Related Posts Plugin for WordPress, Blogger...

Hackers break the SSL encryption used by millions of sites

Posted by VdoCity Tuesday, September 20, 2011




The researchers found that encryption is supposed to protect us while surfing the web is fully exploited by hackers with the know-how.

Thai Duong and Juliano Rizzo plan to demonstrate a proof of concept code which shows that SSL is not as secure as everyone thought they were.

The researchers say their browser exploit against SSL / TLS code, or beast, it will show the world that any of the protocols before TLS 1.1 encryption is vulnerable and can be deciphered fairly easily.

They'll try to decipher an authentication cookie used to log into a PayPal account made, which will reduce the world's faith in one of the founding blocks of Internet security.

Although subsequent protocols such as TLS 1.1 and 1. 2 did not display the same weaknesses, these versions have not yet been implemented in web sites and navigation applications, which means that the most popular Web sites are not protected.

The algorithm was established in the form of a JavaScript that intercepts encrypted cookies by websites transferred during the authentication process.

"BEAST is different from most attacks against HTTPS publication," said Duong.

"While other attacks focus on the ownership of the authenticity of SSL, the beast attacks the confidentiality of the protocol. For all we know, the beast implements the first attack that actually decrypts HTTPS requests."

What until now has been considered more of a theoretical weakness has become a real thing that puts us all in danger. BEAST is supposed to decrypt the authentication cookie used to access a PayPal account in 10 minutes, which is much lower than anyone would expect.

Why not web site developers and browser to do something about it, mainly because TLS 1.1 is available since 2006?

In order to efficiently update all security protocols, the process should be done by all the key players at a time, otherwise every time you try a solution incompatibilities that prevent applications based on the old system work.

Of all the browsers available today, the only opera implements TLS 1.2 by default, while Internet Explorer technology is there, but lies dormant, waiting to be activated manually.

Google Chrome and Mozilla Firefox seem to be the last in this race, because they seem to be waiting for each other to start the run.

0 comments

Post a Comment