Experts suggest SSL changes to keep BEAST at bay

With just a few hours until researchers unveiled an attack they say decrypts sensitive web traffic protected by the ubiquitous secure sockets layer protocol, cryptographers described a simple way website operators can insulate themselves against the exploit. The recommendations published Friday by two-factor authentication …

COMMENTS

This topic is closed for new posts.
  1. Damien Thorn

    Bah!

    All the money spent on security, and along comes a user and it's not worth its salt (pun intended)

    Google can't really talk, they know they're targets too, nice of them to offer a solution, but security is really an ongoing war, the best advice: use as much as you can and if it's critical don't put it online.

  2. Anonymous Coward

    Well...

    As long as it doesn't affect my porn browsing I couldn't care less....

  3. Mark 65

    Question

    Does keeping the SSL 3.0 and unchecking the TLS 1.0 in Firefox do any good, or more harm than good? I thought I read that the TLS part was the issue.

    1. Tomato42

      Both TLS 1.0 and SSL 3.0 are vulnerable. Only TLS 1.1 and TLS 1.2 are not, but they are supported by about 2% of web servers out there.

      To protect yourself you can use a different browser for sensitive sites (banking, PayPal, etc.) and another for regular web browsing.

    2. RichardBarrell

      No, SSL 3.0 has exactly the same issue that TLS 1.0 has.

      You can think of TLS 1.0 as SSL 3.1 if you like. They're very similar. The name changed when it went from being led entirely by Netscape to being a standards-committee process.
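The negotiation Mark 65, Tomato42 and RichardBarrell are discussing, as an added example that is not part of this thread or the article: a small Python model of which version and cipher suite a browser and server would settle on, and whether that combination is the one BEAST targets (a CBC suite under SSL 3.0 or TLS 1.0). The version labels and OpenSSL-style suite names are constructed for illustration.

```python
# Added example, not from the article or the commenters. Models which protocol
# version and cipher suite a client and server would agree on, and whether that
# pair is what BEAST targets: a CBC suite under SSL 3.0 or TLS 1.0. Version
# labels and OpenSSL-style suite names are constructed for illustration.

VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest
BEAST_VERSIONS = {"SSLv3", "TLSv1.0"}  # chained CBC IVs; TLS 1.1 made them explicit


def cipher_mode(suite: str) -> str:
    """Classify an OpenSSL-style suite name as 'aead', 'stream' or 'cbc'."""
    s = suite.upper()
    if "GCM" in s or "CCM" in s or "CHACHA20" in s:
        return "aead"
    if "RC4" in s:
        return "stream"
    return "cbc"  # AES128-SHA, DES-CBC3-SHA, CAMELLIA128-SHA ... all run in CBC mode


def min_version(suite: str) -> str:
    """AEAD and SHA-2 MAC suites only exist from TLS 1.2 onwards."""
    if cipher_mode(suite) == "aead" or suite.upper().endswith(("SHA256", "SHA384")):
        return "TLSv1.2"
    return "SSLv3"


def negotiate(client_versions, client_suites, server_versions, server_suites):
    """Return (version, suite) or None. The newest version both sides enable wins;
    the suite is taken in server preference order (ssl_prefer_server_ciphers)."""
    common = [v for v in VERSIONS if v in client_versions and v in server_versions]
    if not common:
        return None
    version = common[-1]
    for suite in server_suites:
        usable = VERSIONS.index(version) >= VERSIONS.index(min_version(suite))
        if usable and suite in client_suites:
            return version, suite
    return None


def beast_exposed(result) -> bool:
    """True when the agreed connection is a CBC suite under SSL 3.0 / TLS 1.0."""
    if result is None:
        return False
    version, suite = result
    return version in BEAST_VERSIONS and cipher_mode(suite) == "cbc"
```

With a typical 2011 server enabling only SSL 3.0 and TLS 1.0 with CBC suites listed first, a browser restricted to SSL 3.0 still negotiates a CBC suite under SSLv3 and is reported as exposed, while the same CBC suite under TLS 1.1 is not. RC4 appears only because it was the workaround of the day; it is itself considered broken now, so the configuration to aim for is TLS 1.1 or later with AEAD suites.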

  4. Anonymous Coward

    I'm obviously being a little dumb here, but once an attacker has compromised one's browser/traffic to such an extent that they have injected arbitrary Javascript into the pages one browses then surely any consequential attack on SSL is rather moot given that they already have access to everything they might want?

    1. RichardBarrell

      No. They do the JavaScript injection on some other site that doesn't have HTTPS turned on.

      So you've got one browser tab on https://paypal.com, and another browser tab on http://any.other.site.com. Rizzo and Duong perform a MITM to inject some JavaScript into http://any.other.site.com, and the JavaScript on that page causes your browser to make more requests to https://paypal.com for them to eavesdrop on.

  5. RichardBarrell

    3DES is just fine, Michael.

