Hackers break SSL encryption used by millions of sites

Gamingphreek

As of right now, only Opera 10 and Internet Explorer 8 and above support TLS 1.1 and 1.2.

Firefox and Chrome support 1.0.

Safari (Apple's security is pitiful) simply says it supports TLS... doesn't say which version.
 

dawks

Should be noted this is a "man-in-the-middle" attack. Thus a hacker would need control of some portion of the network between you and the server you're connecting to. Pretty rare occurrence.
 

MtnMan

> Should be noted this is a "man-in-the-middle" attack. Thus a hacker would need control of some portion of the network between you and the server you're connecting to. Pretty rare occurrence.

:thumbsup: And they have to be in the right place at the right time, making their chances small.

Additionally XP does not provide support for TLS 1.1
Many websites do not yet support TLS 1.1

If there is a caution in this........... stay off wireless connections you don't trust.
 

General Kenobi

Yeah, you'll be safe as long as you retain full control of your home network.
 

Gamingphreek

> :thumbsup: And they have to be in the right place at the right time, making their chances small.
>
> Additionally XP does not provide support for TLS 1.1
> Many websites do not yet support TLS 1.1
>
> If there is a caution in this........... stay off wireless connections you don't trust.

The OS does not determine whether SSL is supported.

Additionally you don't necessarily need control over a portion of the network. You can intercept the packets and relay them on towards the destination.

-Kevin
 

MtnMan

W7
W20110929-PW-X7-TLS.jpg



XP
W20110929-PW-XP-TLS.jpg


:whiste:
 

Gamingphreek

Those settings only govern Internet Explorer and are listed there because Internet Explorer is integrated into the Windows Shell. The OS has no idea about SSL/TLS.
 

Fox5

> Should be noted this is a "man-in-the-middle" attack. Thus a hacker would need control of some portion of the network between you and the server you're connecting to. Pretty rare occurrence.

Unless it's your government, ISP, or employer trying to spy on you. China also demonstrated the ability to hijack network traffic about a year or two ago.
Of course, if the group you rely on for your Internet connection is trying to MITM you, there really isn't much you can do. In theory, you could set up an IPSec connection between yourself and the destination, but it's not like you can do that with Amazon or whomever you want.

TLS1.0 has been known to be insecure for (at least) nearly 2 years. A lot of Linux vendors started turning it off in their distros once it was provably exploitable.
 

Wangstang

While traveling last week, I noticed several wireless network connections were available in my hotel. I couldn't help but think that a setting like a hotel would be a target-rich environment for hackers exploiting this vulnerability. With so many naive-to-internet-security folks in the US who do online financial transactions/look at bank info on various electronic devices, I can see them just clicking the "connect to available wireless network" option without thinking even once about the risk involved.

Wes
 

WildHorse

SSL is easily cracked, so HTTPS ought not be relied upon for any measure of security. Finding these "how-to's" mostly ON YOUTUBE took me only a few seconds, practically without even trying, and I didn't even search Google, which MAKES THE POINT: ANYBODY CAN DO IT, the "how to" is all over YouTube, SO DO NOT TRUST HTTPS for any real security:

Cracking SSH Logins
Ssl And The Future Of Authenticity (Blackhat 2011)
SSL vs. The Universe | Cracking an SSL Certificate
Hack Tutorial: Sniffing SSL Passwords
Download hacking tools All In One pack with full instruction
SSL Hacking
Hacking and decrypting SSL
How to: Snifff SSL / HTTPS (sslstrip)
Sniffing https with ettercap
Cracking A Simple Crackme

(p.s. How To Hack Into Someones Webcam Updated Instructions) [so maybe put tape over the camera staring at you on your laptop?]
 

Gamingphreek

You are vastly oversimplifying the process. A bunch of Youtube videos doesn't mean it is easy...

-GP