SSL BEASTie boys develop follow-up 'CRIME' web attack

The security researchers who developed the infamous BEAST attack that broke SSL/TLS encryption are cooking up a new assault on the same crucial protocols. Online shops, banks and millions of other websites rely on SSL/TLS to encrypt sensitive information sent by punters from their web browsers. The new attack is capable of …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    "Chrome and Firefox are both vulnerable to CRIME"

    Does this imply that other browsers (IE, Safari) are not vulnerable? That would be surprising. ...or does it mean those two are the only ones working on a fix so far?

    The way it's written seems to leave it somewhat ambiguous. Could just be me...

    1. Lee Dowling Silver badge

      Re: "Chrome and Firefox are both vulnerable to CRIME"

      And what about Opera?

      I hate "press releases" like this. There is zero information. You've just told everyone that you're going to announce the release of a flaw which they won't know anything about until you actually release it, and they have no incentive to do anything until you do.

      And, when you do, the nefarious people have not only been looking at the area you hint at specifically for the flaw you found, but they will be ready to get it and exploit it (and yet most browser manufacturers will probably wait for months, if at all, before they fix it).

      Or you could have just put a patch out and let everyone get onto it at the same time.

      Last time, it was actually a flaw in only some implementations of SSL (OpenSSL etc.) and didn't affect some people at all. It was also due to crappy implementation of something that people had been warning for years was a bit dodgy and that other implementations had SPECIFICALLY patched for. And even then browsers etc. took months to catch up (and they were only susceptible because they HADN'T kept up with OpenSSL changes in the first place). I suspect that's the same this time around too, rather than some hugely groundbreaking hack that will kill SSL (actually TLS) on the net for everyone.

      I think I opt for the "I'm using Opera, chances are they have already fixed it months ago or were never vulnerable to it" line. That's what I'd lay my money on, personally.

      Everyone else - well, stop using junky software that can't even be bothered to keep up-to-date with SSL mailing lists and/or basic security patches issued years ago. I believe the flaw for BEAST had been detected and patched 9 YEARS previously in other SSL libraries.

      1. SilentLennie

        Re: "Chrome and Firefox are both vulnerable to CRIME"

        On another website I've seen the author mention: we tested Firefox and Chrome and notified them, they both are working on fixes or have some prepared.

        Which basically means, the other browsers don't know what the problem is, if they are vulnerable or how to fix it.

        There is a talk by the authors about the CRIME attack at a conference; the conference is on 19, 20 or 21.

        That was the only information I could find.

        The last time was the BEAST attack, it wasn't specific to OpenSSL at all. Maybe you meant the SSL renegotiation attack, that was kind of OpenSSL specific. But most servers do use OpenSSL, so it basically affected almost all server installations except IIS on Windows.

  2. Anonymous Coward

    You gotta fight, for your right, to FORMAT!

  3. rory alsop 1
    Stop

    How can you protect yourself from CRIME - BEAST's successor?

    On http://Security.StackExchange.com, one of our members has made an interesting guess at this. Have a look at our blog post for info on how the attack takes place, and how to protect yourself against it:

    http://security.blogoverflow.com/2012/09/how-can-you-protect-yourself-from-crime-beasts-successor/
