Serious TLS Vulnerability Discovered
Dan Goodin for The Register:
The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.
TLS is the encryption standard used by millions of popular web sites, including not only PayPal and Gmail, as mentioned, but also many e-commerce sites. That your session is susceptible to eavesdropping by malicious attackers should give you pause.
“BEAST is different than most published attacks against HTTPS,” Duong wrote in an email. “While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”
Things are only going to get worse before they get better. Up until now browser security has only been of peripheral interest. Now that attacks like these are increasing in both frequency and complexity, maybe the browser vendors will start to consider more secure means of safeguarding transport and data.
What most people are probably concerned with is whether or not they should stop buying things online or conducting online banking. I would submit that you are more than likely still safe; the chances of being targeted are fairly slim. However, you do need to remain vigilant and be very cautious when handling any form of online monetary transaction. Constantly monitor your credit cards and bank accounts for fraudulent activity and immediately report anything out of the ordinary.
Be careful out there. It’s a brave new world.
jark posted this
