Major blow to TLS 1.0

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Sep 20, 2011 11:44 pm

Major blow to TLS 1.0

If you didn't see this, it's pretty interesting.

http://www.theregister.co.uk/2011/09/19 ... aypal_ssl/
lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Wed Sep 21, 2011 12:04 am

Re: Major blow to TLS 1.0

I didn't know about TLS 1.1/1.2 prior to reading that article. My question: why isn't a newer version of the technology being used? I guess I'm curious as to what the changes are in 1.1/1.2 compared to 1.0. Were they just performance updates that people didn't think were worth using? And since there weren't any security issues, they didn't see a NEED to use the newer versions?
GSEC, eCPPT, Sec+
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Wed Sep 21, 2011 8:47 am

Re: Major blow to TLS 1.0

Looks like a number of crypto advances in 1.1 and 1.2
http://en.wikipedia.org/wiki/Transport_ ... SSL_3.2.29

A few people in here try to shed some light on why it's not supported in Chrome:
http://www.google.com/support/forum/p/C ... 5cbb&hl=en

However, IIS 7.5 and >IE8 in Win 7 support TLS 1.2
alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Wed Sep 21, 2011 8:28 pm

Re: Major blow to TLS 1.0

If this is true, we are in big s**t.

You can't convince the C*O of a bank (for example) that it's better to upset a lot of customers than to put them at risk.

I wait to see what will happen Friday.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Tue Sep 27, 2011 2:33 pm

Re: Major blow to TLS 1.0

This story is somewhat FUD-worthy as it requires an XSS vuln on the site in question. Lots of those out there to be sure, and definitely a risk to address, but it's not a free pass to pwn any TLS 1.0 site.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Fri Sep 30, 2011 11:38 am

Re: Major blow to TLS 1.0

cd1zz wrote: Looks like a number of crypto advances in 1.1 and 1.2
http://en.wikipedia.org/wiki/Transport_ ... SSL_3.2.29

A few people in here try to shed some light on why it's not supported in Chrome:
http://www.google.com/support/forum/p/C ... 5cbb&hl=en

However, IIS 7.5 and >IE8 in Win 7 support TLS 1.2

Thanks for those links, cd1zz.

For the curious (should be all of us, right? :P), a video demonstrating BEAST at work: http://www.youtube.com/watch?v=BTqAIDVUvrU
GSEC, eCPPT, Sec+