Hackers break SSL encryption used by millions of sites Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the …
My understanding of the attack is that the attacker MITM's a random non secure http response body, and injects javascript into it, which initiates cross site requests from the target browser to the target https page. The attacker then watches the https traffic and can learn interesting information from it.
The fact that your bank has javascript in their pages doesn't help or hinder the attack.
As I use the Firefox addon RequestPolicy, I should be immune from this attack. The attacker wont be able to initiate the cross site requests unless I tell RequestPolicy to allow them.
I think Pierre (?) means that he can disable Javascript in his web browser and so have no exposure to client-scripting attacks, but that his bank's web site doesn't work unless Javascript is turned on.
Opera - for one - can enable Javascript site-by-site, but I'm not sure if that's a cure.
I'm not convinced that the attack will *require* javascript to work. Will have to wait and see when it's demonstrated on Friday. If all it requires is lots of slightly different cross site requests, it can probably be initiated by injecting lots of hidden img tags or similar into the launch page, rather than injecting javascript.
He will only be susceptible to this attack if he visits other sites at the same time as being logged into the bank website. You shouldn't be doing this anyway because of the prevalence of XSS and CSRF vulnerabilities. This attack just gives you another reason.
On your version of Windows no less.
XP Professional with IE8 only supports TLS 1.0 and SSL 2.0 and 3.0. Windows 7 with IE8 on the other hand supports TLS 1.0, 1.1 and 1.2 where, as others said before me, 1.0 is the default. The SSL support hasn't changed.
You can find this yourself by going to your control panel and pick internet options. Either directly or through some category layer. Or select this option from within IE.
Then check the 'Advanced' tab (last one). In the list somewhere you'll find the checkboxes where you can select what you want to enable.
Did you actually read the second page? it doesn't give a reason why it isn't enabled by default.
Now, if you look at the one of MS' blogs you will find a post where they say they have left it disabled because some websites break. Let's try a few keywords on google: "internet explorer tls 1.2 disabled", OMG! it's magic!
http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx
Now, have you READ this? "?!?!"
Indeedely-doo, by the look of it,MS did not make it the default in IE to "not break the intarwubs" (or something to that effect). Let's assume that MS are not lying through their teeth as the sloppy spiteful sneaky snake they are, and that their implementation of TLS 1.+ is not actually full of bugs: I know that's a hell of an assumption for some of you beloved readers but bear with me for a sec. Breathe deeply, take your heart medication , an only then read the following.
MS set the defaults in IE so that they don't break the websites that are not specifically built for IE.
Spooky, huh? Told you so.
OK, just kidding, you can start breathing again, they did that at the cost of security, they're still good old MS*. We have the tech and the reach to force-steer the sheeple** in the right direction, and maybe get some tech cred back, but no, it might temporarily startle the sheeple, let's have these Norse guys take the bold step and see what happens, we have dull patents and sharp lawyers, if it ever takes off we started it. Hey, it worked once with that Finn guy, half the industry still believes that we own his stuff***. Norse is a kind of Finn, right****? Let's do that again.
Shit, that post sounds silly. But it still makes me chuckle like a nubile nun in a tickling contest. Oh well, Guy F. mask, here I come.
* I know, right.
** Mistress Bee's away, some words might be allowed again.
*** I know that, too
**** and also that
You can initiate SSL transaction that will be compatible with both SSL and TLS at the same time, later on you act depending how the server answers (whatever it's a SSL or TLS response).
The problem is that from TLS side it doesn't allow the server to choose TLS1.1 or TLS 1.2. Announcing TLS1.1 compatibility on client side breaks servers that can't deal with proper TLS requests. Even Opera did this for a long time because of that, only Opera 11 has enabled TLS1.1 and TLS1.2 by default, earlier versions required setting it manually and indeed made communication with broken servers impossible.
What's worse, most "TLS vouln patched" web servers refuse connection if you try to connect using the (currently hypothetical) TLS2.0, so no, people implementing libraries haven't learned.
