Hackers break SSL encryption used by millions of sites

Discussion in 'other security issues & news' started by tlu, Sep 20, 2011.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    Okay, I misinterpreted what you said. So we agree - good :thumb:
     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
So you also think that TLS 1.0 (despite its current flaws) is superior to SSL 3.0 and therefore isn't needed? (That was my point in the first place, this thread just seemed a good place to broadcast it).
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I thought the Internet is evolving rapidly, but apparently not evenly.
     
  4. tlu

    tlu Guest

    TLS 1.0 has some benefits but they are not really relevant, IMHO. See this site which explains the differences and says:

     
  5. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Thanks for the link, although there's no benefit to security, this quote:

    Seems to suggest that I'm ok with having SSL disabled and TLS enabled, that's good. :)
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    As they say in the article
    Something I've definitely highlighted before. If someone is on your network there are wayyyyy easier ways to mess with them. You can just use SSL stripper to force them to HTTP and inject whatever you like into their messages.
     
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Tor and the BEAST SSL attack.

    -- Tom
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  10. axial

    axial Registered Member

    Joined:
    Jun 27, 2007
    Posts:
    479
    That didn't take long, my service provider firewall blocked a nefarious spam (or worse) yesterday, saying that

    complete with links that are presumably to a drive-by attack site.
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    An actual drive-by that works?
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
I think they all work; it's just a matter of having the right (outdated) software on your computer.
     
  13. axial

    axial Registered Member

    Joined:
    Jun 27, 2007
    Posts:
    479
Sorry, I don't know if it works; I'm just "in awe" of the folks here who actually test this stuff.

    I will post a screenshot of the msg in a second reply, if anybody is interested in checking.
     
  14. axial

    axial Registered Member

    Joined:
    Jun 27, 2007
    Posts:
    479
Screenshot attachment of the "SSL trickery" e-mail referred to in #60 above.

Please note: I have not tested the link shown, so please be cautious.
     


  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Microsoft releases Security Advisory 2588513:
     
  16. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
  17. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
  18. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Sounds like all the tool does is enable the TLS 1.1 feature in IE. This raises a few questions:

    Why not also enable 1.2?
    Will IE10 change to enable 1.1 (and 1.2) by default?
    Will there be a patch via Windows Update to enable it for IE8/9?
    What about XP users, since XP doesn't have support for 1.1 or 1.2? (I know this is yet another reason to ditch XP, but this isn't an entire browser so implementing it may be possible)
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I believe Chrome is already immune now, though it may have been resistant before. The dev release about a week ago addressed BEAST and it changes how TLS 1.0 works, which is a lot better than just adding 1.1 or 1.2 support considering that websites don't use those. Still, long-run I'd like to see support for those.
     
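The post above refers to Chrome changing "how TLS 1.0 works" rather than adding TLS 1.1. What that means in practice is the IV handling of CBC records: TLS 1.0 chains the IV of each record from the last ciphertext block of the previous record (so a passive observer can predict it), TLS 1.1 sends a fresh explicit IV with every record, and the browser-side workaround splits each write into a 1-byte record followed by the rest so that the IV masking the bulk data is not known when the plaintext is committed. The following is an added illustration written for this thread, not code from Chrome, Mozilla or any TLS library. It assumes a toy 8-byte Feistel block cipher built on SHA-256 (an assumption for offline use, not a real cipher suite), PKCS#7-style padding, and the made-up mode names `tls10`, `tls10_split` and `tls11`; the sample plaintexts are constructed.

```python
"""Toy CBC record layer: chained IVs (TLS 1.0) vs 1/n-1 split vs explicit IVs (TLS 1.1).

Assumption: the block cipher is a 4-round Feistel network keyed with SHA-256,
8-byte blocks. It exists only so this example runs offline; it is NOT a real
TLS cipher suite and must not be used for anything else.
"""
import hashlib
import os

BLOCK = 8  # toy block size in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Round function: keyed hash of the right half, truncated to a half block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(data: bytes) -> bytes:
    k = BLOCK - len(data) % BLOCK
    return data + bytes([k]) * k


def unpad(data: bytes) -> bytes:
    return data[: -data[-1]]


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i : i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i : i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


class CbcConnection:
    """One direction of a toy record layer; `mode` selects the IV strategy."""

    def __init__(self, key: bytes, mode: str):
        self.key, self.mode = key, mode
        self.iv0 = os.urandom(BLOCK)  # initial IV from the (toy) handshake
        self.chain = self.iv0         # TLS 1.0 chaining state
        self.records = []             # what an observer on the wire sees

    def _send_raw(self, plaintext: bytes) -> bytes:
        """Encrypt one record; return the IV that was used for it."""
        if self.mode == "tls11":
            iv = os.urandom(BLOCK)  # explicit, fresh IV per record
            self.records.append(iv + cbc_encrypt(self.key, iv, pad(plaintext)))
            return iv
        iv = self.chain             # TLS 1.0: IV = last ciphertext block sent
        body = cbc_encrypt(self.key, iv, pad(plaintext))
        self.records.append(body)
        self.chain = body[-BLOCK:]
        return iv

    def send(self, plaintext: bytes) -> bytes:
        """Write application data; return the IV used for the bulk of it."""
        if self.mode == "tls10_split":
            self._send_raw(plaintext[:1])      # 1-byte record first
            return self._send_raw(plaintext[1:])  # then the remaining n-1 bytes
        return self._send_raw(plaintext)

    def decrypt_all(self) -> bytes:
        """Receiver side: replay the records and recover the plaintext stream."""
        out, prev = [], self.iv0
        for rec in self.records:
            if self.mode == "tls11":
                prev, rec = rec[:BLOCK], rec[BLOCK:]
            out.append(unpad(cbc_decrypt(self.key, prev, rec)))
            prev = rec[-BLOCK:]
        return b"".join(out)


def observer_predict_next_iv(conn: CbcConnection):
    """What a passive observer can say about the IV of the NEXT record."""
    if conn.mode == "tls11" or not conn.records:
        return None  # fresh random IV, or handshake-derived IV not on the wire
    return conn.records[-1][-BLOCK:]  # chained IV is the last block on the wire


def demo(mode: str, key: bytes = b"constructed-key!"):
    """Returns (observer's prediction, IV actually used for the next write, plaintext)."""
    conn = CbcConnection(key, mode)
    conn.send(b"GET /a HTTP/1.1\r\nCookie: session=constructed\r\n\r\n")  # earlier traffic
    predicted = observer_predict_next_iv(conn)
    actual = conn.send(b"GET /b HTTP/1.1\r\nCookie: session=constructed\r\n\r\n")
    return predicted, actual, conn.decrypt_all()


if __name__ == "__main__":
    for m in ("tls10", "tls10_split", "tls11"):
        p, a, _ = demo(m)
        print(f"{m:12s} observer predicted next IV correctly: {p == a}")
```

In `tls10` mode the observer's prediction matches the IV that masks the next write, which is the property BEAST builds on; in `tls10_split` the bulk record's IV is the ciphertext of the 1-byte record, which does not exist yet when the application commits its data, so the prediction fails; in `tls11` the IV is random and nothing on the wire predicts it. `decrypt_all` confirms the receiver still recovers the same byte stream in all three modes, which is why the split could ship without changing peers.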
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Attack against TLS-protected communications:
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Can anyone verify the above news?
    Okay, I get it now. One of the reasons I'm using it again.
     
    Last edited: Sep 28, 2011
  22. tlu

    tlu Guest

    No, according to the Mozilla Security Blog Firefox is not vulnerable. Giorgio Maone writes in his forum that the specific websocket implementation in Firefox was found not to be exploitable.

    EDIT: Sorry, already posted by MrBrian.
     
  23. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Okay! That's good to know:
    from the blog.
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Installing Java for people that need it for their everyday use then reading that just fills me with warmth and faith.
     
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    WORKAROUND From MS:
    https://technet.microsoft.com/en-us/security/advisory/2588513

     