Windows 7 Forums


Windows 7: Researchers Break Open SSL/TLS Decryption

20 Sep 2011   #1

64-bit Windows 7 Ultimate SP1 & Windows 8 Enterprise
Texas
 
 
Researchers Break Open SSL/TLS Decryption

Quote:
Cynics say that the world runs on money, but money wouldn’t run as smoothly on the World Wide Web if it wasn’t for SSL/TLS. It’s the go-to encryption protocol for a lot of the Internet, and it’s supported by every major browser and many of the top websites around. But how secure is it? A pair of security researchers plan on demonstrating a serious TLS security flaw at the Ekoparty security conference later this week, and they plan on doing it with a bang: by decrypting a PayPal authentication cookie.
Read more at: Maximum PC | Researchers Break Open SSL/TLS Decryption


22 Sep 2011   #2

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
Central Pa.
 
 

26 Sep 2011   #3

xxxxxxxxxxxxxxxxxxxxxxx
America
 
 



26 Sep 2011   #4

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
Indian Territory
 
 

TLS 1.0 has been considered antiquated for some time now. I think that I read about it being cracked quite some time ago, but the part about it being used in cookies throws me. I'm guessing that it would be the same as code used elsewhere, but I didn't consider the fact that cookies would be using TLS 1.0, instead of something more advanced. The article blames browsers, but I know that Opera can use any of the TLS codes, depending on what is being used by the websites. That makes me wonder if the problem is really with the browsers or not? If PayPal is using old code, they better change it quickly, because I use PayPal a lot, but that may change if they can't write their cookies better.
26 Sep 2011   #5

Windows 7 Professional x64
Orlando, FL
 
 

Quote: Originally Posted by seekermeister
TLS 1.0 has been considered antiquated for some time now. I think that I read about it being cracked quite some time ago, but the part about it being used in cookies throws me. I'm guessing that it would be the same as code used elsewhere, but I didn't consider the fact that cookies would be using TLS 1.0, instead of something more advanced. The article blames browsers, but I know that Opera can use any of the TLS codes, depending on what is being used by the websites. That makes me wonder if the problem is really with the browsers or not? If PayPal is using old code, they better change it quickly, because I use PayPal a lot, but that may change if they can't write their cookies better.
I agree. I use Opera and PayPal as well.
26 Sep 2011   #6

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
Indian Territory
 
 

I'm somewhat confused on this, because I just checked Opera's Security Protocols, and found that TLS 1.1 and 1.2 were not enabled by default. I went ahead and enabled them, but that didn't change anything in the Details window. I'm considering disabling TLS 1.0 altogether, but since it was the default setting, I'm not sure that things would work properly without it. How would one know precisely which protocol was actually being used at any given time?
26 Sep 2011   #7

Windows 7 x64 Ultimate
San Diego
 
 

Quote: Originally Posted by seekermeister
TLS 1.0 has been considered antiquated for some time now. I think that I read about it being cracked quite some time ago, but the part about it being used in cookies throws me. I'm guessing that it would be the same as code used elsewhere, but I didn't consider the fact that cookies would be using TLS 1.0, instead of something more advanced. The article blames browsers, but I know that Opera can use any of the TLS codes, depending on what is being used by the websites. That makes me wonder if the problem is really with the browsers or not? If PayPal is using old code, they better change it quickly, because I use PayPal a lot, but that may change if they can't write their cookies better.
I'm betting it'll change pretty quickly after the "stunt" is shown off.

IE9 also has TLS 1.0 selected and 1.1/1.2 deselected.

Given that those seem to be the default settings, switching away from 1.0 may completely break everything since no one's browser supports anything else by default.

One hopes that there might be some negotiation involved so that individuals "in the know" could select 1.1 and 1.2 and use it where available... But as things look today, avoiding 1.0 probably won't be possible for years :/ (Well other than throwing the computer in the bin)
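An added example, not part of any post in this thread, for the question of how to tell which protocol version a connection is actually using and whether negotiation happens: in SSL 3.0 through TLS 1.2 the ClientHello carries the highest version the client offers and the ServerHello carries the version the server selected, which is the one in use. The function names and the sample records below are constructed for illustration.

```python
import struct

# Wire values for the protocol versions discussed in the thread.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE = 0x16
HELLO_TYPES = {1: "ClientHello", 2: "ServerHello"}

def hello_version(record: bytes):
    """Return (message name, version name) for a ClientHello/ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rmaj, _rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) < rlen or rlen < 6:
        raise ValueError("truncated handshake message")
    msg_type = body[0]
    if msg_type not in HELLO_TYPES:
        raise ValueError("not a hello message")
    version = (body[4], body[5])  # first field after the 4-byte handshake header
    return HELLO_TYPES[msg_type], VERSIONS.get(version, "unknown %d.%d" % version)

def build_hello(msg_type, version):
    """Build a minimal constructed hello record (zeroed random, empty session id)."""
    body = bytes(version) + bytes(32) + b"\x00"
    if msg_type == 1:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"  # one cipher suite, null compression
    else:
        body += b"\x00\x2f" + b"\x00"              # chosen suite, null compression
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(msg)) + msg

def negotiated(client_record, server_record):
    """Compare what the client offered with what the server selected."""
    offered = hello_version(client_record)
    chosen = hello_version(server_record)
    if offered[0] != "ClientHello" or chosen[0] != "ServerHello":
        raise ValueError("records are in the wrong order")
    return {"client_max": offered[1], "in_use": chosen[1]}

# Constructed sample: client offers up to TLS 1.2, server only speaks TLS 1.0.
client = build_hello(1, (3, 3))
server = build_hello(2, (3, 1))
print(negotiated(client, server))
```

Enabling TLS 1.1/1.2 in the browser only raises the offered maximum; the connection still runs TLS 1.0 when that is all the server selects.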
26 Sep 2011   #8

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
Indian Territory
 
 

The part that seems odd is that I could almost swear that in older versions of Opera the defaults were reversed, with 1.1 & 1.2 being enabled, and 1.0 not. Maybe my memory is worse than I thought.
26 Sep 2011   #9

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
Indian Territory
 
 

This quote from TD7BS's link seems to confirm that simply changing the browser's defaults wouldn't help much, and possibly hurt:

Quote:
According to analysis by security specialist Thierry Zoller, Chrome and Firefox use the Network Security Services (NSS), which only support TLS 1.0. Windows Vista, XP, 2000 and Server 2003 as well as Server 2008 are also incapable of using TLS 1.1 by default. Only Windows 7 and Server 2008 R2 can use TLS 1.1. Opera 10, on the other hand, even works with TLS 1.2 servers. However, it is no use changing the browser configuration if the server doesn't support the standard.
Sounds as though Firefox users have the most to be concerned about, since the article also said that Chrome was working on some kind of workaround.
27 Sep 2011   #10

Windows 7 Ultimate x64 SP1
 
 
