Mailing List Archive

Heads-up: Has TLS 1.0 been broken?
Folks,

You ought to be aware of this if your site relies on TLS 1.0:

"... The vulnerability resides in versions 1.0 and earlier of TLS, or
transport layer security, the successor to the secure sockets layer
technology that serves as the internet's foundation of trust. Although
versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely
unsupported in browsers and websites alike."

"... requires about two seconds to decrypt each byte of an encrypted cookie.
That means authentication cookies of 1,000 to 2,000 characters long will
still take a minimum of a half hour for their PayPal attack to work.
Nonetheless, the technique poses a threat to millions of websites that use
earlier versions of TLS"

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

--
Greetings, alo.
http://www.alobbs.com/
Re: Heads-up: Has TLS 1.0 been broken?
Yup...

Sadly it's true... the thing is... everywhere on the net there *is* an
alternative... for TLS 1.0 there are also 1.1 & 1.2 but... nobody
implements them (except MS (sic!) and Opera)... seems to be similar to the
situation with IPv4 and IPv6: 'nobody cares'.


Greetings,
Jędrzej Nowak



On Tue, Sep 20, 2011 at 11:09 AM, Alvaro Lopez Ortega <alvaro@gnu.org> wrote:
> Folks,
> You ought to be aware of this if your site relies on TLS 1.0:
> "... The vulnerability resides in versions 1.0 and earlier of TLS, or
> transport layer security, the successor to the secure sockets layer
> technology that serves as the internet's foundation of trust. Although
> versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely
> unsupported in browsers and websites alike."
> "... requires about two seconds to decrypt each byte of an encrypted cookie.
> That means authentication cookies of 1,000 to 2,000 characters long will
> still take a minimum of a half hour for their PayPal attack to work.
> Nonetheless, the technique poses a threat to millions of websites that use
> earlier versions of TLS"
> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
>
> --
> Greetings, alo.
> http://www.alobbs.com/
>
> _______________________________________________
> Cherokee mailing list
> Cherokee@lists.octality.com
> http://lists.octality.com/listinfo/cherokee
>
>
Re: Heads-up: Has TLS 1.0 been broken?
On Tue, 2011-09-20 at 11:09 +0200, Alvaro Lopez Ortega wrote:
> Folks,
>
>
> You ought to be aware of this if your site relies on TLS 1.0:
>
>
> "... The vulnerability resides in versions 1.0 and earlier of TLS, or
> transport layer security, the successor to the secure sockets layer
> technology that serves as the internet's foundation of trust. Although
> versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost
> entirely unsupported in browsers and websites alike."
>
>
> "... requires about two seconds to decrypt each byte of an encrypted
> cookie. That means authentication cookies of 1,000 to 2,000 characters
> long will still take a minimum of a half hour for their PayPal attack
> to work. Nonetheless, the technique poses a threat to millions of
> websites that use earlier versions of TLS"
>
>
> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
>
>
>
> --
> Greetings, alo.
> http://www.alobbs.com/

Wow, your new email address is so COOL~ How did you get it? Are you a
member of the GNU project? Alvaro Lopez Ortega. (Sorry for OT)

--
Best regards,
Sharl.Jimh.Tsin (From China **Obviously Taiwan INCLUDED**)

Using Gmail? Please read this important notice:
http://www.fsf.org/campaigns/jstrap/gmail?10073.
Re: Heads-up: Has TLS 1.0 been broken?
It's not a *new* address of Alvaro :)


Greetings,
Jędrzej Nowak



On Wed, Sep 21, 2011 at 10:52 AM, Sharl.Jimh.Tsin <amoiz.shine@gmail.com> wrote:
> On Tue, 2011-09-20 at 11:09 +0200, Alvaro Lopez Ortega wrote:
>> Folks,
>>
>>
>> You ought to be aware of this if your site relies on TLS 1.0:
>>
>>
>> "... The vulnerability resides in versions 1.0 and earlier of TLS, or
>> transport layer security, the successor to the secure sockets layer
>> technology that serves as the internet's foundation of trust. Although
>> versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost
>> entirely unsupported in browsers and websites alike."
>>
>>
>> "... requires about two seconds to decrypt each byte of an encrypted
>> cookie. That means authentication cookies of 1,000 to 2,000 characters
>> long will still take a minimum of a half hour for their PayPal attack
>> to work. Nonetheless, the technique poses a threat to millions of
>> websites that use earlier versions of TLS"
>>
>>
>> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
>>
>>
>>
>> --
>> Greetings, alo.
>> http://www.alobbs.com/
>
> Wow, your new email address is so COOL~ How did you get it? Are you a
> member of the GNU project? Alvaro Lopez Ortega. (Sorry for OT)
>
> --
> Best regards,
> Sharl.Jimh.Tsin (From China **Obviously Taiwan INCLUDED**)
>
> Using Gmail? Please read this important notice:
> http://www.fsf.org/campaigns/jstrap/gmail?10073.
>
Re: Heads-up: Has TLS 1.0 been broken?
On Wed, 2011-09-21 at 10:58 +0200, Jędrzej Nowak wrote:
> It's not a *new* address of Alvaro :)
>
>
> Greetings,
> Jędrzej Nowak
>
>
>
> On Wed, Sep 21, 2011 at 10:52 AM, Sharl.Jimh.Tsin <amoiz.shine@gmail.com> wrote:
> > On Tue, 2011-09-20 at 11:09 +0200, Alvaro Lopez Ortega wrote:
> >> Folks,
> >>
> >>
> >> You ought to be aware of this if your site relies on TLS 1.0:
> >>
> >>
> >> "... The vulnerability resides in versions 1.0 and earlier of TLS, or
> >> transport layer security, the successor to the secure sockets layer
> >> technology that serves as the internet's foundation of trust. Although
> >> versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost
> >> entirely unsupported in browsers and websites alike."
> >>
> >>
> >> "... requires about two seconds to decrypt each byte of an encrypted
> >> cookie. That means authentication cookies of 1,000 to 2,000 characters
> >> long will still take a minimum of a half hour for their PayPal attack
> >> to work. Nonetheless, the technique poses a threat to millions of
> >> websites that use earlier versions of TLS"
> >>
> >>
> >> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
> >>
> >>
> >>
> >> --
> >> Greetings, alo.
> >> http://www.alobbs.com/
> >
> > Wow, your new email address is so COOL~ How did you get it? Are you a
> > member of the GNU project? Alvaro Lopez Ortega. (Sorry for OT)
> >
> > --
> > Best regards,
> > Sharl.Jimh.Tsin (From China **Obviously Taiwan INCLUDED**)
> >
> > Using Gmail? Please read this important notice:
> > http://www.fsf.org/campaigns/jstrap/gmail?10073.
> >

This is my first time discovering it :(

--
Best regards,
Sharl.Jimh.Tsin (From China **Obviously Taiwan INCLUDED**)

Using Gmail? Please read this important notice:
http://www.fsf.org/campaigns/jstrap/gmail?10073.