Report: PSN hacked, custom firmware could pose security risk to users (arstechnica.com)
60 points by evo_9 on Feb 17, 2011 | 19 comments


Here is the PDF - http://ps3crunch.com/wp-content/uploads/2011/02/psn.pdf

You'll notice this: "Even if a connection is SSL encrypted, companies are aware of the big risk behind custom CA files and it's possibilitie"

So AFAIK, Sony uses SSL but these guys think it's not enough. So the headline and original article are an exaggeration.

Again from PDF "SONY is only relying on it's https connection. With all those CFWs spreading around, this is not secure anymore."

- Which is total BS. If you are downloading a custom firmware, that's not Sony's problem; go blame the firmware developer and yourself for running something on your system from an untrusted source.

So it looks like collecting information is the truth (as expected) and the rest of the article is just baseless accusation.


Irony of ironies, I actually got a lecture from a PS3 engineer about how insecure SSL is with only a server-side certificate, along with a demonstration of sniffing the traffic via Charles. I had to point out that A) you have to accept Charles' root cert and B) distributing client certificates for a consumer web app is a non-starter.


:) It's amazing to see how most developers are clueless about SSL, quite a while ago I even wrote an FAQ about it: http://ferruh.mavituna.com/ssl-implementation-security-faq-o...


Executing unknown binaries has unknown consequences. News at 11.


So let me get this straight - if I run custom software on my device, provided by someone I don't know, and my credit card number is stored on that device, it's possible for the unknown software provider to READ MY DATA?!

Amazing.


Anyone want to pull out a packet-sniffer and verify?


If you were able to see the data using a packet sniffer, that would mean they're not using SSL to transmit the data...

"No sergeant, your men are already dead."


I believe it's lieutenant :) (I have seen that film far, far too many times)


Or you're any of the hundreds of organizations that are known to have root or intermediate CA certificates. E.g., the former government of Tunisia.

Or any of the unknown number of intermediates who are not known.


This is only the case if those root certificates are installed on the Playstation. I'm not sure if we know which ones are.

For the purposes of PSN they'd only need Sony root certificates, but I expect that they have others for general web browsing.


My guess is they have a large-ish set of root certs like every other SSL/TLS library, but one or more may be marked 'magic' in some way. Plus they'll probably want the option to utilize third-party CDNs at some point which often implies a common CA.

Given the rest of what's known about their design I doubt they've deliberated it at a particularly high level in their organization. Or at least, high enough where management doesn't see the benefit of maintaining their own trust root and is glad for the opportunity to outsource something critical.


Good. I posted that before they updated their post to clarify that they were sending data over SSL. It doesn't sound like the issue is as bad as they had originally insinuated.


I have; the only things I see are:

HTTP Request - Update check.
HTTPS Request - Login.
HTTP - Friend list update.
HTTP - PSN keep alive message every few mins.

It seems the problem is stemming from custom firmware: http://arstechnica.com/gaming/news/2011/02/report-psn-hacked...


No details and a single "anonymous hacker" is your source? I really hope this isn't the future of journalism.


Look around, the future is here.


If online journalism becomes all about pageviews and spot traffic, this will be par for the course.


I lost my belief in Sony ever since the rootkit scandal a couple of years ago. http://en.wikipedia.org/wiki/Sony_BMG_CD_copy_protection_sca.... They don't know how to do software. Would always stay away from them.


If you read and understand the article, you see that Sony did nothing wrong in its implementation. The hack involves installing custom firmware with bad root certificates, which is hardly Sony's problem or fault.


Utterly unsurprising, considering Sony's heritage. They're thugs.

http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...



