
Thread: Hackers break SSL encryption used by millions of sites

  1. #1
    dynamo34 is offline x10Hosting Member dynamo34 is an unknown quantity at this point
    Join Date
    Sep 2011
    Posts
    5

    Hackers break SSL encryption used by millions of sites

    Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

    The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting.

    At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.
    http://www.theregister.co.uk/2011/09...ts_paypal_ssl/

    ---------- Post added at 06:14 PM ---------- Previous post was at 05:51 PM ----------

    You can check any HTTPS site using SSLScan to see which version it is using:
    SSLScan is a free command-line tool that scans an HTTPS service to enumerate what protocols (supports SSLv2, SSLv3 and TLS1) and what ciphers the HTTPS service supports. It runs on both Linux and Windows (OS X not tested) and is released under an open source license.

    Code:
    [user@test]$ ./SSLScan --no-failed mail.google.com
                       _
               ___ ___| |___  ___ __ _ _ __
              / __/ __| / __|/ __/ _` | '_ \
              \__ \__ \ \__ \ (_| (_| | | | |
              |___/___/_|___/\___\__,_|_| |_|
    
                      Version 1.9.0-win
                 http://www.titania.co.uk
     Copyright 2010 Ian Ventura-Whiting / Michael Boman
        Compiled against OpenSSL 0.9.8n 24 Mar 2010
    
    Testing SSL server mail.google.com on port 443
    
      Supported Server Cipher(s):
        accepted  SSLv3  256 bits  AES256-SHA
        accepted  SSLv3  128 bits  AES128-SHA
        accepted  SSLv3  168 bits  DES-CBC3-SHA
        accepted  SSLv3  128 bits  RC4-SHA
        accepted  SSLv3  128 bits  RC4-MD5
        accepted  TLSv1  256 bits  AES256-SHA
        accepted  TLSv1  128 bits  AES128-SHA
        accepted  TLSv1  168 bits  DES-CBC3-SHA
        accepted  TLSv1  128 bits  RC4-SHA
        accepted  TLSv1  128 bits  RC4-MD5
    
      Prefered Server Cipher(s):
        SSLv3  128 bits  RC4-SHA
        TLSv1  128 bits  RC4-SHA
    
      SSL Certificate:
        Version: 2
        Serial Number: -4294967295
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
        Not valid before: Dec 18 00:00:00 2009 GMT
        Not valid after: Dec 18 23:59:59 2011 GMT
        Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
          Modulus (1024 bit):
              00:d9:27:c8:11:f2:7b:e4:45:c9:46:b6:63:75:83:
              b1:77:7e:17:41:89:80:38:f1:45:27:a0:3c:d9:e8:
              a8:00:4b:d9:07:d0:ba:de:ed:f4:2c:a6:ac:dc:27:
              13:ec:0c:c1:a6:99:17:42:e6:8d:27:d2:81:14:b0:
              4b:82:fa:b2:c5:d0:bb:20:59:62:28:a3:96:b5:61:
              f6:76:c1:6d:46:d2:fd:ba:c6:0f:3d:d1:c9:77:9a:
              58:33:f6:06:76:32:ad:51:5f:29:5f:6e:f8:12:8b:
              ad:e6:c5:08:39:b3:43:43:a9:5b:91:1d:d7:e3:cf:
              51:df:75:59:8e:8d:80:ab:53
          Exponent: 65537 (0x10001)
        X509v3 Extensions:
          X509v3 Basic Constraints: critical
            CA:FALSE
          X509v3 CRL Distribution Points: 
            URI:http://crl.thawte.com/ThawteSGCCA.crl
          X509v3 Extended Key Usage: 
            TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
          Authority Information Access: 
            OCSP - URI:http://ocsp.thawte.com
            CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt
      Verify Certificate:
        unable to get local issuer certificate
    
    
    Renegotiation requests supported
    Testing for SSL/TLS - OWASP.org

    Currently only Internet Explorer and Opera properly support the use of TLS 1.1 and 1.2. All other browser clients have bugs to be resolved and so TLS 1.0 is all that is available for the rest.
    Last edited by dynamo34; 09-20-2011 at 01:17 PM. Reason: Additional info
    dinomirt96 likes this.
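Added example (not part of the original post and not SSLScan's own code): a small parser for the "accepted" lines of the SSLScan output above that reports which protocol versions the server accepted and which accepted suites are CBC-mode block ciphers on TLS 1.0 or older, the combination BEAST targets. The sample input is constructed from the output quoted in the post; the function names and the name-based CBC heuristic are assumptions of this example.

```python
import re

# Constructed sample: the cipher lines of the SSLScan output quoted in post #1.
SAMPLE_SCAN = """\
  Supported Server Cipher(s):
    accepted  SSLv3  256 bits  AES256-SHA
    accepted  SSLv3  128 bits  AES128-SHA
    accepted  SSLv3  168 bits  DES-CBC3-SHA
    accepted  SSLv3  128 bits  RC4-SHA
    accepted  SSLv3  128 bits  RC4-MD5
    accepted  TLSv1  256 bits  AES256-SHA
    accepted  TLSv1  128 bits  AES128-SHA
    accepted  TLSv1  168 bits  DES-CBC3-SHA
    accepted  TLSv1  128 bits  RC4-SHA
    accepted  TLSv1  128 bits  RC4-MD5
"""

ACCEPTED = re.compile(
    r"^\s*accepted\s+(SSLv[23]|TLSv1(?:\.\d)?)\s+(\d+)\s+bits\s+(\S+)\s*$")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}  # "TLS 1.0 and earlier"
# Assumption: OpenSSL-style suite names. Suites carrying one of these tags are
# stream, AEAD or unencrypted; every other suite is treated as a CBC block cipher.
NOT_CBC = ("RC4", "GCM", "CCM", "CHACHA20", "NULL")


def parse_accepted(scan_text):
    """Return (protocol, key_bits, cipher) for every 'accepted' line."""
    rows = []
    for line in scan_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows


def audit(scan_text):
    """Summarise how much of the server's offer is CBC on TLS 1.0 or older."""
    rows = parse_accepted(scan_text)
    protocols = sorted({p for p, _, _ in rows})
    legacy_cbc = [(p, c) for p, _, c in rows
                  if p in LEGACY and not any(t in c.upper() for t in NOT_CBC)]
    return {
        "protocols": protocols,
        # True when nothing newer than TLS 1.0 was accepted by the server
        "legacy_only": bool(rows) and all(p in LEGACY for p in protocols),
        "legacy_cbc": legacy_cbc,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SCAN)
    print("protocols accepted:", ", ".join(report["protocols"]))
    print("TLS 1.0 or older only:", report["legacy_only"])
    for proto, cipher in report["legacy_cbc"]:
        print("CBC suite on legacy protocol:", proto, cipher)
```

The SSLScan build quoted in the post only probes SSLv2, SSLv3 and TLS1, so `legacy_only` reflects what that scanner tested rather than proof that the server lacks TLS 1.1 or 1.2.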

  2. #2
    essellar is offline Community Advocate essellar has a spectacular aura about
    Join Date
    Feb 2010
    Location
    Toronto, Ontario, CA
    Posts
    1,150

    Re: Hackers break SSL encryption used by millions of sites

    See the discussion on this point at Hacker News (not a "cracking" site, it's the news aggregator for the YCombinator startup community, where the word "hacker" is used in the Steve Wozniak sense).
    “Beware of bugs in the above code; I have only proved it correct, not tried it.” --Donald Knuth
    "It was as if its architects were given a perfectly good hammer and gleefully replied, 'neat! With this hammer, we can build a tool that can pound in nails.'" -- Alex Papadimoulis (on TheDailyWTF.com)

  3. #3
    dynamo34 is offline x10Hosting Member dynamo34 is an unknown quantity at this point
    Join Date
    Sep 2011
    Posts
    5

    Re: Hackers break SSL encryption used by millions of sites

    This looks like a very serious issue that will take some time to resolve.
    It seems that migrating to TLSv1.1 or 1.2 could cause large problems for server customers whose clients don't support those protocols. Apparently everyone that implements SSL on their servers must only use TLSv1.0 or risk breaking client applications.
    Maybe we are months away from a resolution.

  4. #4
    theone48 is offline x10 Sophmore theone48 is an unknown quantity at this point
    Join Date
    Jun 2011
    Posts
    221

    Re: Hackers break SSL encryption used by millions of sites

    That is scary.
    T1 Need Help? Add me to your friend's list & message anytime!
    If you believe this a good post, please click the star icon below. Thanks!
    Remember, help is only a step away in the forums or on Live Chat.

  5. #5
    xkiller21332 is offline x10Hosting Member xkiller21332 is an unknown quantity at this point
    Join Date
    Mar 2011
    Posts
    4

    Re: Hackers break SSL encryption used by millions of sites

    so does it mean that after they've upgraded to TLS 1.1 then companies cannot snoop on their employees using gmail, paypal and stuff?
    karimirt47 likes this.

  6. #6
    chomel is offline x10Hosting Member chomel is an unknown quantity at this point
    Join Date
    Oct 2009
    Posts
    16

    Re: Hackers break SSL encryption used by millions of sites

    may update an SSL certificate its minimizing attacker to hack that really scary man....

  7. #7
    Livewire is offline Abuse Compliance Officer Livewire is a glorious beacon of light
    Join Date
    Jun 2005
    Location
    Behind a keyboard.
    Posts
    8,995

    Re: Hackers break SSL encryption used by millions of sites

    Quote: Originally Posted by xkiller21332
    so does it mean that after they've upgraded to TLS 1.1 then companies cannot snoop on their employees using gmail, paypal and stuff?
    Keep in mind a company doesn't need to monitor the actual connection for information if they can watch the screen; my other job has software installed so they can see what we see, albeit their screen doesn't update as quickly. Still gunna get busted on gmail if they use that


    TOS breakers will be suspended regardless of race, creed, national origin, hair color, or favorite food. Thanks for your understanding!

  8. #8
    essellar is offline Community Advocate essellar has a spectacular aura about
    Join Date
    Feb 2010
    Location
    Toronto, Ontario, CA
    Posts
    1,150

    Re: Hackers break SSL encryption used by millions of sites

    ...and remember that the domain/IP address has to be sent in the clear, otherwise there's no way to route the request.

    For the conspiracy theorists out there:

    The TLS 1.0 vulnerability was announced as a theoretical possibility some five years ago. It has taken five years for someone to come up with an implementation -- and there have been a lot of people working on it, including some of the very few people who actually understand crypto well enough to make it happen. There is deep voodoo in the math that makes it possible; it's not something that your average IT department hack could have come up with. The announcement of the MitM exploit was immediate; these people actually care about security (and have a strong distrust for Big Brother; it's part of the infosec culture).

    tl;dr: nobody's been eavesdropping on your HTTPS transactions so far. The window for that to occur has just been opened, and it shouldn't take long for it to be closed again. And it requires a man in the middle, so your neighbors can't snoop unless you're stealing wifi from them.
    verlmirt17 likes this.