On one hand, the more I read about current security problems the more I think that there should be some kind of a "computer programming/administration license". On the other hand I look at the morons that get licenses as architects and see there's just no hope for it to actually weed out the idiots. Holding the retards responsible for the damages they cause, along with their managers, and banning for any computer use more complicated than posting on Facebook would go a long way... probably.
Still, as long as most of people are only a bit better than trained monkeys and three fourths of society is completely retarded as far as computers go, we're screwed.
Although they are doing what they should (using more secure protocols) I'm not sure that's an overwhelming reason to use the browser given it'll have to negotiate down to 1.0 and therefore be susceptible to the same attack. Kind of a chicken and egg problem in that if nobody else implements higher versions of TLS in their browsers then websites won't use them for fear of losing customers so you get no real gain in the end. It's shit, but that's life. Hopefully, as noted in the article, this will force the browser vendor's hand seeing as changes only come through exploits existing.
And here we thread the same ground. Show me Opera offering something like NoScript, with a simple clicky interface and access controls to ALL included scripts, not just the ones on the current site. Plus auto blocking of Flash and PDF, easy to choose to allow. Based on a white list concept (it's a bit late disabling those you don't trust).
BTW, it doesn't matter what protocols Opera provides if the sites don't use them. ;-)
Opera gets a bad rap, but most people honestly haven't tried it for a month.
With my current Opera setup (migrated from something ridiculous like Opera 3.5 - nothing fancy or third-party), all flash and java apps appear as a big white play button. Until I click that, zero code of the appropriate plugin executes. And when I click it, ONLY that particular app runs, and no others on the same page.
Why you'd want to sit and rely on a white-list to do such things, I have no idea. Most flash/PDF/Java compromise is via injection into known-good servers, or people wouldn't be viewing them in the first place. Better that you "play" only the apps you want on only the sites you want, when you want. Also - this means you remove the crap that runs on the same servers and run ONLY the game/advert/application that you want on a page (and NOT automatically - which is a BONUS).
I'm not at all sure the point of seeing every script, either, to be honest, but there is work that way via Opera Dragonfly in the last few releases (but never seen the need for it, so never use it, but they're always talking about exactly that).
The problem is not that you couldn't use Opera. It's that you're used to working a certain way, and defiant that it's the only way. Every time Opera upgrades I think "oh, damn it" because they'll have changed something about the way I work. 99.9% of the time I end up liking it better (their user-testing team must be GOOD, and that's coming from someone who's sticking with XP and Office 2003!), the rest I revert the changes using the built in config dialog.
For years, I was a Netscape nut purely because it was the only half-decent user-browser of the age. Then it died and IE / Firefox cropped up again. Back then, Opera was scary and threatening but when their first ad-supported version came out, it was surprising comfortable using it compared to the other "ad-free" browsers. Now that all browsers are ad-free, Opera still hasn't left me and is also my primary email client too - mainly because, as a network manager, their forethought for security and standards is unsurpassed. They always get there before everyone else - the problem is that nobody thinks they will need it until it's too late, and by then the other browsers bolt-on the same code with lots more bugs.
You just have the words "NoScript" plugged into your brain and unless you get exactly that on every browser, you're not interested. But, seriously, have you tried Opera for a month, migrating your email, using it exclusively, etc. for a half-recent version? Most Opera users have zero extra "plugins" or "scriptlets" or "widgets" running at all. Because you just don't need them with the default config.
I honesty don't understand any more how people struggle through with IE or even Firefox. I have to support both, so use them all the time, but it feels the same to me as running Windows 95 in this day and age. They feel old, clunky, thoughtless, and their best features are outside-code that you have to install yourself.
All I need is for Opera to do a deal with the Pidgin guys and incorporate their code into Opera's sadly under-used IM / IRC code and I'll never carry another program around with me when it comes to online communication.
Opera was amazing for a while, then somewhere around version 10 to 11 they seemed to lose track of the things that made the browser good - it got slow, clunky and it kept failing to work on sites I use regularly so after sticking with Opera since version 6 or thereabouts, I switched to Chrome.
