Wilders Security Forums  

  #1  
April 27th, 2012, 08:25 AM
lotuseclat79
Very Frequent Poster

Join Date: Jun 2005
Posts: 1,958
90% of popular SSL sites vulnerable to exploits, researchers find

90% of popular SSL sites vulnerable to exploits, researchers find.

Quote:
Less than 10 percent of the most popular websites offering Secure Socket Layer protection are hardened against known attacks that could allow hackers to decrypt or tamper with encrypted traffic, researchers said Thursday.

-- Tom
  #2  
April 28th, 2012, 11:54 AM
BrandiCandi

Posts: n/a
Re: 90% of popular SSL sites vulnerable to exploits, researchers find

Quote:
BEAST, short for browser exploit against SSL/TLS, isn't easily eradicated, because patches would make websites incompatible for millions of people using older browsers.

Isn't that interesting?
  #3  
April 28th, 2012, 12:19 PM
Wroll
Frequent Poster

Join Date: Nov 2011
Location: Italy
Posts: 231
Re: 90% of popular SSL sites vulnerable to exploits, researchers find

Nope, just normal business these days.
  #4  
April 28th, 2012, 05:57 PM
Hungry Man
Incredibly Massive Poster

Join Date: May 2011
Posts: 8,519
Re: 90% of popular SSL sites vulnerable to exploits, researchers find

Quote:
Originally Posted by BrandiCandi
Isn't that interesting?

Only the wrong patches. If servers forced TLS standards that aren't supported they would break for browsers that don't support them.
  #5  
April 29th, 2012, 12:16 PM
chronomatic
Very Frequent Poster

Join Date: Apr 2009
Posts: 1,324
Re: 90% of popular SSL sites vulnerable to exploits, researchers find

Quote:
Originally Posted by Hungry Man
Only the wrong patches. If servers forced TLS standards that aren't supported they would break for browsers that don't support them.

I say to hell with all the people out there running IE 6. Either freaking upgrade or get left behind.

Also, I would like to add that some of these researchers who carried out this study are literally the who's who in SSL:

Quote:
SSL Pulse is the brainchild of the Trustworthy Internet Movement, a recently formed group that has chosen SSL as its first project. Members include Ristic; Google Software Engineer Adam Langley; SSL researcher Moxie Marlinspike, whose company was recently acquired by Twitter; Michael Barrett, who is chief information security officer at PayPal; Taher Elgamal, founder and chief identity officer at IdentityMind and a co-creator of the SSL protocol; and Ryan Hurst, chief technology officer at GMO GlobalSign.

Taher Elgamal invented the Elgamal encryption algorithm which is used widely on the Internet. In other words, he is one of the foremost experts in the world on public-key encryption protocols.

Basically, this study confirms what many of us have known for years -- SSL completely and utterly sucks. We need to redesign the system from scratch.

Last edited by chronomatic : April 29th, 2012 at 12:22 PM.
  #6  
April 29th, 2012, 02:10 PM
funkydude
Incredibly Massive Poster

Join Date: Apr 2004
Posts: 6,017
Re: 90% of popular SSL sites vulnerable to exploits, researchers find

Quote:
Originally Posted by chronomatic
I say to hell with all the people out there running IE 6. Either freaking upgrade or get left behind.

IE6? You do realize we are STILL waiting for Firefox and Chrome to implement TLS 1.1 & 1.2, right? Websites won't implement something that all browsers can't use, and by the looks of it, Mozilla and Google won't implement something that websites aren't using. Nice loop.

Not to mention the number of misconfigured servers out there, which is why Microsoft has to turn off TLS 1.1 and 1.2 by default, and also why Google's recent attempt to speed up TLS failed. IE6 really is just a pin in a haystack of issues.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
 


All times are GMT -4.

