#10
From what I could see, the only workarounds are for servers, not clients. Therefore, most of us are left to suck our thumbs.
Firefox devs mull dumping Java to stop BEAST attacks • The Register
Mozilla discussion at this link.
https://bugzilla.mozilla.org/show_bug.cgi?id=689661
I have not had Java on my system for months and have only problems with a few sites. For those that use Java you can check out the QuickJava plugin to turn Java on/off as needed in Firefox.
Short for Browser Exploit Against SSL/TLS, BEAST injects JavaScript into an SSL session to recover secret information that's transmitted repeatedly in a predictable location in the data stream. For Friday's implementation of BEAST to work, Duong and Rizzo had to subvert a safety mechanism built into the web known as the same-origin policy, which dictates that data set by one internet domain can't be read or modified by a different address.
The researchers settled on a Java applet as their means to bypass SOP, leading Firefox developers to discuss blocking the framework in a future version of the browser.
Support homepage of QuickJava: The Firefox Addon
Jim
Thanks for the suggestion, PhoneMan. I have installed and plan to disable Java/JavaScript only when using an HTTPS site.
Not sure that would work, as the Java applet can be introduced at any time the attacker has man-in-the-middle access to your system. I would turn off Java always and then turn it on if you hit a site that needs it. Read the Mozilla discussion for more information on the attack. Also, JavaScript (not associated with Java except the name) is used by many sites, and turning it off may break a lot more sites.
Jim