More SSL Issues

So it seems the high amount of SSL news will continue through this whole week. Starting off with DigiNotar filing for bankruptcy after their recent compromise. Especially when word was released that over 200 certificates were issued during the compromise.

Then we find out that researchers have discovered A vulnerability resides in versions 1.0 and earlier of TLS.  Their new tool, BEAST, is going to be released at the Ekoparty Security Conference. Our intrepid researchers say they've figured out a way to defeat SSL by breaking the underlying encryption it uses:

“While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

This is also being discussed on the ISC Diary and other places, as there is some debate on whether or not this type of attack was discussed already in an earlier paper. Google has already included a work around in the developer version of Chrome, but i don't think there has been word on when the fix/ work around will be introduced in the consumer version of the browser.




Much going on in the SSL/TLS world still........

need to update once again.............

This is just a quick reminder to everyone in the wide internet world, that the recent CA getting hacked has resulted in over 500 invalid certificates being issued for very popular websites. Updates for various products are being released today and in the past few days, please make sure to update your OS, your browser, and any other application that can go on the internet.

TOR announcement of compromised certificates
This is the complete list of domains compromised.

More Fake Certificates

ouch!

Another certificate issuer hands out fake certificates. well not fake necessarily, but certainly not for the business or service intended for.

EFF Post