Then Chrome started getting slow and clunky - it seems like Chrome installations accumulate cruft like crazy and you have to just reinstall and lose all your profile data on a regular basis - and I went back to the old faithful to discover that as of 11.50 they seem to have bucked their ideas up and it's working nicely again.
It may be annoying that most users ignore the most useful browser, but I guess it saves Opera users from being targeted by malevolant scripts...
Maybe that's the problem- it's too obscure for the masses, yet slightly too complicated/quirky for the average technical user to make it work how they like it. I am a technical user, yet didn't manage to work out how to do the "white box until you click play" thing- and I was trying. Yes, it can be done, but if it takes longer than my attention span to figure out how because it's different from what I'm used to, then that's quite a big negative for me, and evidently many others. I know that probably sounds idiotic, but it's unfortunately how people work.
It seems only power users willing to explore it in depth can get it working the way they want it (you admit yourself to being a network manager), and that is a very small market segment. Thus I think it falls between two stools. The people who get to know it properly seem to love it and tend to evangelise about it, but most people can't be bothered to put the time in when they're basically happy with Chrome/Firefox/god help us IE.
On the plus side, I quite like Opera Mobile on my tablet. But that's a different thing altogether really.
"Opera gets a bad rap, but most people honestly haven't tried it for a month."
Couldn't get along with it for a full month. I've never called it a bad browser, though its fanbase are even more annoying than Apple's. The simple reason I use FF is that it works the way I want it to. I'm a developer, and as far as I'm concerned, Firefox has the most consistently accurate rendering of all the browsers. It's also a lot faster in recent versions, and once you start building on top of its base functionality, the plugins I have installed have made it invaluable as a development tool.
For example, just the other day I discovered Poster, which is a tool for simulating POST/GET requests to APIs. Sure, there are other browsers and other add-ons which make this possible, but it's just such a well-made, nicely laid out and straightforward add-on that I've now installed it on every machine.
Being able to customise FF to *exactly* how I want it is what makes it perfect for what I do. My downloads open in a tab because I want them to, I've changed some of the menus, Flash only plays when I want it to, I never see ads, and I can literally edit pages in place, enable/disable their various features, etc. Firebug is so awesome that other browsers have almost copy-pasted it into their own interfaces, and extending it for Drupal/Moodle/PHP is just damned handy.
The awesome bar is also an absolute killer. It works better than anything I've used in any other browser, Chrome and Opera included. I almost never have to go directly into bookmarks or recent history, because it's just so good at finding what I'm looking for.
The same thing has happened with my phone. I used to use Opera Mobile, but since FF mobile got its act together and sped up a bit, I now use it exclusively. It syncs, just like Opera, but it brings with it the same features that I love from the desktop version, like the awesome bar, and for fullscreen browsing it's the best damn mobile browser out there. It had a rocky start, but it's gotten really quite good.
Opera's not bad, and if it wasn't for the spyware Chrome would be alright, but FF is just...better for me. Note: for me. You want to use Opera, that's dandy, but what you see in it isn't necessarily what's useful or right for other users.
Seriously though, Opera's fanbase don't help. You don't see roving bands of Chrome users posting on every browser article and downvoting anyone that speaks out against it, do you?
----
Firefox has the most consistently accurate rendering of all the browsers.
----
I'm not entirely, 100% convinced by that any more - FF does have the odd quirk I've found recently (some strange things happen when you style "buttons" or try to make anchor tags mimic those buttons in appearance).
Still, as a web monkey, I tend to always fall back to FF for the Developer Toolbar, HTML Tidy (in view source), ColorZilla and a couple of accessibility testing plug-ins... for actually using the web browser as a web browser though - I think Opera is better (apart from the fact that it tends to render fonts a little smaller).
----
Most Opera users have zero extra "plugins" or "scriptlets" or "widgets" running at all.
----
I've got a chess widget, does that count?
