On 23.09.2011 04:36, Paul B. Gallagher wrote:

--- Original Message ---

> HACKERS BREAK SSL ENCRYPTION USED BY MILLIONS OF SITES
> ======================================================
> Beware of BEAST decrypting secret PayPal cookies
>
> By Dan Goodin in San Francisco
> Posted in ID, 19th September 2011 21:10 GMT
>
> Researchers have discovered a serious weakness in virtually all websites
> protected by the secure sockets layer protocol that allows attackers to
> silently decrypt data that's passing between a webserver and an end-user
> browser.
>
> The vulnerability resides in versions 1.0 and earlier of TLS, or
> transport layer security, the successor to the secure sockets layer
> technology that serves as the internet's foundation of trust. Although
> versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost
> entirely unsupported in browsers and websites alike, making encrypted
> transactions on PayPal, GMail, and just about every other website
> vulnerable to eavesdropping by hackers who are able to control the
> connection between the end user and the website he's visiting.
>
> At the Ekoparty security conference in Buenos Aires later this week,
> researchers Thai Duong and Juliano Rizzo plan to demonstrate
> proof-of-concept code called BEAST, which is short for Browser Exploit
> Against SSL/TLS. The stealthy piece of JavaScript works with a network
> sniffer to decrypt encrypted cookies a targeted website uses to grant
> access to restricted user accounts. The exploit works even against sites
> that use HSTS, or HTTP Strict Transport Security, which prevents certain
> pages from loading unless they're protected by SSL.
>
> The demo will decrypt an authentication cookie used to access a PayPal
> account, Duong said. Two days after this article was first published,
> Google released a developer version of its Chrome browser designed to
> thwart the attack.
>
> ...
>
> Full article (Mozilla stuff on p. 2):
> <http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/>
>

See bug https://bugzilla.mozilla.org/show_bug.cgi?id=480514

And an article from the ISC: http://www.dshield.org/diary.html?storyid=11629

--
*Jay Garcia - Netscape Champion*
www.ufaq.org
Netscape - Firefox - SeaMonkey - Thunderbird

