[[Thought about OT. TECH seems OK. Please migrate to OT if content gets off key theme]] People with major dependence on HTTPS / SSL security may wish to consider if short term action is necessary re this issue. 'Whitehat' demo code shows that Paypal, Google/GMAIL and most other SSL "secured" sites/links are vulnerable to attack. (HTTPS is THE primary method of protection generally used in most internet transactions so this vulnerability is *potentially* of relevance to most secure internet access systems). The demonstration system is due for demonstration at the 3 day Ekoparty conference in Buenos Aires which starts today so it's highly likely that no real-world security breach exists. Yet. The next two paragraphlets may or may not make sense :-) : Exploit is "certain" given specified conditions but with processing power used by demo system takes around 1 to 2 seconds per byte of the encrypted permissions cookie which is used to mount the attack so say typically half an hour to 'crack' a Paypal account. I'm unaware if the method is amenable to acceleration by vast parallel attack but, if so, use of "web resources" would allow much more rapid decodes. Presumably also a dedicated solver may help and would almost be worth implementing during this "window of opportunity". __________________ Ref: James N. http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_= ssl/ Says: Hackers break SSL encryption used by millions of sites Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting. At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL. The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Like a cryptographic Trojan horse The attack is the latest to expose serious fractures in the system that virtually all online entities use to protect data from being intercepted over insecure networks and to prove their website is authentic rather than an easily counterfeited impostor. Over the past few years, Moxie Marlinspike and other researchers have documented ways of obtaining digital certificates that trick the system into validating sites that can't be trusted. Earlier this month, attackers obtained digital credentials for Google.com and at least a dozen other sites after breaching the security of disgraced certificate authority DigiNotar. The forgeries were then used to spy on people in Iran accessing protected GMail servers. By contrast, Duong and Rizzo say they've figured out a way to defeat SSL by breaking the underlying encryption it uses to prevent sensitive data from being read by people eavesdropping on an address protected by the HTTPs prefix. =93BEAST is different than most published attacks against HTTPS,=94 Duong wrote in an email. =93While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.=94 Duong and Rizzo are the same researchers who last year released a point-and-click tool that exposes encrypted data and executes arbitrary code on websites that use a widely used development framework. The underlying =93cryptographic padding oracle=94 exploited in that attack isn't an issue in their current research. Instead, BEAST carries out what's known as a plaintext-recovery attack that exploits a vulnerability in TLS that has long been regarded as mainly a theoretical weakness. During the encryption process, the protocol scrambles block after block of data using the previous encrypted block. It has long been theorized that attackers can manipulate the process to make educated guesses about the contents of the plaintext blocks. If the attacker's guess is correct, the block cipher will receive the same input for a new block as for an old block, producing an identical ciphertext. At the moment, BEAST requires about two seconds to decrypt each byte of an encrypted cookie. That means authentication cookies of 1,000 to 2,000 characters long will still take a minimum of a half hour for their PayPal attack to work. Nonetheless, the technique poses a threat to millions of websites that use earlier versions of TLS, particularly in light of Duong and Rizzo's claim that this time can be drastically shortened. In an email sent shortly after this article was published, Rizzo said refinements made over the past few days have reduced the time required to under 10 minutes. =93BEAST is like a cryptographic Trojan horse =96 an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection,=94 Trevor Perrin, an independent security researcher, wrote in an email. =93If the attack works as quickly and widely as they claim it's a legitimate threat.=94 --=20 http://www.piclist.com PIC/SX FAQ & list archive View/change your membership options at http://mailman.mit.edu/mailman/listinfo/piclist .