Oh - and one that allows you to blow up the website with a little Asteroids style spaceship, you can shoot the HTML Elements to make them go boom - quite therapeutic :)
Yes, actually I tried Opera for a while (I think two weeks, exclusively, and I didn't like it). I use it for downloading from fileshare sites because FDM doesn't work and Firefox has an annoying habit of dropping downloads early and then saying "completed". However I try to avoid it for the level of controls provided are insufficient for me.
You know, NoScript is not a mantra for the paranoid. I guess if you think the things you've written about it, you really don't understand what it is for. It is more than script blocking. That big white play button? For an unapproved site (which is most of them), NoScript does the same thing.
I am running Opera 9.something (v10 just will not work on my system, it dies on startup with no log file or message, and my request for help to Opera was met with silence, so I don't plan to continue any further - it is polite in the case of a DLL cockup (or whatever) to at least dump some sort of message to the user. Anyway, Opera 9, out of the box, default setup. Shows me ALL the adverts and ALL the annoying crap that I use plugins in Firefox to get rid of. That is one of the nice things about Firefox. I can "plug in" the functions I want. I have Rikaichan installed and available. Given it's a fairly complete Japanese dictionary system, I think most people here would be a bit annoyed if this was part of Firefox's core. But as it is not, it is something the can be added at will by the end user.
I honestly don't understand why people rave so much about Opera which is a middle-of-the-road browser. Opera offers "widgets", but that's like a really basic plug-in with serious flexibility issues.
Kudos to you for trying it. You can't ask for more than that.
And actually, I know what NoScript does. Which is why I say that it's nothing that Opera can't do. If you're that paranoid that you only want scripts to run on certain sites (as we've established, all netscape-compatible plugins like Java and Flash are already handled this way in Opera with "play-button" mechanics), you would disable Javascript (F12, click the obvious highlighted option) and add sites one at a time to a whitelist (F12, Site Properties, Scripting tab and choose what you WANT the site to be able to do).
It's not single-click but for the amount of times you should actually be whitelisting sites (if that's the way you want to play, rather than just, say, having it switched on) it's not a hassle in the least.
While you're there, you can also configure site-specific options on the other tabs of the same dialog - cookie policy, popup policy, images, animated images, plugins, frames, individual groups of Javascript capabilities (e.g. Allow Script To Hide Address Bar), referrer info, proxies, whether to allow caching, user-agent-spoofing etc. On one menu, built-in, right in the default install of the browser, and with settings that transfer to all your machines if you so wish (you can even right-click instead of pressing F12, if that's too hard to remember). Or you can just override all sites with a blanket setting that applies to them all. Sure, there may be an option or two that NoScript and a handful of random plugins have on top but it won't be anything killer, and you don't need to worry about updating the damn thing every time the browser changes the plugin interface, and you don't need X amount of plugins to do so. It's literally out-of-the-box functionality and has been for a long time - and more importantly most of it was there BEFORE NoScript and others even existed.
Your Opera 10 problems are your own, besides the fact that we're on 11.51 now. On all the machines I've ever managed (that's how long I've been installing it as the default) the only problem I have is on a single server that has a known procedure_entry_point error because of a MCVCRT file compatibility problem. It still runs, it just pops up a dialog first. Hell, it even works from a single shared network folder for dozens of users simultaneously - and a lot neater than trying to bundle Firefox MSI's onto corporate machines (Ick!) has been in the past. Whether a clean install or an upgrade (like I say, my Opera profile is carried forward from some ridiculously old original profiles).
Now, the Japanese thing I'll have to concede - not because I know that Opera won't do it, but because I have never needed to install a non-western language into any installation, ever. But I'd be very surprised if there weren't half-a-dozen Opera "extensions" that did the same thing without executing native code, no need for the Netscape plugin API that's common to all the browsers, Opera included (how do you think we run the latest Flash, Java, VLC plugins, etc.?). (Opera Widgets are a security-sandbox for plugins that actually integrate into the browser much better - the equivalent of a Firefox extension rather than a plugin - and just as powerful).
