Home
Calendar
Certifications
Columns
Features
Forum
Resources
Vitals
Latest Additions
April 2013 Free Giveaway Sponsor - eLearnSecurity
Human Intelligence to Navigate the Security Data Deluge
February 2013 Free Giveaway Winner of SANS CyberCon Training
Interview: Bugcrowd Founders on Herding Ninjas for Crowdsourced Bug Bounties
Network Forensics: The Tree in the Forest
March 2013 Free Giveaway Sponsor - Mile2
Book Review: Violent Python
February 2013 Free Giveaway Sponsor - SANS
Holiday 2012 Free Giveaway Winner of Metasploit Pro by Rapid7
Course Review: SANS FOR408 Computer Forensic Investigations – Windows In-Depth
The Security Consulting Sugar High
Tutorial: Fun with SMB on the Command Line
Interview: Ilia Kolochenko, CEO of High-Tech Bridge
October 2012 Free Giveaway Winner of LearningGate Training
The Broken: Assessing Corporate Security in 2012 to Make a Better 2013
EH-Net Login
Welcome Guest.
Username:
Password:
Remember me
Lost Password?
No account yet?
Register
Who's Online
We have 28 guests and 2 members online
You are here:
Home
Ethical Hacking Discussions and Related Certifications
Malware
Major blow to TLS 1.0
EH-Net
May 25, 2013, 05:31:23 AM
Welcome,
Guest
. Please
login
or
register
.
Did you miss your
activation email?
1 Hour
1 Day
1 Week
1 Month
Forever
Login with username, password and session length
News
: Go back to The Ethical Hacker Network Online Magazine
Home Page
Home
Help
Calendar
Login
Register
EH-Net
>
Ethical Hacking Discussions and Related Certifications
>
Malware
(Moderator:
don
) >
Major blow to TLS 1.0
Pages: [
1
]
Go Down
« previous
next »
Print
Author
Topic: Major blow to TLS 1.0 (Read 8058 times)
0 Members and 1 Guest are viewing this topic.
cd1zz
Hero Member
Offline
Posts: 561
Major blow to TLS 1.0
«
on:
September 20, 2011, 11:44:09 PM »
If you didn't see this, it's pretty interesting.
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
Logged
OSCE | OSCP | GXPN | OSWP | CISSP
http://www.pwnag3.com
http://www.networkadminsecrets.com
lorddicranius
Sr. Member
Offline
Posts: 447
Re: Major blow to TLS 1.0
«
Reply #1 on:
September 21, 2011, 12:04:55 AM »
I didn't know about TLS 1.1/1.2 prior to reading that article. My question: why isn't a newer version of the technology being used? I guess I'm curious as to what the changes are in 1.1/1.2 compared to 1.0. Were they just performance updates that people didn't think were worth using? And since there wasn't any security issues, they didn't see a NEED to use the newer versions?
Logged
GSEC, eCPPT, Sec+
cd1zz
Hero Member
Offline
Posts: 561
Re: Major blow to TLS 1.0
«
Reply #2 on:
September 21, 2011, 08:47:52 AM »
Looks like a number of crypto advances in 1.1 and 1.2
http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.1_.28SSL_3.2.29
A few people in here try to shed some light on why its not supported in Chrome:
http://www.google.com/support/forum/p/Chrome/thread?tid=0539619c98f85cbb&hl=en
However, IIS 7.5 and >IE8 in Win 7 support TLS 1.2
«
Last Edit: September 21, 2011, 09:23:18 AM by cd1zz
»
Logged
OSCE | OSCP | GXPN | OSWP | CISSP
http://www.pwnag3.com
http://www.networkadminsecrets.com
alucian
Full Member
Offline
Posts: 225
Re: Major blow to TLS 1.0
«
Reply #3 on:
September 21, 2011, 08:28:54 PM »
If this is true we are in a big s**t.
You can't convince the C*O of a bank (for example) that is better to upset a lot of customers than to put them at risk.
I wait to see what will happen Friday.
Logged
CISSP ISSAP, CISM/A, GWAPT, GCIH, eCPPT, OSWP
tturner
Sr. Member
Offline
Posts: 432
Re: Major blow to TLS 1.0
«
Reply #4 on:
September 27, 2011, 02:33:28 PM »
This story is somewhat FUD worthy as it requires an XSS vuln on the site in question. Lots of those out there to be sure and definitely a risk to address, but it's not a free pass to pwn any TLS 1.0 site.
Logged
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, OPSE, CSWAE, CSTP, VCP
WIP: OSWP, GSSP-JAVA, GXPN
Udacity on hold, again. I suck.
http://sentinel24.com/blog
@tonylturner
http://bsidesorlando.org
lorddicranius
Sr. Member
Offline
Posts: 447
Re: Major blow to TLS 1.0
«
Reply #5 on:
September 30, 2011, 11:38:58 AM »
Quote from: cd1zz on September 21, 2011, 08:47:52 AM
Looks like a number of crypto advances in 1.1 and 1.2
http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.1_.28SSL_3.2.29
A few people in here try to shed some light on why its not supported in Chrome:
http://www.google.com/support/forum/p/Chrome/thread?tid=0539619c98f85cbb&hl=en
However, IIS 7.5 and >IE8 in Win 7 support TLS 1.2
Thanks for those links, cd1zz.
