HACKERS BREAK SSL ENCRYPTION USED BY MILLIONS OF SITES
======================================================
Beware of BEAST decrypting secret PayPal cookies
By Dan Goodin in San Francisco
Posted in ID, 19th September 2011 21:10 GMT
Researchers have discovered a serious weakness in virtually all websites
protected by the secure sockets layer protocol that allows attackers to
silently decrypt data that's passing between a webserver and an end-user
browser.
The vulnerability resides in versions 1.0 and earlier of TLS, or
transport layer security, the successor to the secure sockets layer
technology that serves as the internet's foundation of trust. Although
versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost
entirely unsupported in browsers and websites alike, making encrypted
transactions on PayPal, GMail, and just about every other website
vulnerable to eavesdropping by hackers who are able to control the
connection between the end user and the website he's visiting.
At the Ekoparty security conference in Buenos Aires later this week,
researchers Thai Duong and Juliano Rizzo plan to demonstrate
proof-of-concept code called BEAST, which is short for Browser Exploit
Against SSL/TLS. The stealthy piece of JavaScript works with a network
sniffer to decrypt encrypted cookies a targeted website uses to grant
access to restricted user accounts. The exploit works even against sites
that use HSTS, or HTTP Strict Transport Security, which prevents certain
pages from loading unless they're protected by SSL.
The demo will decrypt an authentication cookie used to access a PayPal
account, Duong said. Two days after this article was first published,
Google released a developer version of its Chrome browser designed to
thwart the attack.
...
Full article (Mozilla stuff on p. 2):
<http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/>
--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher
_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
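
Added example (not from the article and not Duong and Rizzo's BEAST code): a self-contained Python model of the TLS 1.0 CBC weakness the article refers to. In TLS 1.0 and SSL 3.0 the IV for each record is the last ciphertext block of the previous record, so an attacker who sniffs the connection knows the IV before the victim's browser encrypts its next request. Combined with script that makes the browser send attacker-chosen bytes in front of the cookie, that turns every CBC block into an equality oracle, and the cookie can be recovered one byte at a time. TLS 1.1 and 1.2 send a fresh random IV with every record, which is why the article says they are not susceptible. Everything below is constructed for the example: the block cipher is an assumed toy Feistel construction standing in for AES, and the classes CbcRecordSender and VictimBrowser, the function beast_recover and the cookie value "session=7f3a9c1e" are invented names and data.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, as with AES-CBC in TLS


def xor(*parts: bytes) -> bytes:
    out = bytearray(parts[0])
    for p in parts[1:]:
        out = bytearray(a ^ b for a, b in zip(out, p))
    return bytes(out)


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES (assumed toy cipher): 4-round Feistel network with an
    # HMAC-SHA256 round function. CBC only needs a keyed bijection, and the
    # attack never looks inside the cipher.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class CbcRecordSender:
    # Victim's record layer. TLS 1.0 chains IVs (next IV = last ciphertext
    # block); TLS 1.1+ uses a fresh random IV per record, sent in front of it.
    def __init__(self, key: bytes, explicit_iv: bool):
        self.key, self.explicit_iv = key, explicit_iv
        self.chain = os.urandom(BLOCK)  # handshake-derived IV, unknown to the attacker

    def send_record(self, plaintext: bytes) -> bytes:
        plaintext += b"\x00" * (-len(plaintext) % BLOCK)  # pad; padding is irrelevant here
        prev = os.urandom(BLOCK) if self.explicit_iv else self.chain
        out = prev if self.explicit_iv else b""
        for off in range(0, len(plaintext), BLOCK):
            prev = toy_block_encrypt(self.key, xor(plaintext[off:off + BLOCK], prev))
            out += prev
        self.chain = prev
        return out


class VictimBrowser:
    # Attacker JavaScript makes the browser send attacker-chosen bytes followed
    # by the secret cookie; the attacker sees only the ciphertext (the sniffer).
    def __init__(self, secret: bytes, explicit_iv: bool = False):
        self.secret = secret
        self.channel = CbcRecordSender(os.urandom(32), explicit_iv)

    def request(self, attacker_bytes: bytes) -> bytes:
        return self.channel.send_record(attacker_bytes + self.secret)


def beast_recover(request, secret_len: int) -> bytes:
    """Recover the secret byte by byte, assuming TLS 1.0 IV chaining."""
    recovered = b""
    for i in range(secret_len):
        # 1. Align: pick a prefix length so secret[i] is the LAST byte of a block
        #    whose other 15 bytes are known (prefix bytes + bytes already recovered).
        pad_len = (15 - i) % BLOCK + BLOCK     # 16..31: target is never block 0
        ct = request(b"A" * pad_len)
        j = (pad_len + i) // BLOCK             # block that holds secret[i]
        target = ct[j * BLOCK:(j + 1) * BLOCK]
        prev = ct[(j - 1) * BLOCK:j * BLOCK]   # CBC XORed this into the target's input
        known15 = (b"A" * pad_len + recovered)[j * BLOCK:j * BLOCK + 15]
        next_iv = ct[-BLOCK:]                  # TLS 1.0: the next record's IV, on the wire
        # 2. Guess: craft a first block whose cipher input equals the target's input
        #    (known15 || g) XOR prev exactly when g is the right byte.
        for g in range(256):
            craft = xor(known15 + bytes([g]), prev, next_iv)
            ct = request(craft)
            if ct[:BLOCK] == target:
                recovered += bytes([g])
                break
            next_iv = ct[-BLOCK:]              # chain moved on; re-read it
        else:
            raise RuntimeError("no guess matched: the IV was not predictable")
    return recovered


def demo_tls10() -> bytes:
    """Chained IVs: the constructed 16-byte cookie is fully recovered."""
    secret = b"session=7f3a9c1e"  # constructed sample value
    return beast_recover(VictimBrowser(secret).request, len(secret))


def demo_explicit_iv() -> bool:
    """Fresh IV per record (TLS 1.1+): returns True only if the attack still worked."""
    secret = b"session=7f3a9c1e"
    try:
        beast_recover(VictimBrowser(secret, explicit_iv=True).request, len(secret))
        return True
    except RuntimeError:
        return False
```

demo_tls10() recovers the whole cookie with at most 256 requests per byte, using nothing but the ciphertext and the ability to choose what precedes the cookie. demo_explicit_iv() runs the identical attacker against a sender that picks a random IV for every record and returns False: the guess has to be committed before the IV is known, so it can never be aimed at the target block. The model leaves out the hard part of the real attack, which is getting a browser to emit chosen bytes at a chosen block boundary across origins.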