Opera isn't "middle of the road". It's quite often "cutting edge" and other browsers play catch-up. That's kind of the point that most Opera users will make. You say "Oh, the NoScript plug-in adds that functionality" and we say "We've had that in the default build since before that plug-in even existed".
And that's BEFORE you even delve into a proper configuration dialog at opera:config (which does have EVERY option you can use, unlike Firefox which makes you plug some of the more obscure ones in yourself manually).
I don't require people to USE Opera, I just think they should actually seriously trial it. There may be use-cases where it doesn't fit, but it's the only browser I trust for every job from giving it to computer-newbies (it's pretty damn hard to break your computer by viewing sites in Opera, even if you try - years of experience has taught me that it's the only "safe" option that people really have a hard time trying to mess up) right up to installing it across hundreds of machines, kiosk-mode internet terminals (built-in kiosk modes, automated slideshows, and URL filtering to keep people on your intranet, for example), home use and serious IT Office use. And strangely, that's because it *doesn't* compromise - my home setup is much more complicated than anything I use in work, which is locked down immensely.
Thanks for the reasoned posting (I wonder why it was downvoted?). One of the big issues I have with Opera (I have JavaScript off by default) is that... let's say I want to access YouTube, and decide to thusly give YouTube.com permission ... the site only partly works because there's stuff pulled in from yimgs.com. It isn't exactly obvious how to permit yimgs.com *plus* (unlike NoScript), you have to take the page apart to figure out what those other domains are.
Paranoid? You call me paranoid? You *do* read El Reg regularly don't you? Look how many exploits are ultimately scripting, PDF, or Flash turning up when it isn't asked for. If being "proactive" about censoring what turns up on my system is "paranoid", then so be it.
As we're up to Opera 11, I'll give it a whirl, see if it works. I just *wish* there was some sort of message. For the record, Opera 10.x is the *ONLY* program I have that "just dies" on startup without any sort of message. The other is the VB IDE if I dick around within the Windows API and stop the program using the Stop button instead of the proper exit handler function (which releases the pointers, etc).
At work we have a SiteKiosk machine running IE6 with some *ancient* version of Flash on XP with no service packs nor built-in antivirus. I ran phpinfo() on my site and looked at the information provided by the client and almost died. How in this day and age...!?
I concede that Opera seems to have a lot of out-of-the-box functionality, but then I think the Firefox mentality is ultimately different in that it is a fairly 'basic' browser core, to which you then add in the things you want, a pick'n'mix selection of what you like. For instance, I have (thanks to a recommendation here on El Reg) a plug-in called "BarTab" so I can keep my several-dozen tabs between sessions, but on startup, Firefox will load the last tab, not *all* of them. Speaking for Opera 9 (might have changed later), if I have a bunch of tabs open and I click the close button, the application closes. No prompting about the tabs. [I know this is correct, I just tried] Perhaps there is some option to alter this - if so, why isn't it on by default?
Okay. I'll try Opera 11...
Follow-up: Opera 11 installs, then promptly dies on a fetch of ElReg with:
Opera.exe 1087 caused exception C0000005 at address 0269F0D0 (Base: 400000)
I've reported half a dozen crashes, Opera's own site works on Opera 11, El Reg always fails. I didn't bother trying much more, I'm writing this from the reverted Opera 9.64 (aka the one that works) having managed to find/recover my bookmarked stuff. I don't expect a reply, it's rhetorical, but just know that in some cases (sample of one ;) ), Opera is not the be-all. In fact, given my experiences, IE8 is *more* reliable! <stir!><stri!> As I said, the only reason I keep Opera around is because Firefox sometimes drops the end off of larger downloads and reports "done" instead of "incomplete"...
Oh well.
Pity that MS haven't chucked out a new version of IE8 for a while. Perhaps the 50% of their entire customer base who can't use IE9 are just going to be abandoned. Or perhaps MS will tweak IE8 to display the following message when you type https: in the address bar...
"Internet Explorer does not support secure web connections.
It's just for games, you know. It's not a proper browser.
We recommend using Opera for anything involving money."
