SSL Encryption has been unraveled

Psychlone, joined 2010/01/12
No replies

While trying to learn a little more about security in general, I came across this tidbit... I can only imagine the consequences in the wrong hands! (or is that the *right* hands?) ;)

Researchers Break Browser Encryption that Protects Almost the Entire Internet

Do you use Gmail? How about Facebook? Maybe Amazon? All of these rely on SSL, an encryption technology that keeps what goes between you and a website. It's the little lock icon. Now two guys say they've cracked the code.

Thai Duong and Juliano Rizzo are these two guys. This week, The Register reports, they'll show the world how to kill PayPal's SSL with only an itsy bitsy piece of code, unraveling the entire encryption process and leaving your ostensibly private data open to eavesdroppers. The implications for this are massive.

The problem lies with what's called TLS, the newest generation of SSL. TLS 1.0 is vulnerable. TLS 1.1 and 1.2 aren't supported by any browsers. Websites don't want to switch from 1.0, because they don't want to lose everyone who visits their site. This is pretty complicated.

If an exploit is released into the wild, both browser devs and website operators will be forced—lest they wittingly put their users into a possible security nightmare—to upgrade to a more secure encryption version. The transition, I suspect, won't be entirely smooth. But be glad Duong and Rizzo found it before someone who isn't planning on demonstrating it to a legitimate security conference.


...Light in the absence of eyes illuminates nothing.