Hackers Break Browser SSL/TLS Encryption

Posted by Unknown on Tuesday September 20, 2011 @07:17AM from the only-thoughtcriminals-use-encryption dept.

First time accepted submitter CaVp writes with an article in The Register about an exploit that appears to affect all browsers and can decrypt an active TLS session. From the article: "Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser." A full disclosure is scheduled for Friday September 23rd at the Ekoparty conference. Note that this only affects SSL 2.0 and TLS 1.0; unfortunately, most web servers are misconfigured to still accept SSL 2.0, and TLS 1.1 and 1.2 have seen limited deployment. The practicality of the attack remains to be determined (for one, it isn't very fast — but if the intent is just to decrypt the data for later use, that isn't an impediment).

1 of 110 comments (clear)

Min score:

Reason:

Sort:

Re:Javascript by chrb · 2011-09-20 07:37 · Score: 5, Informative

They can. Not only is Javascript injection possible, it has already been done by at least one malicious government: "Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and news reports."