, Inc. All Rights Reserved.