Communications of the ACM
Researchers to Detail Hole in Web Encryption
The attack reportedly works by getting a victim's browser to run JavaScript code that cooperates with a sniffer that closely monitors the victim's actual network communications.
Credit: Courtesy of Lisisoft.com
Security researchers Juliano Rizzo and Thai Duong will demonstrate an attack that compromises Transport Layer Security (TLS) 1.0 at the Ekoparty conference in Argentina. The TLS encryption mechanism secures Web sites accessed using [Secure Hypertext Transfer Protocol (HTTPS)], and is the successor to Secure Sockets Layer (SSL).
The attack is called Browser Exploit Against SSL/TLS, and reportedly works by getting a victim's browser to run JavaScript code that cooperates with a sniffer that closely monitors the victim's actual network communications. The attack, which takes about 10 minutes, allows an authentication cookie to be stolen. Rizzo and Duong will show how the attack can be used to decrypt a cookie used to access PayPal's electronic payment site.
TLS is widely used by financial sites, and companies such as Google, Facebook, and Twitter are pushing for its further use on the Web. University of Virginia researcher Karsten Nohl says the vulnerability should give software makers the incentive to catch up with a fix that was available years ago.
From CNET
View Full Article
No entries found