Yup... Sadly it's true... the thing is... everywhere on the net there *is* an alternative... for TLS 1.0 there is also 1.1 & 1.2 but... nobody implements it (except MS (sic!) and Opera)... seems to be similar to the situation with IPv4 and IPv6: 'nobody cares'.

Greetings,
Jędrzej Nowak

On Tue, Sep 20, 2011 at 11:09 AM, Alvaro Lopez Ortega <[email protected]> wrote:
> Folks,
> You ought to be aware of this if your site relies on TLS 1.0:
> "... The vulnerability resides in versions 1.0 and earlier of TLS, or
> transport layer security, the successor to the secure sockets layer
> technology that serves as the internet's foundation of trust. Although
> versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely
> unsupported in browsers and websites alike."
> "... requires about two seconds to decrypt each byte of an encrypted cookie.
> That means authentication cookies of 1,000 to 2,000 characters long will
> still take a minimum of a half hour for their PayPal attack to work.
> Nonetheless, the technique poses a threat to millions of websites that use
> earlier versions of TLS"
> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
>
> --
> Greetings, alo.
> http://www.alobbs.com/
>
> _______________________________________________
> Cherokee mailing list
> [email protected]
> http://lists.octality.com/listinfo/cherokee
