2011-02-18

Sony not using secure connections in PS3



Since the PS3 has gotten more and more open, people have been looking into its security methods.
Some things that have been found are borderline scary.

One fact uncovered is that credit card data used to make purchases on PSN is not encrypted separately; Sony instead relies on standard SSL. The problem is that SSL only protects the data between the two endpoints, and with so many users running custom firmware (that other people made), there's no guarantee that a user's firmware isn't copying the information and sending it elsewhere (as it's easy to sign your own SSL certificates). In addition, many users with modded PS3 systems set alternate DNS servers in order to bypass some of Sony's firmware checks when allowing PSN access. These DNS servers could also be re-routing personal and financial information to places other than Sony's servers.
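To show what "encrypted separately" means in practice, here is an added example (not code from Sony or from the original post) that seals the card fields to a payment backend's public key before they go over SSL, so a rerouted or TLS-terminating server holds only ciphertext. The key pair, function names and sample card are constructed for illustration, and the public key is assumed to ship inside the client; this layer does not help against firmware that reads the data before it is sealed.

```javascript
// Added example: field-level ("separate") encryption of card data underneath TLS.
// Assumption: the key pair generated below stands in for a payment backend key
// whose public half would be embedded in the client.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client side: seal the card fields so only the private-key holder can read them.
function sealCardData(publicKey, card) {
  const dek = crypto.randomBytes(32);   // one-time AES-256 data key
  const iv = crypto.randomBytes(12);    // 96-bit GCM nonce
  const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(card), 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, dek).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
}

// Backend side: unwrap the data key, then decrypt and authenticate the fields.
function openCardData(privateKey, env) {
  const dek = crypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(env.wrappedKey, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', dek, Buffer.from(env.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(env.tag, 'base64'));
  const plain = Buffer.concat([decipher.update(Buffer.from(env.ciphertext, 'base64')), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// What a host terminating the SSL session would hold: the envelope, no private key.
function visibleToIntermediary(env) {
  return JSON.stringify(env);
}

// Constructed sample input (a well-known test card number, not real data).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleCard = { pan: '4111111111111111', expiry: '12/30', cvv: '123' };
const envelope = sealCardData(publicKey, sampleCard);
console.log('on the wire:', visibleToIntermediary(envelope).slice(0, 60) + '...');
console.log('backend recovers PAN ending', openCardData(privateKey, envelope).pan.slice(-4));
```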

The documents provided mention more about what the PS3 communicates back to Sony, which includes info such as your television model, any attached USB devices, and your playtime habits.

This information raises many questions.

How far should companies go to keep customer financial information out of the wrong hands?
Should customers be told that a company is collecting information from outside the system?
What personal information do they have the right to collect?
