Do you use Gmail? How about Facebook? Maybe Amazon? All of these rely on SSL, an encryption technology that keeps what goes between you and a website private. It’s the little lock icon. Now two guys say they’ve cracked the code.
Thai Duong and Juliano Rizzo are these two guys. This week, The Register reports, they’ll show the world how to kill PayPal’s SSL with only an itsy bitsy piece of code, unravelling the entire encryption process and leaving your ostensibly private data open to eavesdroppers. The implications for this are massive.
The problem lies with what’s called TLS, the newest generation of SSL. TLS 1.0 is vulnerable. TLS 1.1 and 1.2 aren’t supported by any browsers. Websites don’t want to switch from 1.0, because they don’t want to lose everyone who visits their site. This is pretty complicated.
If an exploit is released into the wild, both browser devs and website operators will be forced — lest they wittingly put their users into a possible security nightmare — to upgrade to a more secure encryption version. The transition, I suspect, won’t be entirely smooth. But be glad Duong and Rizzo found it before someone who wasn’t planning on demonstrating it at a legitimate security conference did. [The Register]