Hackers break SSL encryption used by millions of sites

@ Searching_ _ _

Thanks for the http://news.ycombinator.com/item?id=3015498 link

*

Wonder if this will help, Any ?

Some good info here

 

Thai Duong's Tweet for those interested in getting hold of the P.o.C.

 

Some background info etc

 

Nope you not, its coming to an ISP near you....LOL

 

and

From: http://www.h-online.com/security/news/item/Tool-cracks-SSL-cookies-in-just-ten-minutes-1346387.html

I get the feeling that quite a few things have to converge for this to work. Experts?

 

Not to say I'm an expert but...

injecting javascript is easy if you have control over any part of the connection ie: host or router. Assuming taht you're trying to attack them with beast we can safely say you're already in control of some part, such as being on a public connection

And sending data from the browser to the remote site? All tehy have to do is click a link or visit the site they intend to go to! Not hard.

 

One more thing seems to be the time required. If sites involving monetary transactions were lighter, we could get in and out faster.
Instead, even such sites are subject to creativity

 

In this thread Giorgio Maone, the Noscript developer, says that he knows the details of the attack but he can't reveal them yet.

Nevertheless he adds:

That's good news since that means that Noscript is able to protect gainst this attack unless you've whitelisted the attacker's site.

 

Attacker's site?

 

I don't see why they need to be in control of something like your ISP. If it's a public network they should be able to change or add javascript. Most javascript on websites is not encrypted, even on HTTPS.

 

Doing bank transactions quickly isn't the best defense. Once this is optimized for Cuda it'll be nearly instant. The best defense is to force websites to update.

 

I never implied it's the best defense.

 

By "best defense" I actually mean "a (useful) defense at all."

 

That's your opinion and you're welcome to it

 

New JavaScript hacking tool can intercept PayPal, other secure sessions.

-- Tom

 

Google preps Chrome fix to slay SSL-attacking BEAST

 

I'm on the dev build so I guess I'm already protected haha

 

I'm sitting here looking at this thread and wondering is this all real?

IOW does the average joe out there who knows sqaut about security (no not all you guys and gals) really need to worry?

My guess is the answer is no, not if he has a reasonable set of tools in place put there no doubt by MR Geek (me) changes his psw'd and gets on with life.

Security has a way of eating up your life if you let it.

Go ahead and fire away! ( Im hiding behind a router hard wired)

 

Nope, I'm not too worried about this at all.

 

From tlu's link: http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/

No Firefox fix...

 

Well, in the thread mentioned in post #33 Giorgio mentions a "still embargoed security-sensitive bug report". So it seems that there is something in the making for FF.

 

After some more research it appears that OpenSSL (I believe is currently the most commonly used crypto library) will support TLS 1.1 and 1.2 in its upcoming version OpenSSL 1.0.1, hopefully it will be adopted fast.

Also after reading this page, it appears that TLS is actually meant to replace SSL3.

With that in mind I have disabled SSL3, all the secure websites I browse work fine as they support (the superior) TLS 1.0

 

I like this Chrome fix. Supporting 1.1 and 1.2 will be nice when it comes but it's useless for now since no websites ever use those (except government sites and a few odd others.)

 

I'm afraid that's not correct. From what I've read TLS 1.0 is actually a precondition that this attack works. Only version 1.1. and above are not attackable. The problem is that nearly all https connection are done via TLS 1.0 as only the development version 1.0.1 of OpenSSL supports TLS 1.1. Unfortunately, this version isn't used by most servers yet.

 

What? There's nothing incorrect or correct about it. I wasn't stating a fact, I was stating an action that I had taken. Did I state that this action prevents this exploit? No. The rest of your comment is repeating what I've already said.