PaulSpoerry.com

Social Media, technology, and geeky stuff for your brain.


SSL Encryption that Protects Almost the Entire Internet Broken by Researchers

September 20, 2011 by Paul Spoerry

Researchers have written proof-of-concept code called BEAST, short for Browser Exploit Against SSL/TLS, that can defeat SSL on an address protected by the HTTPS prefix… which is like every secure site on the Internet.

Researchers Thai Duong and Juliano Rizzo will demonstrate BEAST to decrypt an authentication cookie used to access a PayPal account. They claim to have figured out a way to defeat TLS 1.0/SSL 3.0 by breaking the underlying encryption it uses, allowing eavesdropping on any HTTPS connection. If this is true then your secure connection to your bank, Facebook account, Amazon, Gmail, secure Instant Messaging and even VPNs (Virtual Private Networks) is potentially worthless.

Initial reports suggested that BEAST requires about two seconds to decrypt each byte of an encrypted cookie, which essentially meant that a typical attack would take about a half hour. However, the researchers now claim to have optimized the code and can accomplish the same feat in under 10 minutes.

“BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection,” Trevor Perrin, an independent security researcher, wrote in an email. “If the attack works as quickly and widely as they claim it’s a legitimate threat.”

BEAST only works against TLS (transport layer security) version 1.0 or earlier… the successor to the secure sockets layer technology that provides secure communication between your web browser and an Internet server. TLS versions 1.1 and 1.2 do not suffer from the same security vulnerability. Sadly, neither of those is widely implemented because many browsers and sites do not support them.

So why don’t we just start using a later version of TLS? It’s a chicken-or-the-egg scenario. Most browsers don’t support the later versions, so websites fail to employ them. Because websites fail to employ them, most browsers don’t implement them. Because the majority of websites and browsers only support SSL 3.0 and TLS 1.0, anybody who switches their site to only support 1.1 or 1.2 loses much of their traffic… and vice versa.

Read more at The Register
