SSL encryption broken – Proof of concept demo later this week #ph33r

My first reaction to the news that read “Hackers break SSL encryption used by millions of sites – Beware of BEAST decrypting secret PayPal cookies” was, “What took ’em so long?”

The article above gives all the details you can stand, and a quick search of Google for news articles will tell you everything else you want to know.

The skinny is this: Transport Layer Security (TLS) 1.0 and all earlier versions are susceptible to having their encrypted traffic listened in on. I.e., when you are using websites protected with TLS 1.0 and are hit with a browser exploit, everything is in the clear.
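To see which connections fall in that range, the added example below (not from the original post or the article it cites) reads the protocol version a server selected from a ServerHello record and flags TLS 1.0 or earlier. The function names and the sample records are constructed for illustration.

```python
import struct

# Wire encoding (major, minor) of the versions this check names.
# SSL 2.0 uses a different record format and is not parsed here.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def negotiated_version(record: bytes) -> tuple:
    """Return the (major, minor) version the server chose in a ServerHello."""
    if len(record) < 11:
        raise ValueError("too short for a record carrying a ServerHello")
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:  # 22 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != 2:  # 2 = ServerHello message
        raise ValueError("not a ServerHello")
    # body[1:4] is the 24-bit handshake length; server_version follows it.
    # TLS 1.3 also puts 3,3 in this field, so it is never flagged.
    return body[4], body[5]


def is_tls10_or_earlier(record: bytes) -> bool:
    """True when the server picked TLS 1.0 or SSL 3.0."""
    return negotiated_version(record) <= (3, 1)


def sample_server_hello(major: int, minor: int) -> bytes:
    """Constructed ServerHello for the demo, not captured traffic."""
    hello = (bytes([major, minor]) + bytes(32)  # version + 32-byte random
             + b"\x00"                          # empty session id
             + b"\x00\x2f"                      # one cipher suite id
             + b"\x00")                         # null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    header = b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake))
    return header + handshake


if __name__ == "__main__":
    for version in sorted(VERSIONS):
        record = sample_server_hello(*version)
        flag = "TLS 1.0 or earlier" if is_tls10_or_earlier(record) else "ok"
        print(f"{VERSIONS[version]}: {flag}")
```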

How do you protect against this one? Since this is likely a man-in-the-middle type exploit, using public wi-fi may make it easier for an attacker to make it happen. It also requires that the “BEAST” browser exploit be somehow loaded on your computer. How that payload will be delivered has yet to be determined.

Consider keeping virus definitions up to date and using quality anti-virus, like Trend Micro Worry Free for your business, or Titanium for your personal computer or smaller business. Keep the OS up to date; the browser and all supporting applications, such as Java and Adobe Flash Player, should also have the latest updates.

Be careful about which pages you visit; sites with questionable content (think porn, “warez”, etc.) are excellent places to avoid.

Using a VPN when on public wi-fi is always a great idea.

While the proof of concept has not been released, expect copycat “BEAST” exploits to be out within weeks, or even days…

Be careful out there! (And don’t think this will be limited to Microsoft Windows and Internet Explorer… expect Mac, Android, iPad, iPhone, Mozilla & Chrome to get in on the action too.)