Except that, if you recall, there was a small court case where MS swore blind that IE wasn't part of the OS, and XP embedded (also restricted in its browser support) is supported through to 2016, and vanilla XP is still in extended support.
Oh, and regardless of what MS might *wish*, 50% of their customers still use it. So ... do MS give a rat's arse about their customers, or don't they? It will be instructive to see.
Is it me or is this the biggest security news of the last 5 years? I am actually going to wait and see how other security researchers respond to this before reacting because it seems to big to be true. If its true then I think its a good reason why developers, IT admins and software companies need to slow the Fu#$ down.
You know, not having a credit card or doing online banking (yes, I am a Luddite); I should not care.
But.
How long before some (less than nice) internet provider uses this to do deep packet inspections on the HTTPS sh*t that we had to go through hell to convince some of our cheap customers to purchase?
Real world here, there do not seem to be any honest people on the trunk side of the internet*.
*Yeah, like heavy breathing though a mask will help.
There should be no client side scripting or code running. Anytime you hear about a website infecting a computer in drive-by it is because of javascript. ( unless of course it is plain user stupidity by clicking and executing whatever link he/she is shown )
No javascript would mean no popups , no fake antivir nagscreens and more of this nonsense.
Anyone know a browser that does not support javascript ? ( no firefox doesn't count... being able to turn it off is not security, someone or something may find a way to turn it back on. I am talking about a browser that doesn't have javascript support. )
Yes, JavaScript is a pest. Unfortunately, all that weird AJAXy stuff means that browsers can't just get rid of it, and all this Web 2.0 crap is further extending JS use. Unfortunately, other client-side web code solutions have failed to get off the ground (Java Applets, JavaFX) or are even worse in the security dept (ActiveX) so it seems we're stuck with it.
Then you've got Apple toting the "HTML5" banner, and it's going to be harder to get rid of JS...
Saying Javascript is the problem, because it is used in exploits is similar to saying "the problem is browsers. If you didn't use a browser you wouldn't be compromised". Possibly true, but you wouldn't have much fun on the internet. Similarly turn off javascript and many many interesting websites don't work. And they're not all using it just to annoy you. For many the functionality is required.
No JavaScript would also mean many, many more page reloads to validate form data (rather than winging it around behind the scenes with AJaX).
Still, I'd argue that on any website where you're actually trying to sell anything JavaScript _must_ be optional - which is a pain from a developer standpoint; for instance, I load in the address format based upon the country selected (postcodes are optional in Ireland for instance) ... if the customer changes country I need to load in a new address format - without using JS/AJaX that means a whole page reload. The whole step-by-step process of completing an order is a whole lot more clunky without JS... it works, but it's clunky.
JS is a useful tool for hiding complexity in web applications from end users.
why can't we have a server side push to update a single element on a page.
it should be possible to create an updatable section of a page. Browser could respond to a change in a textbox or a pulldown list by sending a request to the source of the webpage. ( there would be no override )
let's say you have a page with a pulldownlist a textbox and a submit button served from www.myserver.com. The definition of this textbox,list and button sits between special html tags <section='reply'>
change the pulldownlist 'country'
browser sends : www.myserver.com/session=kdfjskdfhj:country='new zealand'
This tiggers that the temporary user 'kdfjskdfhj' just changed his pulldown list to something new.
The browser now pulls in www.myserver.com/session=kdfjskdfhj:section=reply?
where the server has posted the updated html code for that portion.
you would not need scripting. html would be extended with 'area's that can be updated by the server. this would avoid full page reloads. only the html code for that portion is updated. since the layout does not change the browser is speedy too : it only needs to repaint that section.
the mechanism woudl be made in such a way that there is no 'go-to' address avaialble. the browser can only send it back to the machine that served the page in the first place. so no spoofing there either.
..."an attacker slips a bit of JavaScript into your browser"...
If an attacker is slipping bits of javascript into your browser, on an encrypted page no less, you've already got bigger problems.
You know how your browser pops up a warning if it's showing you a page composed of both encrypted and unencrypted content? Don't ignore those.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
