Security researchers have unveiled a serious weakness in virtually all websites protected by the SSL protocol. This weakness allows a hacker to decrypt data passed between a browser and a server.

The vulnerability resides in versions 1.0 and earlier of TLS (Transport Layer Security). TLS versions 1.1 and 1.2 are not susceptible, but almost no one supports 1.1 or 1.2 yet, even though both were released years ago (1.1 was released in 2006). Check out the attached graphic, showing stats on current SSL and TLS version usage. Simply upgrading TLS is proving surprisingly difficult, mostly because almost every fix breaks widely used applications or technologies.
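
To see which version a server actually selects, here is an added example (not from the original post or from the researchers): a Python check that parses a captured ServerHello record and flags TLS 1.0 and earlier. The function names and the sample records are constructed for illustration.

```python
import struct

# Wire values of the two-byte protocol version field.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_server_hello(record: bytes):
    """Return (version, cipher_suite) from one raw ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record body")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Fixed part: server_version(2) + random(32) + session_id length(1).
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    off = 35 + hello[34]              # skip the variable-length session id
    if len(hello) < off + 3:          # cipher suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack("!H", hello[off:off + 2])[0]
    return version, cipher_suite

def negotiated_version_at_risk(record: bytes):
    """Name the selected version and flag TLS 1.0 and earlier."""
    version, _ = parse_server_hello(record)
    return VERSIONS.get(version, hex(version)), version <= 0x0301

def build_sample(version: int) -> bytes:
    """Constructed ServerHello: zero random, empty session id, suite 0x002F."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!HB", 0x002F, 0))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake

if __name__ == "__main__":
    for v in (0x0300, 0x0301, 0x0302, 0x0303):
        print(negotiated_version_at_risk(build_sample(v)))
```
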

"At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts.

BEAST requires about two seconds to decrypt each byte of an encrypted cookie. That means authentication cookies of 1,000 to 2,000 characters long will still take a minimum of a half hour for their PayPal attack to work. Nonetheless, the technique poses a threat to millions of websites that use earlier versions of TLS, particularly in light of Duong and Rizzo's claim that this time can be drastically shortened."

The full article is online at http://gay.gl/eN