Democratic Underground Latest Greatest Lobby Journals Search Options Help Login
Google

Hackers break SSL encryption used by millions of sites

Printer-friendly format Printer-friendly format
Printer-friendly format Email this thread to a friend
Printer-friendly format Bookmark this thread
This topic is archived.
Home » Discuss » General Discussion Donate to DU
 
Vehl Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Sep-20-11 11:39 AM
Original message
Hackers break SSL encryption used by millions of sites
Edited on Tue Sep-20-11 11:43 AM by Vehl

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.



http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/


This is huge guys...pretty much affects Millions of sites which use this tech daily..in fact these sites depend on it. Even though versions 1.1 and 1.2 are immune, its going to take a while to upgrade all the ones running the old versions to the new ones.

It just goes on to show that digital security , even though theoretically safe (in certain instances) is not without loopholes when implemented.




Printer Friendly | Permalink |  | Top
sam11111 Donating Member (638 posts) Send PM | Profile | Ignore Tue Sep-20-11 12:08 PM
Response to Original message
1. Gmail? transactions using it? people move money via Gmail?
Edited on Tue Sep-20-11 12:21 PM by sam11111
I wonder how

Also haven't all heard "email is not secure" for years now?

Aside: any nations put highly expensive titanic bigbrain - Oxford dept of computer science- designed. security suites on the main Backbones?

Not just the cheapo suites we can put on home PC's?

Esp is any Backbone approach done by LW nations not beholden to profitguided models of the net?
Printer Friendly | Permalink |  | Top
 
DU AdBot (1000+ posts) Click to send private message to this author Click to view 
this author's profile Click to add 
this author to your buddy list Click to add 
this author to your Ignore list Fri Dec 27th 2024, 04:17 AM
Response to Original message
Advertisements [?]
 Top

Home » Discuss » General Discussion Donate to DU

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators


Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

Home  |  Discussion Forums  |  Journals |  Store  |  Donate

About DU  |  Contact Us  |  Privacy Policy

Got a message for Democratic Underground? Click here to send us a message.

© 2001 - 2011 Democratic Underground, LLC