EH-Net

Ethical Hacking Discussions and Related Certifications => Malware => Topic started by: cd1zz on September 20, 2011, 11:44:09 PM



Title: Major blow to TLS 1.0
Post by: cd1zz on September 20, 2011, 11:44:09 PM
If you didn't see this, it's pretty interesting.

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/



Title: Re: Major blow to TLS 1.0
Post by: lorddicranius on September 21, 2011, 12:04:55 AM
I didn't know about TLS 1.1/1.2 prior to reading that article. My question: why isn't a newer version of the technology being used? I guess I'm curious as to what the changes are in 1.1/1.2 compared to 1.0. Were they just performance updates that people didn't think were worth using? And since there weren't any security issues, they didn't see a NEED to use the newer versions?


Title: Re: Major blow to TLS 1.0
Post by: cd1zz on September 21, 2011, 08:47:52 AM
Looks like a number of crypto advances in 1.1 and 1.2:
http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.1_.28SSL_3.2.29

A few people in here try to shed some light on why it's not supported in Chrome:
http://www.google.com/support/forum/p/Chrome/thread?tid=0539619c98f85cbb&hl=en

However, IIS 7.5 and >IE8 in Win 7 support TLS 1.2


Title: Re: Major blow to TLS 1.0
Post by: alucian on September 21, 2011, 08:28:54 PM
If this is true we are in a big s**t.

You can't convince the C*O of a bank (for example) that it is better to upset a lot of customers than to put them at risk.

I wait to see what will happen Friday.


Title: Re: Major blow to TLS 1.0
Post by: tturner on September 27, 2011, 02:33:28 PM
This story is somewhat FUD worthy as it requires an XSS vuln on the site in question. Lots of those out there to be sure and definitely a risk to address, but it's not a free pass to pwn any TLS 1.0 site.


Title: Re: Major blow to TLS 1.0
Post by: lorddicranius on September 30, 2011, 11:38:58 AM
> Looks like a number of crypto advances in 1.1 and 1.2:
> http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.1_.28SSL_3.2.29
>
> A few people in here try to shed some light on why it's not supported in Chrome:
> http://www.google.com/support/forum/p/Chrome/thread?tid=0539619c98f85cbb&hl=en
>
> However, IIS 7.5 and >IE8 in Win 7 support TLS 1.2

Thanks for those links, cd1zz.

For the curious (should be all of us, right? :P), a video demonstrating BEAST at work: http://www.youtube.com/watch?v=BTqAIDVUvrU