The Ethical Hacker Network - Major blow to TLS 1.0

Latest Additions

Who's Online

EH-Net News Feeds

Latest Additions

EH-Net > Ethical Hacking Discussions and Related Certifications > Malware (Moderator: don) > Major blow to TLS 1.0

Pages: [1] Go Down

« previous next »

	Author	Topic: Major blow to TLS 1.0 (Read 5091 times)
0 Members and 1 Guest are viewing this topic.

cd1zz

Sr. Member

Offline

Posts: 393

Major blow to TLS 1.0

« on: September 20, 2011, 11:44:09 PM »

If you didn't see this, it's pretty interesting.

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/


	Logged

OSCE | OSCP | OWSP | CISSP
http://www.pwnag3.com
http://www.networkadminsecrets.com

lorddicranius

Sr. Member

Offline

Posts: 396

Re: Major blow to TLS 1.0

« Reply #1 on: September 21, 2011, 12:04:55 AM »

I didn't know about TLS 1.1/1.2 prior to reading that article. My question: why isn't a newer version of the technology being used? I guess I'm curious as to what the changes are in 1.1/1.2 compared to 1.0. Were they just performance updates that people didn't think were worth using? And since there wasn't any security issues, they didn't see a NEED to use the newer versions?


	Logged

Blog: http://lorddicranius.wordpress.com/

cd1zz

Sr. Member

Offline

Posts: 393

Re: Major blow to TLS 1.0

« Reply #2 on: September 21, 2011, 08:47:52 AM »

Looks like a number of crypto advances in 1.1 and 1.2
http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.1_.28SSL_3.2.29

A few people in here try to shed some light on why its not supported in Chrome:
http://www.google.com/support/forum/p/Chrome/thread?tid=0539619c98f85cbb&hl=en

However, IIS 7.5 and >IE8 in Win 7 support TLS 1.2


« Last Edit: September 21, 2011, 09:23:18 AM by cd1zz »	Logged

OSCE | OSCP | OWSP | CISSP
http://www.pwnag3.com
http://www.networkadminsecrets.com

alucian

Full Member

Offline

Posts: 190

Re: Major blow to TLS 1.0

« Reply #3 on: September 21, 2011, 08:28:54 PM »

If this is true we are in a big s**t.

You can't convince the C*O of a bank (for example) that is better to upset a lot of customers than to put them at risk.

I wait to see what will happen Friday.


	Logged

CISSP ISSAP, CISM/A, GWAPT, eCPPT, OSWP

tturner

Sr. Member

Offline

Posts: 329

Re: Major blow to TLS 1.0

« Reply #4 on: September 27, 2011, 02:33:28 PM »

This story is somewhat FUD worthy as it requires an XSS vuln on the site in question. Lots of those out there to be sure and definitely a risk to address, but it's not a free pass to pwn any TLS 1.0 site.


	Logged

Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GSEC, OPSE, CSWAE, VCP

Next 6 months: GCIH, CSTP, STI MSISE

lorddicranius

Sr. Member

Offline

Posts: 396

Re: Major blow to TLS 1.0

« Reply #5 on: September 30, 2011, 11:38:58 AM »

Quote from: cd1zz on September 21, 2011, 08:47:52 AM

Thanks for those links, cd1zz.

For the curious (should be all of us, right? Tongue

), a video demonstrating BEAST at work: http://www.youtube.com/watch?v=BTqAIDVUvrU


	Logged

Blog: http://lorddicranius.wordpress.com/

Pages: [1] Go Up

« previous next »

Jump to:

SANS Deals 4 EH-Netters

$150 OFF Any SANS Course in Any Format!
Coupon Code: EHN_Connect Including SANS Security West 2012 & SANSFIRE 2012

Recent Forum Topics