Hackers break SSL encryption used by millions of sites

@AC 22:20 GMT: Re Opera

Yes just tried it and it does support TLS 1.2, though this is not enabled by default (TLS 1.0 is).

Also Opera fails when to try "Check for updates" if you have TLS 1.0 disabled...

Re AC 06:11

Operas update servers are behind a load balancer which is currently only TLSv1 and not reneg patch, which has been a big source of frustration to the opera security team.

If I'm right at guessing which load balancer they refer to, then they've just produced a new release with TLSv1.2 - suspect it'll need some testing before deployment

Generally, on this subject, hmmm...

Well I can't see the face of the world changing, but it is concerning.

- The javascript injection would be to another page you're visiting at the same time, I suspect. So its relatively easy to say "Ok, I'll keep a separate browser for secure transactions"

- The packet capture (In reality) is difficult for someone that isn't in direct control of the network (Who could therefore probably do nasty things in much easier ways).

In the real world, I suspect it'll be considerably easier to for mass fraud to find yourself a nice drive-by zero day, drop a trojan and profit.

TLSv1.1/1.2

Looking at RFC5246..

" IV

The Initialization Vector (IV) SHOULD be chosen at random, and

MUST be unpredictable. Note that in versions of TLS prior to 1.1,

there was no IV field, and the last ciphertext block of the

previous record (the "CBC residue") was used as the IV. This was

changed to prevent the attacks described in [CBCATT]. For block

ciphers, the IV length is of length

SecurityParameters.record_iv_length, which is equal to the

SecurityParameters.block_size."

Which then references http://www.openssl.org/~bodo/tls-cbc.txt

So further

- Not a new attack, but the method of injecting chosen plaintext is

- Block ciphers are affected, I'm guessing the venerable RC4 algorithm isn't

If these guys have worked it out..

then I'm sure most governments have had this capability for many years

Doesn't NEED Javascript!

For everyone getting het up about the existence of Java in this exploit, that is just an example of how it could be released into the wild. (If you can decrypt SSL, then you can probably add extra text into the connection to include your java)

BUT I don't think you need it.

I suspect you just need a packet sniffer and the code and away you go.

So, for example, sit in a public place with a dodgy wifi AP and everyone surfs through you thinking "haha, I'm safe, I've got a green padlock". In the meantime you've captured all their login/password information etc. Presumably you can decrypt it all at your leisure and then login to their paypal/bank account a few days or weeks later and pay yourself a little bonus.

If it takes java 10 minutes to decrypt, then a bit of nicely written OpenCL with a pile of GPUs will probably crack it realtime. That's something I'd like to see! (not on my connection)

Trusteer

Sadly this will just make my bank even more eager for me to install this Trusteer dreck...

Opera may have TLS 1.1 and 1.2 on by default but almost no website support it. I tried using Opera with only 1.1 and 1.2 on, and almost every https website fails to load. We need to have the major websites like GMail to support 1.1 and 1.2 so that we can safely turn off 1.0 and SSL 3.

http://eprint.iacr.org/2006/136 :

Cryptology ePrint Archive: Report 2006/136

A Challenging but Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL

...

It took them 5 years to create an exploit?

Sandboxing

Would be nice to be able to sandbox a tab on your browser so that the site you're using can't be shared with another tab. No session information, cookies or anything. Like a private browsing session for a single tab. That would solve it? You'd just start a "secure" tab, go to PayPal, pay then logout out and close the tab. The other tabs would be oblivious and wouldn't be able to share any data.

Best practice: HttpOnly

When setting cookies, could use of the 'HttpOnly' flag resolve this vulnerability? (In supporting browsers, at least?)

we need something other than general purpose web browsers

for secure traffic.

Using a general purpose web browser to do your banking is getting to be like cleaning your teeth with a shotgun. We need something much less powerful, with much more emphasis on safety.

We need simple 'banking clients', based on the best available encryption technology, and everytime that technology gets patched, your client breaks until you download the update. Your bank should rightfully be seen as negligent if they too do not upgrade ASAP (yes, that means someone at the bank actually has to do some WORK once in a while, sorry to break it to you like that). It is a deriliction of duty to use the same shit that doesn't work for decades, then sit on your hands and blame everyone else when it goes wrong.

Yes you can bitch and moan about having to install constant updates, but this is security we're talking about, not some fucking parlor game.

A web browser is like a pub, different pubs are good for different reasons, but none of them are good for banking. Thats why you go to your local BANK, if they're not too busy closing it down so the CEO can pocket another hundred million.

So in summary, bankers are the only people in the world who can afford to take on such a software project, and they're still not going to.

which means the government has to do it, which means, guess what, that'll be another billion taxes straight to Microsoft. Maybe Microsoft should just buy HMRC. And, 25 years later, they might come up with some dicky bullshit software based on a phone tablet toaster PC that you can use on your flower arranging table on the moon. And it'll only cost a million pounds in the UK and 3 dollars in the US.

Opera

I don't know why everyone belives Opera has TLS 1.1 and 1.2 by default.

I just installed it, and both options were not enabled by default.

ok, i'm moving to a bunker. will store cash in the pillows and will live w/o net - wait, the last bit is already happening, been waiting for sky for 3 weeks

Call me back

when you have a general MITM attack against the encrypted stream that does not require the client or server to be compromised. Malicious JS is not news.

I will try to explain my objection.

Phorm.

Putting an ad into your webpage.

Now doing it if you are using ssl.

Now maybe over in the UK your ISP is too nice to do that but I live in the USA and these people are not as nice as BT et al.

Goggle Search results based upon sites SSL level

Well,

This would be easy. If Google and other search engined announced that the search rating would take account of the SSL level the site used. So, 1.2 gets highest rating.

You would find rather a lot of Websites upgrading to the newest SSL.

Dead simple really. Google and other search engines then get the credit making the internet a more secure place.

Errrr - wasn't TLS 1.0 already at issue and superceeded

I was under the impression TLS 1.0 was already a borken standard and why it was superceeded . IIRC it was broken and news over 5 years ago. Oh well

How about contributing instead?

What an unnecessary sensationalist article! OpenSSL is an open source project. Anyone is free to contribute code to the project. Maybe these so called researchers should contribute working code instead of trying to break everything.