
Communications of the ACM

ACM TechNews

Researchers to Detail Hole in Web Encryption



The attack reportedly works by getting a victim's browser to run JavaScript code that cooperates with a sniffer that closely monitors the victim's actual network communications.

Credit: Courtesy of Lisisoft.com

Security researchers Juliano Rizzo and Thai Duong will demonstrate, at the Ekoparty conference in Argentina, an attack that compromises Transport Layer Security (TLS) 1.0. The TLS encryption mechanism, the successor to Secure Sockets Layer (SSL), secures Web sites accessed using Secure Hypertext Transfer Protocol (HTTPS).

The attack is called Browser Exploit Against SSL/TLS, and reportedly works by getting a victim's browser to run JavaScript code that cooperates with a sniffer that closely monitors the victim's actual network communications. The attack, which takes about 10 minutes, allows an authentication cookie to be stolen. Rizzo and Duong will show how the attack can be used to decrypt a cookie used to access PayPal's electronic payment site.

TLS is widely used by financial sites, and companies such as Google, Facebook, and Twitter are pushing for its further use on the Web. University of Virginia researcher Karsten Nohl says the vulnerability should give software makers the incentive to catch up with a fix that was available years ago.

From CNET

Abstracts Copyright © 2011 Information Inc., Bethesda, Maryland, USA

 


 
