Just because hackers now can do what the FBI, CIA, etc have probably been doing for years — looking at your purchases, banking transactions, etc online — doesn’t mean they’ll HAVE to steal your money and charge your credit cards. That would just be rude.

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they’re protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.
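The article's dividing line is the negotiated protocol version: TLS 1.0 and earlier are affected, TLS 1.1 and 1.2 are not. The check below is an added illustration, not code from the article or from Duong and Rizzo: it parses the `server_version` field out of a TLS ServerHello record and reports whether the negotiated version falls in the affected set. The sample records are constructed in the block, not captured traffic.

```python
import struct

# SSL/TLS version bytes as they appear on the wire (RFC 2246, 4346, 5246).
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def beast_exposed(version):
    """Per the article: TLS 1.0 and earlier are affected, TLS 1.1 and 1.2 are not."""
    return version <= (3, 1)

def parse_server_hello(record):
    """Return (record_layer_version, negotiated_version) from one TLS record that
    carries a ServerHello. The authoritative field is server_version inside the
    handshake body; a record header alone (e.g. on a ClientHello, which is often
    stamped low for compatibility) does not tell you what was negotiated."""
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if len(body) != length or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 2:
        raise ValueError("truncated ServerHello")
    return (major, minor), (hello[0], hello[1])

def classify(record):
    """Name the negotiated version and say whether the article places it in the affected set."""
    _, negotiated = parse_server_hello(record)
    name = VERSION_NAMES.get(negotiated, "unknown %d.%d" % negotiated)
    return name, beast_exposed(negotiated)

def build_server_hello(record_version, negotiated_version):
    """Constructed sample record (not captured traffic): 32 zero bytes of random,
    empty session id, one cipher suite id, null compression."""
    hello = bytes(negotiated_version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", 0x16, *record_version, len(handshake)) + handshake

# Two constructed captures: one server that negotiated TLS 1.0, one that negotiated TLS 1.2.
SAMPLE_TLS10 = build_server_hello((3, 1), (3, 1))
SAMPLE_TLS12 = build_server_hello((3, 3), (3, 3))

if __name__ == "__main__":
    for sample in (SAMPLE_TLS10, SAMPLE_TLS12):
        print(classify(sample))
```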

  1. jbenson2 says:

    A big IF:

    “If the attack works as quickly and widely as they claim it’s a legitimate threat.”

    It’s just a claim and not proven.

  2. msbpodcast says:

    In #1, jbenson2 said: A big IF
    You’re not spreading fear, uncertainty and doubt.

    Keep that up and people will be using NFC for business and consumer transactions and putting counterfeiters out of work.

    That would place a terrible burden on the Fed. They won’t be able to just print a few pallet loads of Benjamins whenever the gummint screws up.

  3. bobbo, the evangelical anti-theist says:

    I once asked Wells Fargo if anyone could access my money and transfer it “out.” I was told my electronic account could only make transfers between my own bank accounts. I had a reserve of doubt about that but it gave me some comfort.

    Over time with the constant barrage to pay bills by electronic transfer and such I am quite sure that if anyone had my password they could “arrange for” electronic bill paying and get access to my money and transfer it out of Wells Fargo.

    Hmmmm. This issue of breach aside, it causes me to worry. All these “trusted merchants” like Comcast or anyone else who can as they wish simply access your account and have a payment to them be made. No account cracking required. What’s with THAT???

    Works 99% of the time but these merchant arrangements can get in your way. When Mom died, we could not get the automatic payment to Comcast stopped.

    Wells Fargo does not work for its depositors; it works for its fellow merchants.

  4. JimD says:

    NOTHING on the web is “safe”!!! Caveat Emptor!!!

  5. MikeN says:

    Why hasn’t this been leaked on the internet yet! Secrecy is bad. Information should be free!

  6. sargasso_c says:

    A sniffer needs access to the LAN or DSL/WiFi of the victim.

  7. spsffan says:

    Wells Fargo? Ha ha ha ha ha ha ha ha! Try a company that has progressed beyond the stagecoach!

    My 13 years in banking taught me two things. Don’t do business with American Express and don’t do business with Wells Fargo. Both woefully incompetent.

    Bank of America on the other hand is only marginally incompetent (they were okay before they merged with Nationsbank) but they are still as evil as ever.

  8. Uncle Patso says:

    #6 sargasso_c:

    “A sniffer needs access to the LAN or DSL/WiFi of the victim.”

    What about cable modems? As I understand it, it’s possible for anyone with a cable modem to sniff the packets of everyone on the cable company’s local node. I have no idea how many subscribers that might be…

    Or is this a “man in the middle” attack, where the hacker has to be able to intercept the traffic both ways?

  9. rwest says:

    Not sure where the author got the information from, but IE 9 supports TLS 1.1 and TLS 1.2.

  10. chris says:

    The good thing here is that an attacker not only has to serve you a fraudulent certificate, they also have to control a host between you and the site they are providing you the certificate for. It makes an attack a lot harder.

    Many people don’t even know what SSL is, and just trust any page with a little lock on it. They are going to get nailed anyway.

    It does suggest that there are too many CAs.

  11. chris says:

    Yikes, I thought this was like DigiNotar. Caught not reading the article. 🙂