For the curious (should be all of us, right?
), a video demonstrating BEAST at work:
http://www.youtube.com/watch?v=BTqAIDVUvrU
Logged
GSEC, eCPPT, Sec+
Pages: [
1
]
Go Up
Print
« previous
next »
Jump to:
Please select a destination:
-----------------------------
EH-Net
-----------------------------
=> Calendar Of Events
===> ChicagoCon 2007
===> ChicagoCon 2008s
===> ChicagoCon 2008f
===> ChicagoCon 2009s
=> Ethical Hacktivism
=> News Items and General Discussion About EH-Net
===> Greetings
=> Special Events
-----------------------------
Ethical Hacking Discussions and Related Certifications
-----------------------------
=> General Certification
===> Networking
===> OS
===> Security
=> Compliance, Regulations & Standards
=> Control Systems
=> Cyber Warfare
=> Forensics
===> CCE / MCCE - (Master) Certified Computer Examiner
===> CHFI - Computer Hacking Forensic Investigator
===> EnCE - EnCase® Certified Examiner
===> GCFA - GIAC Certified Forensics Analyst
=> Hardware
=> Incident Response
===> CSIH - Computer Security Incident Handler
===> GCIH - GIAC Certified Incident Handler
=> Malware
===> Advisories
=> Mobile
=> Network Pen Testing
===> CEH - Certified Ethical Hacker
===> CPTC - Certified Penetration Testing Consultant
===> CPTE - Certified Penetration Testing Engineer
===> CSTA - Certified Security Testing Associate
===> eCPPT - eLearnSecurity Certified Professional Penetration Tester
===> ECSA - EC-Council Certified Security Analyst
===> GPEN - GIAC Certified Penetration Tester
===> OSCP - Offensive Security Certified Professional
=> Physical Security
=> Programming
=> Social Engineering
=> Web Applications
=> Wireless
===> CWNP Certs
===> GAWN - GIAC Assessing Wireless Networks
===> OSWP - Offensive Security Wireless Professional
=> Other
-----------------------------
Columns
-----------------------------
=> Editor-In-Chief
=> Andress
=> Gates
=> Haddix
=> Hadnagy
=> Heffner
=> Hoffman
=> Linn
=> RichM
=> Murray
=> J. Peltier
=> Weidman
=> Wilson
-----------------------------
Features
-----------------------------
=> /root
=> Book Reviews
=> Opinions
=> Skillz
===> Examples
===> May 06 - Star Hacks, Episode V: The Empire Hacks Back
===> July 06 - Hack Bill!
===> Sept 06 - Netcat in the Hat
===> Nov 06 - Hitch-Hackers Guide to the Galaxy
===> Dec 06 - A Christmas (Hacking) Story
===> Feb 07 - Charlottes Web Site
===> April 07 - Microsoft Office Space
===> June 07 - Serenity Hack
===> Oct 07 - Worst. Ethical. Hacker. Challenge. Ever.
===> Dec 07 - Frosty the Snow Crash
===> March 2008 - It Happened One Friday
===> Oct 2008 - Scooby Doo and the Crypto Caper
===> Dec 08 - Santa Claus Is Hacking to Town
===> Feb 2009 - Brady Bunch Boondoggle
===> July 2009 - Prison Break
===> October 2009 - SSHliders
===> December 2009 - Miracle on Thirty-Hack Street
===> December 2010 - The Nightmare Before Charlie Browns Christmas
-----------------------------
Resources
-----------------------------
=> Career Central
===> Looking For Work
===> Looking To Hire
=> Links to cool sites.
=> Mass Media
=> News from the Outside World
=> Tools
=> Tutorials
===> Tutorial Requests
Loading...
Exclusive Deal
SANSFIRE 2013
June 15 - 22
5% Off
w/ Code
:
EHN_5
SANS Deals 4 EH-Netters
5% OFF
Any
SANS Course
in Any Format!
Coupon Code:
EHN_5
Including
SANS Rocky Mountain 2013
&
SANS Boston 2013
Polls
Compared to this year, 2013 will be:
Great!
Better.
About the same.
Little worse.
FUBAR!
Recent Forum Topics
News Items and General Discussion About EH-Net
: Change is Coming to EH-Net!!
(30) by
don
Tools
: Symbolic Exploit Assistant project is looking for collaborators
(0) by
galapag0
Greetings
: Hi from the UK
(5) by
prats84
GCIH - GIAC Certified Incident Handler
: Passed my GCIH
(9) by
prats84
Network Pen Testing
: Want a challenge? Want a GXPN practice exam?
(0) by
ajohnson
GCIH - GIAC Certified Incident Handler
: GCIH Free Practice test attempt
(1) by
prats84
EH-Net News Feeds
Latest Additions
Privacy Notice
for TDCC & All Properties
© 2013 The Ethical Hacker Network
Joomla!
is Free Software released under the GNU/GPL License.