Moxie Marlinspike's presentation on SSL Stripping, while 5 years old, is both fascinating and terrifying. I'm not sure I'll ever turn my secure VPN off again. At the same time, I'm not sure if it really does me any good.
The 55 minutes of his talk are very much worth it. Some moments from the video:
“when looking for security vulnerabilities … it’s good to start with places where developers probably don’t really know what they’re doing but feel really about the solutions they’ve come up with.”
“A padlock, who’d of thought … it doesn’t inspire security.”
“[EV Certs]: Now we’re supposed to pay extra for the Certificate Authorities to do the thing they were supposed to do to begin with.”
And the most important one to remember, which is also the least reassuring:
“Lots of times the security of HTTPS comes down to the security of HTTP, and HTTP is not secure.”
Major props to Zack, who prodded me to watch this many times before I finally ran into it again today.