
SSL Broken by Hackers Used by Millions of Websites





Researchers discovered that the encryption that's supposed to protect us while surfing the web is totally exploitable by hackers with the necessary know-how.

Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code which will prove that SSL protocols are not as secure as everyone thought them to be.

The researchers claim that their Browser Exploit Against SSL/TLS code, or BEAST, will prove to the world that any cryptographic protocol before TLS 1.1 is vulnerable and can be deciphered fairly easily.

They will attempt to decode an authentication cookie used to log in to a PayPal account, a fact which will diminish the world's faith in one of the foundation blocks of internet security.

Even though later protocols, such as TLS 1.1 and 1.2, don't present the same weakness, these versions are yet to be implemented in websites and browser applications, which means that most popular websites are unprotected.

The algorithm was laid down in the form of JavaScript code that intercepts encrypted cookies transferred by websites during the authentication process.

“BEAST is different than most published attacks against HTTPS,” stated Duong.

“While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

What up until now has been considered to be more of a theoretical weakness has now become something real that puts us all in peril. BEAST is supposed to decrypt the authentication cookie used to access a PayPal account in 10 minutes, which is far less than anyone would expect.

So why don't website and browser developers do something about it, especially since TLS 1.1 has been available since 2006?

In order to efficiently update all the security protocols, the process would have to be done by all the major players at once; otherwise, whenever a fix is attempted, incompatibilities will prevent applications that rely on the old system from working.

Out of all the browsers currently available, only Opera implements TLS 1.2 by default, while in Internet Explorer the technology is there, but lies dormant, waiting to be manually activated.

Google Chrome and Mozilla Firefox seem to be the last in this race as they seem to be waiting for each other to start the implementation.
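
For administrators who want to know which connections fall on the wrong side of the TLS 1.1 cut-off described above, here is an added example (not code from the researchers or from this article) that reads the protocol version a server selected in its ServerHello and flags anything older than TLS 1.1. The record bytes are constructed sample data, and the function names are illustrative assumptions.

```python
import struct

# Protocol versions as the (major, minor) byte pair sent on the wire.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
FIRST_UNAFFECTED = (3, 2)  # per the article: anything before TLS 1.1 is vulnerable


def server_hello_version(record: bytes):
    """Return the (major, minor) version the server chose in a ServerHello record."""
    if len(record) < 11:  # 5-byte record header + 4-byte handshake header + version
        raise ValueError("too short for a TLS record carrying a ServerHello")
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 6:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    # body[1:4] is the 3-byte handshake length; server_version follows it.
    return body[4], body[5]


def audit(record: bytes) -> dict:
    """Name the negotiated version and say whether it predates TLS 1.1."""
    version = server_hello_version(record)
    return {
        "version": VERSIONS.get(version, "unknown %d.%d" % version),
        "pre_tls_1_1": version < FIRST_UNAFFECTED,
    }


def make_server_hello(version) -> bytes:
    """Build a constructed ServerHello record (sample data, not a real capture)."""
    major, minor = version
    # version, 32-byte random, empty session id, one cipher suite, null compression
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for v in sorted(VERSIONS):
        print(audit(make_server_hello(v)))
```
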





This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License. Don't Copy or Reproduce Articles.

© 2012 | Founded & Maintained by Samin Yasar | All Rights Reserved