Intercepting Internet traffic, and spying on the communication between two computers, is a gold mine for hackers. Now Carnegie Mellon University researchers hope software they've built will make it harder for criminals to hit that jackpot.
The software, a free download for the latest version of the Firefox Web browser, gives people an additional way to verify whether the site they're trying to visit is authentic.
Most browsers already alert users when a site appears bogus. One way is by warning that a site claiming to handle confidential information securely is presenting a certificate that no trusted third party, like VeriSign Inc. or GoDaddy.com Inc., has signed. Those are two of many companies that sell so-called Secure Sockets Layer certificates, which a browser checks before it displays the padlock icon in the address bar.
The problem, the Carnegie Mellon researchers say, is that many people are perplexed about how to proceed once they get one of those warnings about a bad certificate.
Some click through, going on to malicious sites that steal their personal information, while others retreat, skipping over harmless sites that use free, "self-signed" certificates that no authority has vouched for.
So the researchers, David Andersen, Adrian Perrig and Dan Wendlandt, created a program that performs a novel extra step. It can query a network of publicly accessible servers that repeatedly connect to Web sites and record, over time, which encryption keys each site presents and when those keys change.
If the key a user's browser is shown differs from what those servers have consistently seen, or has only just appeared, that can be a sign that an attacker is rerouting traffic through machines under their control, a pernicious type of attack known as a "man in the middle."
As a result, the new program either overrides the browser's security warning when the site's key matches what the servers have recorded, or adds its own warning when the key the browser sees disagrees with the servers' records.
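The consistency check described above, as an added illustration rather than the researchers' own code. It assumes a hypothetical set of notary servers that each keep, per site, a list of observed keys with first-seen and last-seen times; the key fingerprints, notary names, dates and the two policy thresholds (how many notaries must agree, and for how many days) are constructed values for the example.

```python
from datetime import datetime, timedelta

# Client policy (hypothetical values chosen for this example).
QUORUM_FRACTION = 0.75  # share of responding notaries that must report the presented key
QUORUM_DAYS = 2         # the key must have been seen consistently for at least this long

NOW = datetime(2024, 6, 1)
DAY = timedelta(days=1)

# Constructed notary histories for one site. Each notary keeps, for every key it
# has observed, the span over which it saw that key. None means the notary
# could not be reached.
NOTARY_REPORTS = {
    "notary-1.example": [
        {"key": "sha1:AAAA", "first_seen": NOW - 400 * DAY, "last_seen": NOW - 1 * DAY},
    ],
    "notary-2.example": [
        {"key": "sha1:AAAA", "first_seen": NOW - 398 * DAY, "last_seen": NOW},
    ],
    "notary-3.example": [
        {"key": "sha1:OLD0", "first_seen": NOW - 900 * DAY, "last_seen": NOW - 401 * DAY},
        {"key": "sha1:AAAA", "first_seen": NOW - 400 * DAY, "last_seen": NOW},
    ],
    "notary-4.example": None,
}

# A second constructed scenario: every notary saw a brand-new key starting yesterday.
FRESH_REPORTS = {
    "notary-1.example": [{"key": "sha1:BBBB", "first_seen": NOW - 1 * DAY, "last_seen": NOW}],
    "notary-2.example": [{"key": "sha1:BBBB", "first_seen": NOW - 1 * DAY, "last_seen": NOW}],
}


def current_key(history):
    """The key a notary saw most recently for this site."""
    return max(history, key=lambda e: e["last_seen"])


def evaluate(presented_key, reports, now, quorum_fraction=QUORUM_FRACTION, quorum_days=QUORUM_DAYS):
    """Decide whether the key the browser was shown agrees with the notaries.

    Returns a dict with a verdict ('accept', 'warn' or 'unknown'), the fraction of
    responding notaries that agree, and how many days the key has been seen.
    """
    responding = [h for h in reports.values() if h]
    if not responding:
        # Nothing to compare against; the browser's own warning must stand.
        return {"verdict": "unknown", "quorum": 0.0, "days": 0,
                "reason": "no notary responded"}

    agreeing = [current_key(h) for h in responding
                if current_key(h)["key"] == presented_key]
    quorum = len(agreeing) / len(responding)
    if quorum < quorum_fraction:
        # The notaries see a different key than this browser does: someone may be
        # sitting between the user and the site.
        return {"verdict": "warn", "quorum": quorum, "days": 0,
                "reason": "notaries see a different key; possible man in the middle"}

    # Only trust a key that the agreeing notaries have all seen for long enough;
    # a key that appeared everywhere yesterday could be an attacker who also
    # intercepts the notaries' probes.
    days = min((now - e["first_seen"]).days for e in agreeing)
    if days < quorum_days:
        return {"verdict": "warn", "quorum": quorum, "days": days,
                "reason": "key is too new to trust"}
    return {"verdict": "accept", "quorum": quorum, "days": days,
            "reason": "key consistent across notaries"}


if __name__ == "__main__":
    for label, key, reports in [("legitimate", "sha1:AAAA", NOTARY_REPORTS),
                                ("intercepted", "sha1:EVIL", NOTARY_REPORTS),
                                ("just rotated", "sha1:BBBB", FRESH_REPORTS)]:
        print(label, evaluate(key, reports, now=NOW))
```

The two thresholds are where the trade-off lives: a higher quorum fraction or a longer minimum age makes a short-lived interception harder to pass off as a legitimate key, at the cost of warning about genuine key rotations until the notaries have had time to observe them.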