
Hackers break SSL encryption used by millions of sites

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by an attacker who can control the connection between the end user and the website being visited.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.
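A defender's first question after a report like this is which clients can actually negotiate anything above TLS 1.0. The following Python example, added here and not part of the original article, parses the version fields of a TLS ClientHello (the legacy client_version field, plus the supported_versions extension that later TLS 1.3 clients send) and flags clients whose highest offered version is TLS 1.0; the ClientHello bytes are constructed inline by a helper, not captured traffic, and the function names are my own.

```python
import struct

TLS10, TLS12, TLS13 = 0x0301, 0x0303, 0x0304  # wire encodings of the protocol versions
SUPPORTED_VERSIONS_EXT = 0x002B               # extension type for supported_versions

def build_client_hello(client_version, cipher_suites, supported_versions=None):
    """Assemble a minimal ClientHello record (constructed test input, not captured traffic)."""
    body = struct.pack("!H", client_version) + bytes(32)   # legacy_version + zeroed random
    body += b"\x00"                                        # empty session_id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                    # one compression method: null
    if supported_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(vers) + 1, len(vers)) + vers
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", TLS10, len(hs)) + hs  # record type 22 = handshake

def parse_client_hello_versions(record):
    """Return (legacy_version, supported_versions); the list is None if the extension is absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                           # skip random
    pos += 1 + body[pos]                                   # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                                   # skip compression_methods
    supported = None
    if pos < len(body):                                    # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT:         # 1-byte length, then 2-byte versions
                supported = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return legacy_version, supported

def highest_offered(record):
    """Highest protocol version the client is willing to negotiate."""
    legacy, supported = parse_client_hello_versions(record)
    return max(supported) if supported else legacy

def cannot_exceed_tls10(record):
    """True when the client offers nothing above TLS 1.0, so no server setting can move it off the affected protocol."""
    return highest_offered(record) <= TLS10
```

Run over ClientHellos pulled from a capture, this gives an inventory of clients that would keep negotiating TLS 1.0 even after a server is configured to prefer TLS 1.1 or 1.2.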
