Slashdot Mirror


User: Lennie

Lennie's activity in the archive.

Stories: 0
Comments: 3,689

Comments · 3,689

  1. Tor: What about different TCP-connections ? on Why the BEAST Doesn't Threaten Tor Users · · Score: 1

    Tor itself is not vulnerable, but what about the web traffic going over the Tor channels?

    Does Tor route different TCP connections to different destinations over the same Tor exit nodes?

    If not, I would think the Tor exit node can still attack you with this Man-in-the-middle attack.

  2. Re:Just make a good security standard already on Why the BEAST Doesn't Threaten Tor Users · · Score: 2

    B. SSL/TLS already supports many methods/encryption algorithms. If everyone could easily install newer software instead of having to support old software, we'd all be able to turn off the older SSL/TLS methods. But as we can't, the other solution is to set up the server to prefer another older method, which uses RC4 instead of CBC, which this tries to attack. The RC4-based method is also safe.

    And for those web developers who complained about Opera and Mozilla disabling support for the older WebSocket protocol: if they hadn't, WebSockets could potentially have been used for this attack as well, instead of the Java applet which is used for this attack.

  3. Re:Tabtop momentum building on Is ARM Ever Coming To the Desktop? · · Score: 1

    Well, there are a few things you might not have thought of:
    - most people really don't need a fast machine.
    - and a lot of people have a device they don't want to plug in every moment. Like for example a tablet device or a laptop they might be using when in the garden.

  4. Re:SUA vs Cygwin (Re:Cygwin) on SUA Deprecated In Windows 8? · · Score: 1

    Ohh, I didn't know that.

    I haven't tried it for a while. When I use a Windows desktop, there usually is a real Linux-server nearby.

  5. The other problem: compatibility and stagnation on The Great JavaScript Debate: Improve It Or Kill It · · Score: 1

    The whole IE6 problem and now probably IE-whatever on Windows XP (there is only IE9 for Vista and higher) means things had to be compatible for far too long, without any swift upgrade path.

    This has led to stagnation of the language and many related APIs.

    That is where the real problem is: the language had no way to evolve.

    Just let it evolve and finally solve the old problems that exist.

    Many, many web developers already use just the 'good parts' and it has already given us a lot of new ideas, and piece by piece these new ideas are added to the browsers with a small compatibility layer for those that do not support them. Just an example: native JSON support.

  6. Re:SUA vs Cygwin (Re:Cygwin) on SUA Deprecated In Windows 8? · · Score: 2

    Fastest and most compatible way to run Linux programs on Windows (which doesn't even need any special hardware)?

    http://colinux.org/

  7. Re:Lennie, the NETCRAFT link I put up does... apk on Google Prepares Fix To Stop SSL/TLS Attacks · · Score: 1

    The point I'm trying to make is, the version number of a webserver does not mean that TLS/1.1 or TLS/1.2 will actually be used when your browser connects to it.

    As I pointed out before, as an example:
    IIS (the Microsoft webserver on Windows Server) has the ability to use TLS/1.1 and TLS/1.2 but it is not enabled by default.

    Just that case makes it pretty clear that a version number alone does not tell you anything.

    It doesn't matter if your browser supports TLS/20.234 or whatever, if the server does not support it. It can't use it.

    We should probably just agree to disagree.

  8. Re:Both your method, & mine, DO work... apk on Google Prepares Fix To Stop SSL/TLS Attacks · · Score: 1

    Yes, but what does a Google query tell you about the website (thus server) you are connecting to?

    The Google query tells you certain versions of Apache do support TLS/1.1 and TLS/1.2.

    It does not tell you whether the website you are connecting to has that version of Apache installed.

    Even if it did, it does not tell you what version of OpenSSL is installed. You can compile a new version of Apache with an old version of OpenSSL just fine. And people do (!)

  9. Re:destroying open source on Oracle Removes Java Signatures, Breaking Webstart · · Score: 2

    And this has no merit?:

    "James Gosling, the father of Java who left Sun soon after it was acquired by Oracle, writes on his blog that Oracle was eying the Java patents as part of the Sun acquisition:

    Oracle finally filed a patent lawsuit against Google. Not a big surprise. During the integration meetings between Sun and Oracle where we were being grilled about the patent situation between Sun and Google, we could see the Oracle lawyer’s eyes sparkle. Filing patent suits was never in Sun’s genetic code. Alas.

    I hope to avoid getting dragged into the fray: they only picked one of my patents (RE38,104) to sue over."

    http://techcrunch.com/2010/08/13/android-oracle-java-lawsuit/
    http://nighthacks.com/roller/jag/entry/the_shit_finally_hits_the

  10. Re:Sure does (you even SAID how) on Google Prepares Fix To Stop SSL/TLS Attacks · · Score: 1

    Actually you don't; here is a short list of things off the top of my head:
    1. There could be an HTTP reverse proxy in front handling the HTTPS, so even if the HTTP header inside the HTTPS stream says it uses webserver X, it does not mean your browser is talking directly to that HTTP server.
    2. Even if it says Apache, it might not say what version.
    3. For Apache it depends on the version of the OpenSSL library installed, and the options need to be enabled. For Debian a default install of Debian stable should be fine as I understand it (haven't checked).
    4. A fairly recent Apache with mod_ssl (which uses OpenSSL) like the one in Debian stable supports TLS/1.1; the previous stable does not. Debian stable also has the option to use mod_gnutls instead, which supports TLS/1.2.
    5. It has to be enabled on the server for it to work; this is the problem with IIS. It is off by default as I understand it (haven't checked).

  11. Re:On detecting what a website runs? EASY! on Google Prepares Fix To Stop SSL/TLS Attacks · · Score: 1

    That does not help; it does not show what version of HTTPS it supports.

    The way to check HTTPS versions/protocol features and so on is at:

    https://www.ssllabs.com/ssldb/analyze.html?d=slashdot.org&s=216.34.181.45

    This is what it says on the page:
    TLS 1.2 No
    TLS 1.1 No

    But it obviously still does not tell you if _you_ are connected to a server which supports it and if client and server are using it right now.

    Trust me, most don't support it.

    The best and most simple way to make sure you are safe is:
    - close the browser (all existing HTTPS connections are thus closed)
    - open the browser
    - only open a tab/window to the HTTPS site and don't forget to type https:// in front of it
    - and use that
    - when you are done, log out on the site
    - close the browser

    Works fine with SSL/3.0 or TLS/1.0.

    Because what the attacker needs to do is to inject plain text, through some other channel, into the stream you are using to connect to the HTTPS site.

    The man-in-the-middle attacker does this by modifying a page loaded over HTTP that you loaded on a different page.

    If all you have open is the one site, they can not do that.
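    As an added illustration of the point made in this comment (example code, not part of the original post): the version and cipher suite actually negotiated for your connection are both in the ServerHello the server sends back, so a defender who captures their own handshake can read them directly instead of guessing from a Server header or a vendor version number. The parser below handles the SSL 3.0 through TLS 1.2 ServerHello layout, the sample records are constructed inline rather than captured, and the flag it computes follows the rule discussed in these comments: a CBC cipher suite under SSL 3.0 or TLS 1.0 is the combination BEAST needs, while TLS 1.1+ and stream ciphers such as RC4 are not.

```python
import struct

# Cipher suite identifiers from the IANA TLS registry; a small subset is enough for
# the check below. Unknown suites are reported by their numeric id.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}

# Protocol version bytes as they appear on the wire
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello (SSL 3.0 .. TLS 1.2 layout).

    Returns the negotiated version, cipher suite and compression method.
    TLS 1.3 carries its real version in an extension, which this parser does not read.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (body_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    major, minor = hs[0], hs[1]
    pos = 2 + 32                      # skip server_version and the 32-byte random
    session_id_len = hs[pos]
    pos += 1 + session_id_len         # skip session_id
    (suite,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    compression = hs[pos]
    return {
        "version": VERSIONS.get((major, minor), "unknown %d.%d" % (major, minor)),
        "cipher_suite": CIPHER_SUITES.get(suite, "0x%04x" % suite),
        "compression": compression,
    }


def beast_relevant(hello: dict) -> bool:
    """True when the negotiated parameters match the preconditions discussed above:
    a CBC suite under SSL 3.0 or TLS 1.0. TLS 1.1+ use per-record explicit IVs and
    stream ciphers such as RC4 are not block-chained, so those return False."""
    return hello["version"] in ("SSL 3.0", "TLS 1.0") and "_CBC_" in hello["cipher_suite"]


def build_sample_server_hello(major: int, minor: int, suite: int) -> bytes:
    """Constructed sample record (not a capture): zeroed random, empty session id,
    null compression, no extensions."""
    hs = bytes([major, minor]) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for major, minor, suite in [(3, 1, 0x002F), (3, 1, 0x0005), (3, 2, 0x002F)]:
        hello = parse_server_hello(build_sample_server_hello(major, minor, suite))
        print(hello["version"], hello["cipher_suite"], "BEAST-relevant:", beast_relevant(hello))
```

    On a real capture you would feed the first server-to-client record of the handshake to parse_server_hello; the sample builder exists only so the check can be exercised offline.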

  12. Re:destroying open source on Oracle Removes Java Signatures, Breaking Webstart · · Score: 4, Informative

    Actually, Oracle might not have bought Sun if they could not sue Android:

    " Miguel De Icaza has provided a very interesting insight into the case. His report has been confirmed by James Gosling, known as the father of Java who left Sun right after the merger. Icaza speculates that the potential to monetise on Java by suing Google was pitched by Jonathan Schwartz during Sun's sales talks with Oracle. Oh boy."

    http://techcrunch.com/2010/08/13/android-oracle-java-lawsuit/
    http://tirania.org/blog/archive/2010/Aug-13.html
    http://www.osnews.com/story/23684/De_Icaza_Sun_s_Schwartz_Pitched_Google_Lawsuit_to_Oracle

  13. Re:Great, but OPERA already solves it on Google Prepares Fix To Stop SSL/TLS Attacks · · Score: 1

    It is only solved for those websites that also support TLS/1.1 and/or TLS/1.2.

    There is no GUI which displays what the server supports so you don't really know.

    Also, like IE8 or IE9 on Vista, Windows 7 and the Windows 8 preview-or-whatever-it-is-called, it is disabled by default.

    As I understand it, it is disabled by default on IIS too.

    Apache on Debian old-stable does not support TLS/1.1; on Debian stable it does, and it is enabled too. You can get TLS/1.2 as well if you install mod_gnutls instead of mod_ssl.

    So in practice most people are not protected.

  14. Re:Why not C on Client-side Web REPL For 15+ Languages · · Score: 1

    Actually, in the early days libraries did not exist, that is why the X Window System has the architecture it does.

  15. Re:Have they totally lost it, or what? on Mozilla Contemplating Five Week Release Cycle · · Score: 1

    As I understand it, the new SDK is available:

    http://www.h-online.com/open/news/item/Add-on-SDK-for-Firefox-updated-1343612.html

    It allows rewriting the old add-ons which need to be updated when Firefox upgrades.

  16. Re:Javascript on Hackers Break Browser SSL/TLS Encryption · · Score: 1

    This is a Man-in-the-Middle attack which injects the JavaScript code into the webpage in the SSL stream, I guess...?

    Or does it on the HTTP page...?

    I guess we'll know in a few days.

  17. Re:this is new? on Intel Shows RealVNC Embedded In the BIOS · · Score: 1

    As I understand it, this is VNC (with encryption) and vPro isn't.

  18. Re:The BIOS needs to die on Intel Shows RealVNC Embedded In the BIOS · · Score: 1

    EFI is just as big a mess as the legacy BIOS:

    http://lwn.net/Articles/451690/
    http://lwn.net/Articles/453003/

    And would you like Microsoft with their Windows 8 (App) Store and Intel to control your PC like it is an Apple iDevice?
    http://lwn.net/Articles/459569/

  19. Re:Intel have been pushing this for years on Intel Shows RealVNC Embedded In the BIOS · · Score: 1

    As I understand it, this is just VNC with small enhancements for ISO-boot and encryption, which makes it easier to deal with on many different platforms.

  20. Re:And how bad it becomes when a vuln is found on Intel Shows RealVNC Embedded In the BIOS · · Score: 1

    All the article did say:

    "using hardware encryption native to vPro chipsets"

    So it could include SSH or HTTPS.

  21. Re:Can't be allowed to happen on DigiNotar Goes Bankrupt After Hack · · Score: 1

    No, it would not. Look at the Comodo breach in March.

  22. Re:What else do you expect? on DigiNotar Goes Bankrupt After Hack · · Score: 1

    Only if they create a new root; most browsers completely blocked the CA even as a sub-CA.

  23. Re:Data breaches are worse for some companies on DigiNotar Goes Bankrupt After Hack · · Score: 1

    "The first one anyone can do in two minutes, including the time to download GPG."

    Well, probably not you. Because GPG is not used for generating certificates.

  24. Re:The first step is ... on Ask Slashdot: Clever Cable Management? · · Score: 1

    I like to use pink for cross-cables. Because, well, they are different. ;-)

  25. Re:The only cable I really care about. on Ask Slashdot: Clever Cable Management? · · Score: 1

    1. Attach the cable to the desk at the edge, but with enough slack to move the mouse around, obviously.
    2. Keep the desk completely clean. Just a keyboard and mouse (my LCD monitor is on a stand hanging over the desk).

    That way there is nothing in the way.

    Also, supposedly, a clean desk means fewer distractions.