Post Info TOPIC: Hackers break SSL encryption used by millions of sites


Top Poster



This could be a biggie!

Hackers break SSL encryption used by millions of sites

Beware of BEAST decrypting secret PayPal cookies

By Dan Goodin in San Francisco

Posted in ID, 19th September 2011 21:10 GMT

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.

Like a cryptographic Trojan horse...

 

read the rest



__________________

Exposing the sleazery of ebaY and PayPal

 



Top Poster


a little more on this...






Top Poster


Well, here is a live video BEAST demo. Looks like the web may become an even riskier place. As for PayPal specifically, if this thing causes grief, look for more money holds and seizures, for more, yet less defined, reasons. (if that's possible --LoLz)


