Tuesday, September 20, 2011

SSL 3.0 / TLS 1.0 have been cracked, this is a big deal

Ever go to a website and see that little lock in the corner of the window assuring you that the traffic is encrypted and therefore secure? Well, it's not anymore. Not even on your bank's website...

From the article:
Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting.

De-Nerded - A very large portion of websites that use this particular encryption (yes, even the ones you think are above this) are now vulnerable. Run and hide; hide your kids, hide your wife. There are newer versions of TLS (v1.1 and v1.2) that aren't vulnerable to this flaw, but they remain unsupported by many sites and browsers. Stay tuned for how this pans out.
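Neither the Register quote nor the note above says why TLS 1.0 is affected and TLS 1.1/1.2 are not, so here is a small illustration (added for this post; it is not code from the article or from any TLS implementation). The difference the article is pointing at lives in the CBC record layer: TLS 1.0 reuses the last ciphertext block of one record as the IV of the next, so anyone watching the wire knows the next IV before it is used, while TLS 1.1 and later send a fresh random IV with every record. The simulation below models both behaviours with a stand-in block function built from SHA-256 (an assumption: it is not AES and not a real cipher, only a deterministic keyed function), a constructed key and a constructed HTTP-looking record, and reports whether a passive observer can name each record's IV in advance. It stops at demonstrating predictability; it decrypts nothing.

```python
import hashlib
import secrets

BLOCK = 16  # byte length of one cipher block (AES-sized)

# Constructed demo key and record; not real keys or traffic.
KEY = b"demo-key-not-secret-in-any-way!!"
SAMPLE_RECORD = b"GET /account HTTP/1.1\r\n".ljust(2 * BLOCK, b"X")  # exactly 2 blocks


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES: a keyed, deterministic 16-byte function built from SHA-256.
    # It is not a real block cipher (it is not even invertible); the demonstration
    # only needs the encryption direction to be deterministic under a fixed key.
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Standard CBC chaining: each plaintext block is XORed with the previous
    # ciphertext block (or the IV for the first block) before encryption.
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor_bytes(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class Tls10Sender:
    """TLS 1.0 style record layer: the IV for record n+1 is the last ciphertext
    block of record n. Only the very first IV comes from the handshake secrets;
    every later IV has already been transmitted as ciphertext."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_iv = secrets.token_bytes(BLOCK)

    def send(self, plaintext: bytes):
        iv = self.next_iv
        wire = cbc_encrypt(self.key, iv, plaintext)
        self.next_iv = wire[-BLOCK:]
        # The IV is returned only so the demo can compare against the observer's
        # guess; on a real TLS 1.0 connection it is implicit and never sent.
        return iv, wire


class Tls11Sender:
    """TLS 1.1+ style record layer: a fresh random IV is generated for every
    record and transmitted explicitly in front of the ciphertext."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes):
        iv = secrets.token_bytes(BLOCK)
        return iv, iv + cbc_encrypt(self.key, iv, plaintext)


def observer_guess(previous_wire_record: bytes) -> bytes:
    # A passive observer only has the traffic seen so far; the natural guess
    # for the upcoming IV is "the last ciphertext block that went by".
    return previous_wire_record[-BLOCK:]


def iv_is_predictable(sender, rounds: int = 5) -> bool:
    """Send several records and report whether the observer named every record's
    IV before it was used: True for chained IVs, False for explicit random IVs."""
    previous = None
    hits = 0
    for _ in range(rounds):
        guess = observer_guess(previous) if previous is not None else None
        iv_used, wire = sender.send(SAMPLE_RECORD)
        if guess is not None and guess == iv_used:
            hits += 1
        previous = wire
    return hits == rounds - 1


if __name__ == "__main__":
    print("TLS 1.0 chained IV predictable:", iv_is_predictable(Tls10Sender(KEY)))   # True
    print("TLS 1.1 explicit IV predictable:", iv_is_predictable(Tls11Sender(KEY)))  # False
```

Run it with `python3` and the two lines print True and False. That predictable IV is the property the newer protocol versions removed, which is why the fix on the defender's side is to enable TLS 1.1 or 1.2 on servers and clients rather than to patch anything inside TLS 1.0.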

Source -> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
