Sort of secure socket layer

Subject: General Tech | September 20, 2011 - 09:02 AM |
Tagged: fud, SSL, tls, security

The good news about the discovery that the encryption procedure behind Secure Socket Layer and Transport Layer Security has been compromised is that the newest versions of both SSL and TLS are still safe and they have been available for a while now.  The bad news is that not only do only a tiny handful of websites utilize TLS 1.1/1.2 and SSL 3.0, most browsers don't even support the updated protocols.  Oddly Internet Explorer and Internet Information Services both support the newer protocols, though they are not enabled by default; the only one that does have TLS 1.2 enabled by default is Opera.  

You don't have to immediately switch browsers, in order for your secure connection to be compromised the attacker first has to compromise your browser or machine in order to get JavaScript code to run in your browser before they can start the decryption process.  It is not the quickest peice of programming either ... yet.  In the proof of concept that The Register references a 1000-2000 character long cookie will take about a half hour to crack, which is most likely longer than the average connection to your PayPal account will last, which is the site they used as an example.   Of course if you throw a dozen Tesla cards at it and it will probably decrypt the packets at a much quicker pace.

View Full Size

"Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting."

Here is some more Tech News from around the web:

Tech Talk

 

Source: The Register
No comments posted yet.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote><p><br>
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options

By submitting this form, you accept the Mollom privacy policy.