Hackers break SSL encryption used by millions of sites

Discussion in 'other security issues & news' started by tlu, Sep 20, 2011.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    IE (along with Opera) has supported TLS 1.1 and 1.2 for a LONG time. But there must be good reasoning we haven't moved on? 1.1 was in 2006 and 1.2 in 2008, are we going to see a mass exodus of 1.0 to 1.2 now? Despite whatever reason that prevented it going mainstream in the first place?
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I was just coming to post about this.

    @Funky, all modern browsers support them. It's a matter of the website supporting them. Plenty of websites don't even support https at all, they just don't bother to update because users don't care.

    EDIT: Chrome may not support TLS 1.1 and above. Checking...
     
    Last edited: Sep 20, 2011
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi:

    In my IE9 it shows

    1.0
    1.1
    1.2

    Only 1.0 was ticked!

    What "should" I do tick them all, untick them all:rolleyes: , tick only 1.2?

    This stuff is NOT my area of knowledge so I make no apology for the stupidity of the question!;)
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Tick them all. Unticking 1.0 would just disable it entirely if the site only supports 1.0.

    1.0 is better than nothing.
     
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    There's a reason they are unticked; I don't think they work properly when all are enabled.

    @Hungry

    Incorrect, Chrome and Firefox are 2 I know do not support them, possibly even Safari. Currently IE and Opera are the 2 that do.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yep, found bug reports for both indicating that.
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    More info as to why TLS 1.1 and TLS 1.2 are disabled by default in IE:

    http://blogs.msdn.com/b/ieinternals...https-servers-impair-tls-1.1-and-tls-1.2.aspx

    From my perspective it looks completely safe for the average Wilders member to enable TLS 1.1 and 1.2 in IE. However if you try to access an https website and it doesn't work, you know why. I don't recommend turning this on for standard users (non-Wilders readers).

    I'll enable them and see how it turns out.

    EDIT: It seems all the secure websites I browse, including my bank and PayPal, load fine. Please note that doesn't mean those servers support TLS 1.1 or 1.2; it's possible NONE of them support it. But the important thing is, they all load.
     
    Last edited: Sep 20, 2011
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Can't you check? I know with Chrome you just click the lock and it says if it's running on TLS x
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I've ticked them all will report later.


    Okay, the https bank site works with TLSx where x=1.0,1.1,1.2
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    I'd have no idea how to do that in IE, if it's even possible. Maybe someone else knows. Seems a bit redundant in Chrome considering it only supports the 1.0, heh, so I can't use Chrome as a tool to check what versions a server supports.
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    I searched around and found this website for testing SSL security on servers:
    https://www.ssllabs.com/ssldb/index.html

    Testing on wilderssecurity.com shows it only supports 1.0, and doesn't support 1.1 or 1.2

    Going to go through some sites and test them, seems like a very useful tool.

    edit: None of the important sites I browse support it (Bank, PayPal), which goes to show, unfortunately, there's not much left that we can do about it. After enabling 1.1 and 1.2 it's simply out of our hands.
     
    Last edited: Sep 20, 2011
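The check the SSL Labs page performs, reduced to its core, as an added example that is not from the thread and not the SSL Labs tool itself: send a ClientHello whose client_version is exactly the version under test and read the ServerHello (or alert) to see what the server actually chose. The record and handshake encodings follow RFC 2246/4346/5246 directly, so the answer does not depend on what the local TLS library is willing to negotiate; a server that answers a TLS 1.2 hello with server_version 0x0301 is the case the posts above describe (the site loads, but over TLS 1.0). The cipher-suite list, host names and the constructed ServerHello used for the offline self-check are assumptions; TLS 1.3 cannot be selected because no supported_versions extension is offered, and a current server will often answer the TLS 1.0 hello with a protocol_version alert.

```python
import os
import socket
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Suites to offer: old enough for a 2011-era server, current enough for a modern one (assumed list).
CIPHER_SUITES = [0x002F, 0x0035, 0x003C, 0x009C, 0xC013, 0xC014, 0xC02F, 0xC030]
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def _ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(version, server_name=None):
    """ClientHello whose client_version is exactly `version` (RFC 5246 section 7.4.1.2).
    The record-layer version stays 0x0301: some servers reject anything higher there,
    which is the version intolerance the IE blog post linked above is about."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"   # client_version, random, empty session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                             # one compression method: null
    exts = b""
    if server_name:
        host = server_name.encode()
        names = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name
        exts += _ext(0, struct.pack("!H", len(names)) + names)      # server_name (SNI)
    groups = b"\x00\x17\x00\x1d"                                    # secp256r1, x25519 for the ECDHE suites
    exts += _ext(10, struct.pack("!H", len(groups)) + groups)      # supported_groups
    if version >= 0x0303:
        algs = b"\x04\x01\x05\x01\x02\x01\x04\x03"                  # rsa sha256/sha384/sha1, ecdsa sha256
        exts += _ext(13, struct.pack("!H", len(algs)) + algs)      # signature_algorithms (TLS 1.2 only)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello + 24-bit length
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_server_response(record):
    """First record from the server: ('server_hello', version, cipher_suite) or ('alert', description)."""
    rtype, _rver, rlen = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + rlen]
    if rtype == 0x15:
        return ("alert", payload[1] if len(payload) >= 2 else None)
    if rtype != 0x16 or payload[0] != 0x02:
        raise ValueError("expected a ServerHello, got record type %#x" % rtype)
    version = struct.unpack("!H", payload[4:6])[0]      # after HandshakeType(1) + length(3)
    sid_len = payload[38]                                # after the 32-byte server random
    suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
    return ("server_hello", version, suite)


def build_server_hello(version, suite, session_id=b""):
    """Constructed reply used only for the offline self-check; a real ServerHello also carries extensions."""
    body = struct.pack("!H", version) + os.urandom(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def _read_record(sock):
    """Read exactly one TLS record (5-byte header plus the length it announces)."""
    data = b""
    while len(data) < 5:
        chunk = sock.recv(5 - len(data))
        if not chunk:
            raise ValueError("connection closed before a record arrived")
        data += chunk
    need = 5 + struct.unpack("!H", data[3:5])[0]
    while len(data) < need:
        chunk = sock.recv(need - len(data))
        if not chunk:
            raise ValueError("connection closed mid-record")
        data += chunk
    return data


def probe(host, port=443, timeout=5):
    """Network probe, one connection per offered version; not exercised by the offline check."""
    results = {}
    for version, name in TLS_VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version, host))
                reply = parse_server_response(_read_record(sock))
        except (OSError, ValueError) as exc:
            reply = ("error", str(exc))
        if reply[0] == "server_hello":
            reply = ("server_hello", TLS_VERSIONS.get(reply[1], "%#06x" % reply[1]), "%#06x" % reply[2])
        elif reply[0] == "alert":
            reply = ("alert", ALERT_NAMES.get(reply[1], reply[1]))
        results[name] = reply
    return results


if __name__ == "__main__":
    import sys
    for offered, outcome in probe(sys.argv[1] if len(sys.argv) > 1 else "example.com").items():
        print("offered %s -> %s" % (offered, outcome))
```

Read the output per offered version: a server_hello carrying the same version means the server supports it; a server_hello carrying a lower version means the server silently negotiated down (the "it loads, but it's still 1.0" case); an alert or a dropped connection means the server either does not support that version or cannot cope with the hello at all, which is the intolerance that kept TLS 1.1/1.2 off by default in IE.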
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833

    @ funkydude

    Thanks for the https://www.ssllabs.com/ssldb/index.html link :thumb:

    HTTPS hotmail got 88 https://www.ssllabs.com/ssldb/analyze.html?d=https://login.live.com/login.srf? Other ordinary sites got 97/98 ?

    Oops :p


    But hey, it's not our bank etc is it ;)
     
  15. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Looks like it.

    This is what my Chrome 14 stable has: [screenshot]
     
  16. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    From the Register link

    So how is the javascript slipped in?
     
  17. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Testing for SSL/TLS - OWASP.org
     
  18. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    One https site had this comment when I fed it into the link above:
    This server is vulnerable to MITM attacks because it supports renegotiation (more info here).
     
  19. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    No idea what that means, seen it on a few sites, I don't think it ACTUALLY allows MITM. o_O

    Ignore the scores, for example wilders scores 0 for self-signing. Just concentrate on what the servers support. :)
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yep, I get a warning every time I visit wilders because of that.
     
  21. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    +1
    Wouldn't that be like an evil extension, modified profile, activeX or would it be code on a web page?
     
    Last edited: Sep 20, 2011
  22. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    So maybe one of the Wilders admins can explain to us why Wilders doesn't support 1.1/1.2 and the complications/difficulties/reasoning behind doing so.
     
  23. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Here is a description of the attack and how it works:

    http://news.ycombinator.com/item?id=3015498
     
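The mechanism behind the attack the linked description covers, as an added example that is not part of the thread or of the linked article: TLS 1.0 chains CBC records, so the IV for the next record is the last ciphertext block of the previous one, and an attacker who can watch the wire and make the victim encrypt a chosen block in the next record gets a blockwise chosen-plaintext oracle. Aligning one unknown byte at the end of a block (the chosen-boundary trick) reduces each byte to at most 256 oracle queries. TLS 1.1 (RFC 4346) replaced the chained IV with a fresh explicit IV per record, and the same code shows the attack failing against that. Everything here is constructed: the "cookie", the key, and a keyed PRF (HMAC-SHA256 truncated to one block) standing in for AES encryption of a single block; the attack never needs decryption and the flaw is in the chaining, not the cipher. MAC and padding are omitted.

```python
import hashlib
import hmac
import os

BLOCK = 16
SECRET = b"SESSION=7f3a9c1e"   # constructed 16-byte cookie; the attacker must not read this directly


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class CbcRecordLayer:
    """Sender side of a CBC record layer.  chained=True behaves like TLS 1.0
    (IV of the next record = last ciphertext block of this one); chained=False
    behaves like TLS 1.1+ (fresh random explicit IV per record).  The block
    'cipher' is a keyed PRF stand-in for AES encryption of one block."""

    def __init__(self, key, chained):
        self.key = key
        self.chained = chained
        self.prev = os.urandom(BLOCK)          # TLS 1.0 derives the first IV from the key block

    def _encrypt_block(self, block):
        return hmac.new(self.key, block, hashlib.sha256).digest()[:BLOCK]

    def encrypt_record(self, plaintext):
        """Ciphertext as seen on the wire (whole blocks only; MAC and padding omitted)."""
        assert len(plaintext) % BLOCK == 0
        chain = self.prev if self.chained else os.urandom(BLOCK)
        out = []
        for i in range(0, len(plaintext), BLOCK):
            chain = self._encrypt_block(xor(plaintext[i:i + BLOCK], chain))
            out.append(chain)
        self.prev = chain
        return b"".join(out)


class Victim:
    """The victim's browser on one TLS connection.  The attacker can make it
    (1) send a request with an attacker-chosen prefix ahead of the secret
    cookie, and (2) send a one-block record of fully chosen bytes; the second
    capability is what the injected script/plugin code provided in BEAST."""

    def __init__(self, chained):
        self.layer = CbcRecordLayer(os.urandom(32), chained)

    def send_request(self, prefix):
        body = prefix + SECRET
        body += b"\x00" * (-len(body) % BLOCK)  # padding stand-in
        return self.layer.encrypt_record(body)

    def send_chosen_block(self, block):
        return self.layer.encrypt_record(block)


def recover_secret(victim, secret_len=len(SECRET)):
    """Byte-at-a-time blockwise chosen-plaintext attack against chained IVs.
    Stops at the first byte for which no guess matches, which is what happens
    when IVs are unpredictable, so the return value doubles as the verdict."""
    known = b""
    last = victim.send_request(b"")[-BLOCK:]    # warm-up: observe the IV the next record will use
    for i in range(secret_len):
        p = (BLOCK - 1 - i) % BLOCK              # prefix length that puts secret[i] last in its block
        prefix = b"A" * p
        ct = victim.send_request(prefix)
        blocks = [last] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
        last = ct[-BLOCK:]
        k = (p + i) // BLOCK                     # index of the target plaintext block
        c_prev, c_target = blocks[k], blocks[k + 1]
        known15 = (prefix + known)[-(BLOCK - 1):]   # the 15 bytes of that block the attacker already knows
        for g in range(256):
            # The layer computes E(chosen ^ last) = E((known15||g) ^ c_prev),
            # which equals c_target exactly when g == secret[i].
            chosen = xor(xor(known15 + bytes([g]), c_prev), last)
            last = victim.send_chosen_block(chosen)
            if last == c_target:
                known += bytes([g])
                break
        else:
            break
    return known


def run_demo(chained):
    return recover_secret(Victim(chained))


if __name__ == "__main__":
    print("TLS 1.0-style chained IV :", run_demo(True))
    print("TLS 1.1-style random IV  :", run_demo(False))
```

Against the chained layer the full cookie comes back in at most 16 x 256 oracle queries; against per-record random IVs the attacker cannot predict the value that will be XORed into the chosen block, so the first byte already fails to match and the attack returns nothing. That per-record IV is the whole reason TLS 1.1 and 1.2 are the fix the thread is asking about, and it is also why the client-side "tick 1.1 and 1.2" advice only helps once the server negotiates them.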
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Looks like I'm safe.
     
  25. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    LOL!!
     