i2 Security Blog

Keeping you upto date on the world of IT Security

i2 Security Blog - Keeping you upto date on the world of IT Security

SSL Encryption Broken

Researchers have discovered a weakness in the SSL (secure sockets layer) protocol.  SSL is used by nearly all websites who are trying to protect data being sent from the web server to the end users browser.

The vulnerability was discovered in versions 1.0 and earlier of TLS (Transport Layer Security).  Although versions 1.1 and 1.2 of TLS aren’t vulnerable, not many websites or browsers support them, making encrypted transactions on the likes of PayPal, Banking sites and just about every other website, vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website being visited.

Researchers Thai Duong and Juliano Rizzo plan to demonstrate some proof of concept code later this week at the Ekoparty Conference in Buenos Aires.  The software is called BEAST, (Browser Exploit Against SSL/TLS). The code, apparently Javascript, works with a network sniffer to decrypt encrypted cookies that a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HTTP Strict Transport Security, which prevents certain pages from loading unless they’re protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Two days after this research was first published, Google released a developer version of its Chrome browser designed to thwart the attack.

Good to see Google are on the case to fix this before it becomes an everyday issue.  LEts hope the rest of the browser developer community can be quick to act.