Jump to content

Hackers Break Ssl Encryption


CanadianTaco
 Share

Recommended Posts

Article I found via lifehacker. Makes for an interesting read:

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

tl;dr/first paragraph:

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.
Edited by CanadianTaco
Link to comment
Share on other sites

"Although TLS 1.1 has been available since 2006 and isn't susceptible to BEAST's chosen plaintext attack, virtually all SSL connections rely on the vulnerable TLS 1.0, according to a recent research from security firm Qualys that analyzed the SSL offerings of the top 1 million internet addresses."

So by using the latest version of the TLS protocol Beast won't be a threat, since it only works with TLS version 1.0. When will organizations learn to keep their IT security up to date.

Edited by Infiltrator
Link to comment
Share on other sites

something like 99% of the web still sues and doesn't enforce TLS 1.2 and later. Also, many browsers implement the later versions today, so they can't say its a market issue. Browsers are ready, its the corporations who don't want to shell out money for new certificate chains, since I imagine it would require new certs as well.

Link to comment
Share on other sites

something like 99% of the web still sues and doesn't enforce TLS 1.2 and later. Also, many browsers implement the later versions today, so they can't say its a market issue. Browsers are ready, its the corporations who don't want to shell out money for new certificate chains, since I imagine it would require new certs as well.

It always comes down to money and its one of the reasons why many companies and organizations fall behind in the IT security, they don't want to invest or spend money.

Link to comment
Share on other sites

something like 99% of the web still sues and doesn't enforce TLS 1.2 and later. Also, many browsers implement the later versions today, so they can't say its a market issue. Browsers are ready, its the corporations who don't want to shell out money for new certificate chains, since I imagine it would require new certs as well.

From skimming the RFC's I don't think new certificates would be needed as TLS 1.2 requires a X.509v3 certificate just like TLS 1.0 (So if they are doing TLS 1.0 their certificate will most likely be suitable for TLS 1.2).

The big limiting factor is that openSSL doesn't support TLS 1.1 or TLS 1.2 yet. You can get support for apache for TLS 1.2 thorough gnutls but for most sysadmins that is a lot of work. The good news is that I now expect openSSL to support TLS 1.2 in the not to distant future.

Link to comment
Share on other sites

Eh, ssl has been vulnerable for years.

You can create a firesheep script (or use ferret) as well as sslstrip and easily jack session cookies from paypal.

I've done it several times as a POC.

HTTPS wasn't directly vulnerable, just the entire infrastructure around it. They just exploited the fact that most communications don't use HTTPS and so you can manipulate them easily and avoid any links into HTTPS and steal cookies/sessionIds from the http stream.

The new attack retrieves plain text from the TLS1.0 cipher stream. Of course we haven't seen the new attack yet, but is reported to require some JavaScript to be run on the client browser as well as a packet sniff intercepting the traffic. The reports I have seen differ between mentioning a 30 minute and a 10 minute processing time to retrieve enough plain text to expose the cookies.

Link to comment
Share on other sites

This requires for hackers to be on the same network that the people they want to attack right?

Not necessarily, but that can also be done with Trojan horses or viruses by infecting the system.

Edited by Infiltrator
Link to comment
Share on other sites

  • 2 weeks later...

Not necessarily, but that can also be done with Trojan horses or viruses by infecting the system.

another idea (even more dangerous i think), is someone in control of network/internet infrastructure doing this. oppressive governments for example.

Link to comment
Share on other sites

another idea (even more dangerous i think), is someone in control of network/internet infrastructure doing this. oppressive governments for example.

one word. diginotar.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...