Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.
Juliano Rizzo and Thai Duong say the vulnerability compromises TLS (Transport Layer Security) 1.0, the encryption mechanism that secures Web sites accessed using HTTPS (Secure Hypertext Transfer Protocol). TLS is the successor to SSL (Secure Sockets Layer) and is widely used at financial sites. Companies, including Google, Facebook, and Twitter, are urging the wider use of TLS on the Web.
The exploit – demonstrated with a tool called BEAST – targets a flaw that could leave transactions open to attack and is being taken seriously by online payments firms."We have got a team of security people and it is always working on updates and upgrades and they are looking into this already," a PayPal spokesperson told PC Pro. "The details are still to be revealed, but the security people are trying to get a headstart on making sure this is kept secure."
BEAST requires attackers to gain a man-in-the-middle position. Most of the time this means that they need to be on the same network as their targets so they can intercept browser requests.BEAST has two components. One contains code that must be loaded into the victim's web browser and the second one captures and decrypts HTTPS session cookies. The researchers claim that they can decrypt any secure session cookie in five minutes on average.