Software engineers at the German c't magazine have taken the Windows 10 security architecture apart, and the result is sobering.
The core problem: Windows 10 does not use "certificate pinning". Its components accept any certificate that chains to one of the many CAs in the Windows trust store, instead of insisting on the specific key that Microsoft's own servers present.
That leads to the following security problems:
1. A "man in the middle" (MITM) attack becomes possible. Anyone who sits on the network path and holds a certificate the client trusts (issued, stolen or coerced from any CA in the trust store) can terminate the connection with something as simple as an NginX configured as a "reverse proxy", read the decrypted traffic (the article lists SSL, TLS and VPN traffic) and forward it on. Without pinning, the client has no way to notice that the certificate is not the one Microsoft's servers actually use.
And, of course, they did exactly that. What they discovered is not amusing:
2. BitLocker recovery keys, your company's WLAN passwords (from the workstations) and the passwords for accessing Microsoft's cloud services get transferred into Microsoft's cloud, for whatever reason. Two Windows 10 default behaviours do exactly this: Device Encryption escrows the BitLocker recovery key to the user's Microsoft account, and Wi-Fi Sense passes saved Wi-Fi credentials through Microsoft's servers.
3. The Edge browser is able to enforce key pinning, but in the tests it only did so when accessing Dropbox, not even for Microsoft's own OneDrive. So an attacker in the path with a trusted-but-fraudulent certificate can read your bank login, password and account data at the moment. Chrome has shipped a built-in list of pinned keys for years, so the same attack fails against the sites on that list (Google's own services among them); sites not on the list are exposed in Chrome too.
4. When updating Windows 10, the updater does not verify the update contents itself: according to the article it does not check the packages' checksums, so a 'man in the middle' can replace genuine Microsoft update packages with his own trojans. Any valid code-signing certificate is sufficient, as with the stolen Realtek and JMicron certificates that Stuxnet used to sign its drivers, which VeriSign only revoked months later. The flaw is the same as with pinning: the check asks "does some trusted CA vouch for this signer?" instead of "is this Microsoft's key?".
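To make the pinning point in items 1 and 3 concrete, here is an added example written for this page (it is not c't's or Microsoft's code) in Go: a tiny CA, the genuine server certificate, and a second certificate for the same host that an interceptor obtained from that same trusted CA, which is exactly the reverse-proxy situation. A client that only does the standard chain and hostname check accepts the interceptor; a client that additionally pins the genuine server's public key rejects it. The hostname `update.example.test`, the CA name and all keys and certificates are constructed inside the code (nothing is fetched), and the pin format follows RFC 7469 (base64 of the SHA-256 of the SubjectPublicKeyInfo).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

const host = "update.example.test" // hostname the client believes it is contacting (constructed)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// spkiPin is the HPKP-style pin from RFC 7469: base64(SHA-256(SubjectPublicKeyInfo DER)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// issue generates a fresh P-256 key and a certificate for tmpl signed by parent (self-signed if parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// pinCheck runs only after Go's normal chain and hostname validation succeeded (so every chain it sees
// was issued by a trusted CA) and additionally requires a pinned key somewhere in that chain.
func pinCheck(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, c := range verifiedChains[0] {
			if pins[spkiPin(c)] {
				return nil
			}
		}
		return fmt.Errorf("pin mismatch: chain for %s is CA-trusted but carries no pinned key", host)
	}
}

// handshake does one loopback TLS handshake against a server holding cert/key; the client trusts roots
// and, when pins is non-nil, enforces them. It returns the client's handshake error (nil = accepted).
func handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool, pins map[string]bool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}})
	check(err)
	defer ln.Close()
	go func() { // server side: one handshake, which fails when the client rejects the certificate
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cli := &tls.Config{ServerName: host, RootCAs: roots}
	if pins != nil {
		cli.VerifyPeerCertificate = pinCheck(pins)
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Scenario (constructed): one CA the client trusts, the genuine server certificate, and a second certificate
// for the same host that an interceptor obtained from the same CA. The client pins only the genuine key.
// Returns the errors for: pinned client vs genuine, unpinned client vs interceptor, pinned client vs interceptor.
func Scenario() (genuineErr, mitmUnpinnedErr, mitmPinnedErr error) {
	now := time.Now().Add(-time.Minute)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Trusted CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := issue(caTmpl, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now, NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	genuine, genuineKey := issue(leaf, ca, caKey)
	leaf.SerialNumber = big.NewInt(3)
	mitm, mitmKey := issue(leaf, ca, caKey) // same name, same trusted CA, attacker's own key
	pins := map[string]bool{spkiPin(genuine): true} // what a pinning client ships with
	return handshake(genuine, genuineKey, roots, pins), handshake(mitm, mitmKey, roots, nil), handshake(mitm, mitmKey, roots, pins)
}

func main() { fmt.Println(Scenario()) }
```

The second result is the whole problem in one line: with only the standard check, the interceptor's CA-issued certificate is accepted and the proxy reads everything. The same principle applies to item 4: verifying an update means checking that the signature chains to Microsoft's specific publisher key, not merely to "some trusted code-signing certificate".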
Note: the attacker first has to get into the data path. One way is a general weakness of BGP (Border Gateway Protocol) that allows an attacker to reroute data streams across the globe, as happened here: http://research.dyn.com/2015/03/uk-traffic-diverted-ukraine/ Rerouting alone does not break TLS, though; it only puts the attacker in the middle. It is the missing pinning that lets a trusted-but-fraudulent certificate turn that position into readable traffic, and a rogue Wi-Fi access point, a compromised router or an ARP-spoofing machine on the same LAN gives the same position without touching BGP.
Recent large compromises show what is at stake (none of these reports traces the break-in to BGP rerouting or TLS interception, so read them as examples of scale, not as proof of this attack):
http://www.bloomberg.com/news/articles/2015-07-09/hackers-stole-government-data-on-25-7-million-people-u-s-says
http://arstechnica.com/security/2015/10/highly-personal-data-for-15-million-t-mobile-applicants-stolen-by-hackers/
http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/
http://www.ibtimes.co.uk/billion-dollar-bank-job-how-hackers-stole-1bn-100-banks-30-countries-1488148
https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/
Microsoft has not yet responded to these findings.