Windows 7 Forums


Windows 7: Researchers Break Open SSL/TLS Decryption

20 Sep 2011   #1
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 
Researchers Break Open SSL/TLS Decryption

Quote:
Cynics say that the world runs on money, but money wouldn't run as smoothly on the World Wide Web if it wasn't for SSL/TLS. It's the go-to encryption protocol for a lot of the Internet, and it's supported by every major browser and many of the top websites around. But how secure is it? A pair of security researchers plan on demonstrating a serious TLS security flaw at the Ekoparty security conference later this week, and they plan on doing it with a bang: by decrypting a Paypal authentication cookie.
Read more at: Maximum PC | Researchers Break Open SSL/TLS Decryption


22 Sep 2011   #2

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

26 Sep 2011   #3

xxxxxxxxxxxxxxxxxxxxxxx
 
 



26 Sep 2011   #4

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
 
 

TLS 1.0 has been considered antiquated for some time now. I think that I read about it being cracked quite some time ago, but the part about it being used in cookies throws me. I'm guessing that it would be the same as code used elsewhere, but I didn't consider the fact that cookies would be using TLS 1.0, instead of something more advanced. The article blames browsers, but I know that Opera can use any of the TLS codes, depending on what is being used by the websites. That makes me wonder if the problem is really with the browsers or not? If PayPal is using old code, they better change it quickly, because I use PayPal a lot, but that may change if they can't write their cookies better.
26 Sep 2011   #5

Windows 7 Professional x64
 
 

Quote: Originally Posted by seekermeister
TLS 1.0 has been considered antiquated for some time now. I think that I read about it being cracked quite some time ago, but the part about it being used in cookies throws me. I'm guessing that it would be the same as code used elsewhere, but I didn't consider the fact that cookies would be using TLS 1.0, instead of something more advanced. The article blames browsers, but I know that Opera can use any of the TLS codes, depending on what is being used by the websites. That makes me wonder if the problem is really with the browsers or not? If PayPal is using old code, they better change it quickly, because I use PayPal a lot, but that may change if they can't write their cookies better.
I agree. I use Opera and PayPal as well.
26 Sep 2011   #6

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
 
 

I'm somewhat confused on this, because I just checked Opera's Security Protocols, and found that TLS 1.1 and 1.2 were not enabled by default. I went ahead and enabled them, but that didn't change anything in the Details window. I'm considering disabling TLS 1.0 altogether, but since it was the default setting, I'm not sure that things would work properly without it. How would one know precisely which protocol was actually being used at any given time?
26 Sep 2011   #7

Windows 7 x64 Ultimate
 
 

Quote: Originally Posted by seekermeister
TLS 1.0 has been considered antiquated for some time now. I think that I read about it being cracked quite some time ago, but the part about it being used in cookies throws me. I'm guessing that it would be the same as code used elsewhere, but I didn't consider the fact that cookies would be using TLS 1.0, instead of something more advanced. The article blames browsers, but I know that Opera can use any of the TLS codes, depending on what is being used by the websites. That makes me wonder if the problem is really with the browsers or not? If PayPal is using old code, they better change it quickly, because I use PayPal a lot, but that may change if they can't write their cookies better.
I'm betting it'll change pretty quickly after the "stunt" is shown off.

IE9 also has TLS 1.0 selected and 1.1/1.2 deselected.

Given that that seems to be the default setting, switching away from 1.0 may completely break everything, since no one's browser supports anything else by default.

One hopes that there might be some negotiation involved so that individuals "in the know" could select 1.1 and 1.2 and use it where available... But as things look today, avoiding 1.0 probably won't be possible for years :/ (Well, other than throwing the computer in the bin.)
26 Sep 2011   #8

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
 
 

The part that seems odd is that I could almost swear that in older versions of Opera the defaults were reversed, with 1.1 & 1.2 being enabled, and 1.0 not. Maybe my memory is worse than I thought.
26 Sep 2011   #9

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
 
 

This quote from TD7BS's link seems to confirm that simply changing the browser's defaults wouldn't help much, and possibly hurt:

Quote:
According to analysis by security specialist Thierry Zoller, Chrome and Firefox use the Network Security Services (NSS), which only support TLS 1.0. Windows Vista, XP, 2000 and Server 2003 as well as Server 2008 are also incapable of using TLS 1.1 by default. Only Windows 7 and Server 2008 R2 can use TLS 1.1. Opera 10, on the other hand, even works with TLS 1.2 servers. However, it is no use changing the browser configuration if the server doesn't support the standard.
Sounds as though Firefox users have the most to be concerned about, since the article also said that Chrome was working on some kind of workaround.
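Editor's added example (not written by any poster in this thread): the question in post #6 about which protocol is actually in use, and the negotiation discussed in posts #7 and #9, come down to two fields on the wire. For TLS 1.0 through 1.2 the ClientHello carries the highest version the client offers and the ServerHello carries the version the server chose. The records below are constructed sample bytes, and `parse_hello`, `negotiation` and `_build` are names invented for this sketch.

```python
import struct

# Wire encodings of the versions named in the thread (major, minor).
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02

def parse_hello(record: bytes) -> dict:
    """Parse one handshake record carrying a ClientHello or ServerHello (TLS 1.0-1.2)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != HANDSHAKE or len(body) != rec_len or rec_len < 6:
        raise ValueError("not a complete handshake record")
    if body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a hello message")
    # body[1:4] is the 24-bit message length; the hello's own version field follows.
    # The record-layer version parsed above is NOT the negotiated version.
    ver = (body[4], body[5])
    info = {"message": "ClientHello" if body[0] == CLIENT_HELLO else "ServerHello",
            "version": VERSIONS.get(ver, "unknown %d.%d" % ver)}
    if body[0] == SERVER_HELLO:
        # Skip the 32-byte random and variable-length session id to reach the chosen suite.
        if len(body) < 39 or len(body) < 39 + body[38] + 2:
            raise ValueError("truncated ServerHello")
        at = 39 + body[38]
        info["cipher_suite"] = "0x%04X" % struct.unpack("!H", body[at:at + 2])[0]
    return info

def negotiation(client_record: bytes, server_record: bytes) -> tuple:
    """Return (highest version the client offered, version the server chose)."""
    c, s = parse_hello(client_record), parse_hello(server_record)
    if (c["message"], s["message"]) != ("ClientHello", "ServerHello"):
        raise ValueError("expected a ClientHello followed by a ServerHello")
    return c["version"], s["version"]

def _build(msg_type: int, version: tuple, tail: bytes) -> bytes:
    """Constructed sample record: zeroed random, empty session id, record version 3.1."""
    hello = bytes(version) + bytes(32) + b"\x00" + tail
    hs = bytes([msg_type]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 3, 1]) + len(hs).to_bytes(2, "big") + hs

# Constructed exchange: the client offers TLS 1.2, the server only speaks TLS 1.0.
SAMPLE_CLIENT = _build(CLIENT_HELLO, (3, 3), b"\x00\x02\x00\x2f\x01\x00")
SAMPLE_SERVER = _build(SERVER_HELLO, (3, 1), b"\x00\x2f\x00")

if __name__ == "__main__":
    print(negotiation(SAMPLE_CLIENT, SAMPLE_SERVER))
    print(parse_hello(SAMPLE_SERVER))
```

The sample pair shows the situation the quoted article describes: enabling TLS 1.2 in the browser changes the ClientHello, but the connection still runs at the version the ServerHello names.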
27 Sep 2011   #10

Windows 7 Ultimate x64 SP1
 
 
