
Researchers to Detail Hole in Web Encryption


September 22, 2011


Security researchers Juliano Rizzo and Thai Duong will demonstrate an attack that compromises Transport Layer Security (TLS) 1.0 at the Ekoparty conference in Argentina. The TLS encryption mechanism secures Web sites accessed using Secure Hypertext Transfer Protocol (HTTPS), and is the successor to Secure Sockets Layer (SSL).

The attack is called Browser Exploit Against SSL/TLS, and reportedly works by getting a victim's browser to run JavaScript code that cooperates with a sniffer that closely monitors the victim's actual network communications. The attack, which takes about 10 minutes, allows an authentication cookie to be stolen. Rizzo and Duong will show how the attack can be used to decrypt a cookie used to access PayPal's electronic payment site.

TLS is widely used by financial sites, and companies such as Google, Facebook, and Twitter are pushing for its further use on the Web. University of Virginia researcher Karsten Nohl says the vulnerability should give software makers the incentive to catch up with a fix that was available years ago.


Abstracts Copyright © 2011 Information Inc., Bethesda, Maryland, USA


