
Security

Independent Iranian hacker claims responsibility for Comodo hack

The hack that resulted in Comodo creating certificates for popular e-mail providers including Google Gmail, Yahoo Mail, and Microsoft Hotmail has been claimed as the work of an independent Iranian patriot. A post made to the text-sharing site pastebin.com by a person going by the handle "comodohacker" claimed responsibility for the hack and described details of the attack. A second post provided source code that appears to have been reverse-engineered as part of the attack.

Whether the postings are authentic and accurate is, at present at least, a matter of conjecture. The post specifies a number of details that appear authentic. The writer fingers Italian Registration Authority GlobalTrust.it/InstantSSL.it (the same company operating under multiple names) as the weak link. A Registration Authority (RA) is essentially a local reseller for a Certification Authority (CA): in principle, the RA performs the identity validation that would be too difficult or expensive for the root CA to do itself, then sends a request to the root CA to generate the appropriate certificate. Comodo's systems trust that the RA has done its job and issue the certificate, so anyone holding an RA's credentials can obtain certificates for names the RA never actually validated. This is consistent with Comodo's statement that it was a Southern European company that was compromised.
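
The practical consequence of the RA model is that a certificate for mail.google.com obtained through a compromised reseller chains to a trusted root exactly as well as the real one, so ordinary chain validation accepts it. One defence is for the client to pin which issuer it expects for a given host and refuse anything else. The following is an added example, not code from the article or from Comodo: the two certificates, the issuer names and the `PINS` table are constructed, laid out in the dict format that Python's `ssl.SSLSocket.getpeercert()` returns, and `check_pin` is a hypothetical helper.

```python
"""Issuer pinning on top of normal chain validation, using the dict layout
that ssl.SSLSocket.getpeercert() returns. Added example; not from the article."""
import socket
import ssl


def _name_attr(name, attr):
    """Extract one attribute from a getpeercert() subject/issuer tuple, e.g.
    ((('countryName', 'US'),), (('organizationName', 'X'),)) -> 'X'."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def _host_matches(host, pattern):
    """Exact match or single-label wildcard match ('*.google.com')."""
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return host == pattern


def check_pin(cert, host, pins):
    """cert: dict as returned by getpeercert() after chain validation passed.
    pins: {hostname: set of issuer organizationName values allowed to vouch
    for that host}. Returns (ok, reason)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_host_matches(host, p) for p in sans):
        return False, f"certificate does not cover {host}"
    issuer = _name_attr(cert["issuer"], "organizationName")
    allowed = pins.get(host)
    if allowed is None:
        return True, "no pin for this host; chain validation is the only check"
    if issuer in allowed:
        return True, f"issuer {issuer!r} is pinned for {host}"
    return False, f"chain-valid certificate for {host} from unpinned issuer {issuer!r}"


def fetch_and_check(host, pins, port=443, timeout=5):
    """Live variant (needs network): let ssl validate the chain and hostname,
    then apply the pin to the leaf certificate it hands back."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_pin(tls.getpeercert(), host, pins)


# Constructed sample data (not real certificates): both certs would pass
# chain validation; only the pin tells them apart.
PINS = {"mail.google.com": {"Example Public CA"}}

LEGIT_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),)),
    "subjectAltName": (("DNS", "mail.google.com"), ("DNS", "*.google.com")),
}

ROGUE_CERT = {  # issued via a compromised reseller for a name it never validated
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("organizationName", "Example Reseller CA"),),),
    "subjectAltName": (("DNS", "mail.google.com"),),
}

if __name__ == "__main__":
    for label, cert in (("legitimate", LEGIT_CERT), ("rogue", ROGUE_CERT)):
        print(label, check_pin(cert, "mail.google.com", PINS))
```

Pinning by issuer name is the simplest form and is enough to catch the case in this story, where a well-known site suddenly presents a leaf signed by a CA it has never used. A stronger pin records the hash of the expected public key (the SPKI), since a name in an issuer field is far easier for a rogue certificate to reproduce than a private key is.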


Feature: How the Comodo certificate fraud calls CA trust into question

Recently at Ars we've had a couple of discussions about the use of HTTPS (that is, HTTP secured using SSL or TLS) for every website, as a way of keeping sensitive information out of reach of eavesdroppers and ensuring privacy. That's definitely a good thing, but it has a catch: it only helps if HTTPS is actually effective at protecting privacy, and that in turn depends on trusting the Certificate Authorities that vouch for a server's identity. Recent goings on at Certificate Authority (CA) Comodo provide compelling evidence that such trust is misplaced.

There are two interrelated aspects to SSL. The first is encryption, ensuring that nobody but the two endpoints can read the communication between a client and a server; the second is authentication, proving to the client that it is actually communicating with the server it thinks it's communicating with. When a client first connects to an HTTPS server, both parties have a bit of a problem. They would like to encrypt the information they send each other, but to do this they both need to be using the same encryption key. Obviously, they cannot just send the key to each other, because anyone listening in on the connection would see it and could use it to decrypt the communication. Fortunately, clever mathematics (a key-agreement scheme such as Diffie-Hellman) allows both parties to arrive at a shared key without ever transmitting it, so an eavesdropper who sees every message still cannot recover the key. What the mathematics cannot do on its own is tell the client whom it has agreed a key with; that is the authentication half, and it is where certificates and CAs come in.
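
To make the split between the two halves concrete, here is an added example (not code from the article) of Diffie-Hellman key agreement followed by the man-in-the-middle attack that succeeds when nothing authenticates the exchanged public values. It assumes the 1024-bit MODP group from RFC 2409 (Oakley group 2) with generator 2, transcribed here for illustration; verify the constant against the RFC before reusing it, and note that 1024-bit groups are too small for production use today. The party names and function names are the example's own.

```python
"""Toy Diffie-Hellman key agreement, plus the man-in-the-middle that succeeds
when the exchange is not authenticated. Added example; not from the article."""
import secrets

# Assumption: RFC 2409 Oakley group 2 (1024-bit MODP), generator 2. Transcribed
# for illustration; check it against the RFC, and do not use 1024-bit DH in
# anything real.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def keypair():
    """Private exponent x and public value g^x mod p for one party."""
    x = 2 + secrets.randbelow(P - 3)  # x in [2, P-2]
    return x, pow(G, x, P)


def shared_secret(my_private, their_public):
    """(g^y)^x mod p, the same value both honest parties compute."""
    return pow(their_public, my_private, P)


def honest_exchange():
    """Client and server swap public values over the wire. A passive
    eavesdropper sees g^a and g^b but neither a, b nor g^(ab)."""
    a, client_pub = keypair()
    b, server_pub = keypair()
    wire = (client_pub, server_pub)  # everything a passive listener gets
    return shared_secret(a, server_pub), shared_secret(b, client_pub), wire


def mitm_exchange():
    """Mallory intercepts both public values and substitutes her own. Each
    endpoint completes the exchange normally, but each now shares a key with
    Mallory rather than with its peer. Nothing in the arithmetic detects
    this; only authenticating the public values does, which is what the
    server certificate (and therefore the CA) is for."""
    a, client_pub = keypair()
    b, server_pub = keypair()
    m, mallory_pub = keypair()
    server_key = shared_secret(b, mallory_pub)  # server received mallory_pub, not client_pub
    client_key = shared_secret(a, mallory_pub)  # client received mallory_pub, not server_pub
    return {
        "client_key": client_key,
        "server_key": server_key,
        "mallory_to_client": shared_secret(m, client_pub),
        "mallory_to_server": shared_secret(m, server_pub),
    }


if __name__ == "__main__":
    ck, sk, _ = honest_exchange()
    print("honest exchange, keys agree:", ck == sk)
    r = mitm_exchange()
    print("mitm, endpoints agree:", r["client_key"] == r["server_key"])
    print("mitm, Mallory holds both keys:",
          r["mallory_to_client"] == r["client_key"] and r["mallory_to_server"] == r["server_key"])
```

The two runs end in states that look identical from inside either endpoint: a key was agreed and traffic is encrypted. The difference is only visible if the client can verify that the public value it received really came from the server, and in HTTPS that verification bottoms out in a CA's signature, which is exactly the link the Comodo incident broke.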


RSA says hack won't allow "direct attack" on SecurID tokens

Security firm RSA has been the victim of an "extremely sophisticated" attack that has resulted in exfiltration of certain private information, announced Executive Chairman Art Coviello in an open letter published yesterday. The company also filed a note with the SEC, warning of possible risks due to the attack. Since 2006, RSA has been part of EMC.


Ask Ars: How can I secure data I need to carry with me?

In 1998, Ask Ars was an early feature of the newly-launched Ars Technica. Now, as then, it's all about your questions and our community's answers. Each week, we'll dig into our question bag, provide our own take, then tap the wisdom of our readers. To submit your own question, see our helpful tips page.

Question: What's the most secure way to transport 100GB of data via Sneakernet?

Sharing small files across the Internet with a good amount of security keeps getting easier, but large datasets can still create long, painful upload times. In this video edition of Ask Ars, we cover the most secure ways to transport large datasets by trekking the dusty trail, otherwise known as Sneakernet, even with predators in hot pursuit.


Twitter settles with FTC over security breaches

The Federal Trade Commission (FTC) has accepted the proposed settlement with Twitter over its 2009 security breaches. The settlement was first proposed in mid-2010 when the FTC said that Twitter had "serious lapses in the company’s data security," and as a result, Twitter must implement and maintain a "comprehensive information security program" that will be independently evaluated every other year for 10 years.

The social media service had come under fire for making private tweets and the login credentials of users easily available to "hackers" between January and May of 2009. During that time, someone was able to gain administrative access to Twitter's system (and therefore access to thousands of user accounts, passwords, direct messages, and more) simply by using password-guessing software. That user reset numerous user passwords, allowing others to access those accounts.

There was also a separate incident in which another user was able to get into a Twitter employee's Gmail account and steal more passwords that were stored in plaintext, which were then used to guess that employee's admin password to the Twitter system.

The FTC issued a warning to Twitter a year later, and the finalized settlement was unanimously approved on Friday. There aren't many changes to the settlement between last year and now, except that Twitter's new security program will get evaluated every other year instead of every three years. Additionally, Twitter is barred from misleading consumers about its security practices for 20 years. Hopefully the company doesn't plan to mislead anyone at the 21-year mark.


FBI, Justice Department investigating NASDAQ hacking attempts

NASDAQ OMX, the company that operates the Nasdaq stock exchange, has said that part of its online network has been penetrated by unknown hackers. Suspicious files were discovered on NASDAQ servers, triggering a federal investigation into the matter. The company stressed that servers and networks that handle trading activity show no signs of compromise.

Discovery of the breach happened late last year, triggering a Secret Service investigation to try to find out who was responsible and what the possible motive might have been. Since then, both the FBI and Department of Justice have joined the investigation, as NASDAQ's exchange is considered a critical part of the US economic infrastructure.

The attack happened on servers that run NASDAQ's Directors Desk web app, which allows corporate board members to store and share certain company-related information. The suspicious files, which may have been part of some type of malware, were removed from the system as soon as they were discovered.

NASDAQ OMX originally did not publicly reveal that its systems had been compromised so that federal investigators could conduct their investigation without alerting the perpetrators. However, news of the hack was reported by The Wall Street Journal on Saturday, which cited anonymous sources with knowledge of the incident. That prompted the company to make an official statement, saying there is no evidence that any customer information was accessed. NASDAQ's trading platforms, which run on servers separate from Directors Desk, were also not affected.

"At no point was any of NASDAQ OMX's operated or serviced trading platforms compromised," the company told The New York Times. So far, the hackers appear merely to have explored the system, possibly looking for additional vulnerabilities.

NYT also noted that NASDAQ is responsible for about 19 percent of US stock trades. If hackers could directly affect trades, or merely damage NASDAQ's trust relationship with traders, it could have a significant impact on the US economy. A report in 2009 noted that the US's heavy reliance on a digital infrastructure and information-based economy made it particularly vulnerable to such attacks.


Report: USA tops when it comes to cyber-combat

A survey of cyberspace says that the United States enjoys the honor of being the world's "top attack traffic source," accounting for 12 percent of all such malicious data—eight percent of the globe's in the third quarter of 2010.

This could represent the activities of "infected hosts that are looking for other hosts to spread to, or it may represent brute force attempts to log in to other systems," according to Akamai Technologies' David Belson. It's all in the content delivery network's latest State of the Internet report (registration required).


Understanding bufferbloat and the network buffer arms race

If a little salt makes food taste better, then a lot must make it taste great, right? This logic is often applied in the digital domain, too. (My pet peeve is that TV shows and DVDs keep getting darker and darker.) In a similar vein, networks used to buffer a little data, but these buffers have been getting larger and larger and are now getting so big they are actually reducing performance. Long-time technology pundit Bob Cringely even deemed the issue worthy of three of his ten predictions for the new year.

Networks need buffers to function well. Think of a network as a road system where everyone drives at the maximum speed. When the road gets full, there are only two choices: crash into other cars, or get off the road and wait until things get better. The former isn't as disastrous on a network as it would be in real life: losing packets in the middle of a communication session isn't a big deal. (Losing them at the beginning or the end of a session can lead to some user-visible delays.) But making a packet wait for a short time is usually better than "dropping" it and having to wait for a retransmission.
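
To see why "a bigger buffer is better" fails, here is an added simulation (not code from the article) of a single bottleneck link behind a tail-drop FIFO buffer of configurable size, fed by a greedy sender that always has more to send. The tick granularity, the two-packets-in/one-packet-out rates and the buffer sizes are constructed parameters, and `simulate` and `compare` are the example's own names.

```python
"""Discrete-time simulation of one bottleneck link with a tail-drop FIFO
buffer, to show what a larger buffer does to latency and throughput.
Added example; not from the article."""
from collections import deque


def simulate(buffer_pkts, ticks=5000, offered_per_tick=2, link_per_tick=1):
    """A greedy sender offers `offered_per_tick` packets every tick to a link
    that forwards `link_per_tick`. Returns throughput (packets delivered per
    tick), total drops and queueing-delay statistics in ticks."""
    queue = deque()  # enqueue tick of every buffered packet, oldest first
    delivered = drops = 0
    delays = []
    for t in range(ticks):
        for _ in range(offered_per_tick):
            if len(queue) < buffer_pkts:
                queue.append(t)
            else:
                drops += 1  # tail drop: the buffer is full
        for _ in range(link_per_tick):
            if queue:
                delays.append(t - queue.popleft())
                delivered += 1
    tail = delays[len(delays) // 2:]  # second half of the run, past warm-up
    return {
        "throughput": delivered / ticks,
        "drops": drops,
        "max_delay": max(delays),
        "steady_delay": sum(tail) / len(tail),
    }


def compare(small=10, large=1000):
    """Same link, same sender, two buffer sizes."""
    return simulate(small), simulate(large)


if __name__ == "__main__":
    for size in (10, 100, 1000):
        r = simulate(size)
        print(f"buffer={size:5d} pkts  throughput={r['throughput']:.2f}/tick  "
              f"steady delay={r['steady_delay']:.0f} ticks  drops={r['drops']}")
```

With a sender that never backs off, throughput is pinned at the link rate whatever the buffer size, and in steady state one packet is still dropped every tick; the only thing the larger buffer changes is that every delivered packet now waits roughly the whole buffer's worth of ticks. The big buffer did not prevent loss, it just postponed the loss signal the sender needs in order to slow down, which is the bufferbloat problem in miniature.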


New national cybersecurity plan? Zeus trojan says bring it on

Following a quick trip to the Consumer Electronics Show in Las Vegas, United States Secretary of Commerce Gary Locke is headed for the Stanford Institute for Economic Policy Research on Friday. He's there to talk up the Obama administration's efforts to "enhance online security and privacy," plus the "next steps in meeting the challenges of a growing cyber world," according to a press statement.

The plan is to launch a National Strategy for Trusted Identities in Cyberspace (NSTIC)—a bid to support private-sector solutions to make the online environment more secure. The sooner the better, because the Zeus (or ZeuS) Trojan has struck again, this time targeting government employees.
