Encryption and Man-in-the-Middle Attacks
The initial problem with Amazon’s Silk browser and security was its approach to encrypted connections. When you connect to a secure website, such as your online-banking site or any website that collects your credit card number, your Web browser establishes a secure connection directly with the Web server. The secure connection is displayed as a URL starting with “https://" in your Web browser’s address bar. Web browsers also show lock icons for these SSL connections.
What’s Silk’s approach? According to the Silk FAQ, Amazon “will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL." Many websites and commentators took this to mean that Amazon would establish the connection to your bank and send the results to you. This would introduce an extra party into your secure transaction: the connection would no longer be just between your Web browser and your bank. It’d be between your Web browser, Amazon and the bank.
In security terms, this was similar to a man-in-the-middle attack. Amazon clarified what Silk actually does on October 18, 2011. In a response to the Electronic Frontier Foundation, Amazon’s Jon Jenkins stated that “secure web page requests (SSL) are routed directly from the Kindle Fire to the origin server and do not pass through Amazon’s EC2 servers."
If Amazon’s servers were compromised, only the unencrypted traffic passing through them could be snooped on. Amazon, as a large online retailer, has experience and a strong record in security. Still, high-profile attacks in the past, including the attack on Sony’s PlayStation Network, have highlighted how vulnerable large corporations can be to security problems.