Hackers break SSL encryption used by millions of sites

[Jack]

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.

(Read more)

 

[Hungry Man]

Yep. Chrome and Firefox don't support TLS 1.1+ and it's off by default in every other browser I believe.

Just don't use a public network... that's the best defense.

 

[Valentin N]

Yep. Chrome and Firefox don't support TLS 1.1+ and it's off by default in every other browser I believe.

Just don't use a public network... that's the best defense.

Comodo Trust Connect which is for free, will solve the public network problem in case some necessarily needs the internet. A good firewall will also give additional protection.

 

[Deleted member 178]

Comodo Trust Connect which is for free,

still the same amount of free data? if yes it is not enough for me, they should extend it.

 

[jamescv7]

Agree as firewall will give you protection against hackers trying to intrude from the user's computer.

 

[Valentin N]

Comodo Trust Connect which is for free,

still the same amount of free data? if yes it is not enough for me, they should extend it.

It's still the same (10GB/month). If you have partner or parents ask them to make one and then you have 20-40GB/month as max for a year.

 

[Hungry Man]

A fix is out for Chrome. It does not enable support for 1.1+ but instead makes 1.0 stronger. In my opinion this is a FAR better solution because most websites do not use 1.1+.

That said, they should really get on 1.1+.

 

[Deleted member 178]

It's still the same (10GB/month). If you have partner or parents ask them to make one and then you have 20-40GB/month as max for a year.

thanks for the info, will do it for my Girlfriend too hahaha

 

[Valentin N]

It's still the same (10GB/month). If you have partner or parents ask them to make one and then you have 20-40GB/month as max for a year.

thanks for the info, will do it for my Girlfriend too hahaha

no problem I don't know how it is after a year, so you need to see what happens after a year. The server are not loaded so you'll have no lags or so