Flying the insecure skies
Written by Clint Ruoho
Wednesday, 14 May 2008 12:14

Online airline check-in has fallen under scrutiny lately due to relaxed security controls. Several airlines protect their patrons by using SSL or TLS to encrypt traffic on the internet. However, many airlines have chosen not to encrypt sensitive username, password and frequent flyer information when customers log in to their websites. Laconic Security investigated the widespread use of non-encrypted web pages for frequent flyer logins and online check-in.

Over the past several years, the security industry has paid a great deal of attention to online boarding passes. European carrier Ryanair was embarrassed when it was revealed that none of its online check-in took place over SSL. Security researchers demonstrated how a simple boarding pass could be leveraged to commit full-blown identity theft. In 2008, one would think that the leading airlines in the United States would use SSL to protect their customers during the online check-in process. Unfortunately, this is not the case.

During a quick investigation, we found four major airlines that failed to implement SSL for online check-in. The amount of information sent in the clear varies from airline to airline, but in each case it can be used to obtain at least the full information contained on a boarding pass. Some airlines are even worse: one in particular lacked SSL on the login page for its frequent fliers, which has been a known issue for nearly two years.

The resistance of airlines to using SSL to protect their customers' personal data is questionable. As recent studies have shown, SSL has little overhead on modern web applications. Given the ease with which identity theft can be performed using the information contained on a boarding pass, why are these airlines still passing their customers' personal information in plaintext, potentially across insecure wireless networks, and certainly across the big bad internet?
Prior to the publication of this article, Laconic Security contacted both the WHOIS technical contact and any relevant contacts listed on the susceptible airlines' web pages. To date, none have been fixed.
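The two conditions the article describes, a login or check-in page served over plain HTTP and a credential form that submits over plain HTTP, can be checked mechanically from a page's URL and HTML. The following is an added example written for this page, not code from Laconic Security; the sensitive field-name list and the sample airline page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input names that suggest credentials or frequent flyer identifiers (assumed list; extend as needed)
SENSITIVE_FIELDS = ("password", "passwd", "pin", "ffn", "frequentflyer", "membernumber")


class _FormCollector(HTMLParser):
    """Collect every <form> on the page with its action and the type/name of each <input>."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(((a.get("type") or "text").lower(),
                                            (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _collects_credentials(form):
    return any(t == "password" or any(k in n for k in SENSITIVE_FIELDS)
               for t, n in form["inputs"])


def audit_login_forms(page_url, html):
    """Return (finding, page_url, submit_url) tuples for each credential form exposed in cleartext.
    'page-not-https': the page itself is plain HTTP, so a network attacker can rewrite the form.
    'form-posts-plaintext': the form action resolves to plain HTTP, so credentials travel in the clear."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    page_https = urlsplit(page_url).scheme.lower() == "https"
    for form in parser.forms:
        if not _collects_credentials(form):
            continue
        target = urljoin(page_url, form["action"])  # empty action means "post back to this page"
        if not page_https:
            findings.append(("page-not-https", page_url, target))
        if urlsplit(target).scheme.lower() != "https":
            findings.append(("form-posts-plaintext", page_url, target))
    return findings


# Constructed sample: a frequent flyer login page served over plain HTTP that also posts over HTTP
SAMPLE_URL = "http://checkin.example-airline.invalid/login"
SAMPLE_HTML = """<html><body>
<form action="/doLogin" method="post"><input type="text" name="ffNumber"><input type="password" name="pin"></form>
<form action="https://search.example-airline.invalid/q"><input name="q"></form>
</body></html>"""
```

A site search form without credential fields is deliberately left unflagged, so the audit reports only forms that carry the data the article is concerned with.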