back to article Experts suggest SSL changes to keep BEAST at bay

With just a few hours until researchers unveiled an attack they say decrypts sensitive web traffic protected by the ubiquitous secure sockets layer protocol, cryptographers described a simple way website operators can insulate themselves against the exploit. The recommendations published Friday by two-factor authentication …

COMMENTS

This topic is closed for new posts.
Linux

Bah!

All the money spent on security, and along comes a user and its not worth its salt (pun intended)

Google cant really talk, they know there targets too, nice of them to offer a solution, but security is really an ongoing war, the best advice use as much as you can and if its critical dont put it online.

2
0
Anonymous Coward

Well...

As long as it doesn't affect my porn browsing I couldn't care less....

0
0
Silver badge

Question

Does keeping the SSL 3.0 and unchecking the TLS 1.0 in firefox do any good, or more harm than good? I thought I read that the TLS part was the issue.

0
0
Stop

Both TLS 1.0 and SSL 3.0 are vulnerable. Only TLS 1.1 and TLS 1.2 are not, but they are supported by about 2% of web servers out there.

To protect yourself you can use different browser for sensitive sites (banking, paypall, etc.) and another for regular web browsing.

0
0

No, SSL 3.0 has exactly the same issue that TLS 1.0 has.

You can think of TLS 1.0 as SSL 3.1 if you like. They're very similar. The name changed when it went from being led entirely by Netscape to being a standards-committee process.

0
0
Anonymous Coward

I'm obviously being a little dumb here, but once an attacker has compromised one's browser/traffic to such an extent that they have injected arbitrary Javascript into the pages one browses then surely any consequential attack on SSL is rather moot given that they already have access to everything they might want?

0
0

No. They do the javascript injection on some other site that doesn't have HTTPS turned on.

So you've got one browser tab on https://paypal.com, and another browser tab on http://any.other.site.com. Rizzo and Duong perform a MITM to inject some javascript into http://any.other.site.com, and the javascript on that page causes your browser to make more requests to https://paypal.com for them to eavesdrop on.

0
0

This post has been deleted by a moderator

3DES is just fine, Michael.

0
0
This topic is closed for new posts.

Forums