
Thai Duong and Juliano Rizzo are the two researchers behind it. This week, The Register reports, they'll show the world how to break PayPal's SSL with only an itsy bitsy piece of code, unravelling the entire encryption process and leaving your ostensibly private data open to eavesdroppers. The implications of this are massive.
The problem lies with TLS, the newest generation of SSL. TLS 1.0 is vulnerable. TLS 1.1 and 1.2 aren't supported by any browsers. Websites don't want to move off 1.0, because they don't want to lose everyone who visits their site. That leaves everyone stuck.
If an exploit is released into the wild, both browser developers and website operators will be forced to upgrade to a more secure protocol version, lest they knowingly put their users into a possible security nightmare. The transition, I suspect, won't be entirely smooth. But be glad Duong and Rizzo found it before someone who isn't planning on demonstrating it at a legitimate security conference. [The Register]

wodger
Wednesday, September 21, 2011 at 7:33 AM
And on the topic of suing, next time SSL breaks and we get hacked/robbed, can we sue these two jokers?
The Joker
Wednesday, September 21, 2011 at 8:14 AM
Why would you suggest suing the people who made everyone aware that the encryption system being used isn't up to scratch? They have done us a favor. If they had made the crack available to the hacker community for illegal purposes then of course throw them to the wolves. IMO it's now up to the global IT community to implement a fix to this before Joe User has to suffer the consequences.
EckyThump
Wednesday, September 21, 2011 at 8:11 AM
Thought this had already been done! The banks and Government get hacked regularly! #}
wsDK_II
Wednesday, September 21, 2011 at 9:13 AM
TLS 1.1 was hacked back in 2004, then disclosed in 2006. TLS 1.2 was hacked in 2007, but I can't remember if it was disclosed?
SSL 1.1, 1.2 and 1.3 have all been hacked; SSL 1.3 was broken back in 2008 from memory…
but it hasn't been released (however I know how to do it as a pen tester :D)
You would be amazed at what you think is secure, but isn't.
Point being, the 'bad guys' have the ability to do whatever they want really; the only reason why they don't is because if they did, then the entire world would combine against them. Which is why they only go after high profile targets.
p.s. Anon is full of good guys like me :)
EckyThump
Wednesday, September 21, 2011 at 10:34 AM
Ahh, that explains a lot about your comments!! #]
John
Wednesday, September 21, 2011 at 11:07 AM
Keep on masturbating to pictures of cats.
vaykant
Wednesday, September 21, 2011 at 8:46 AM
"TLS 1.1 and 1.2 aren't supported by any browsers."
IE 8 / 9 in Windows 7 and Server 2008 R2 support TLS 1.2, and according to Opera, they have supported TLS 1.2 since version 10.
Womp
Wednesday, September 21, 2011 at 9:35 PM
You hear that SSL encryption has been broken and the first thing you think of is your farcebook account, not your bank account?
What do you do, keep all your money in a sock or something?