Website security is more broken than we thought

[vorsprung]

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

Executive summary:  the special secure method used to make the communication between your PC in your house and a remote server that you might be using for banking, buying things, accessing confidential information etc etc has been beaten and is no longer able to keep these exchanges confidential

If this method gets into widespread use, Internet shopping will become impossible.  Yes there is a fix, it involves updating the browser (Firefox or whatever you run) and also the server out on the Internet.   The fix has not been implemented yet so is likely to be weeks away

[Greenbank]

It's not good, but if you read the details of the exploit you'll find it isn't as doom-mongery as you'd imagine.

It can't be used to decrypt an HTTPS session that occurred in the past. It requires a man-in-the-middle attack to inject some javascript into the page in question so that it is executed whilst browsing that site in order to pad the block-chain cipher functions with enough of the right data that it starts spitting out the cookie data encrypted in a less secure way.

In the 10 minutes it takes to do its magic most people will have completed the transaction and, hopefully, clicked on the 'logout' button, so the cookie for the Paypal session will be useless.

[Riggers]

Greeners? I understood the words '10 minutes', and others like, 'magic', 'useless'… and stuff. But I must confess, unless some of the technical shinanigans has got words in like 'kittens' and 'fluffy bunnies', it goes over my little wooden head.

[andygates]

That's a clever exploit!

[Hot Flatus]

Greeners? I understood the words '10 minutes', and others like, 'magic', 'useless'… and stuff. But I must confess, unless some of the technical shinanigans has got words in like 'kittens' and 'fluffy bunnies', it goes over my little wooden head.

It's ok, Riggers. Unless you bear some sort of resemblance to the person below, you cannot be expected to make sense of this stuff:



 

[Tewdric]

Greeners? I understood the words '10 minutes', and others like, 'magic', 'useless'… and stuff. But I must confess, unless some of the technical shinanigans has got words in like 'kittens' and 'fluffy bunnies', it goes over my little wooden head.

It's ok, Riggers. Unless you bear some sort of resemblance to the person below, you cannot be expected to make sense of this stuff:



 

That's you in 10 years time that is, if you keep audaxing...

[Hot Flatus]

Damn. You might have something there...better get the hacksaw out and stop the rot

[Jaded]

Cool glasses.

[arabella]

It can't be used to decrypt an HTTPS session that occurred in the past. It requires a man-in-the-middle attack to inject some javascript into the page in question so that it is executed whilst browsing that site in order to pad the block-chain cipher functions with enough of the right data that it starts spitting out the cookie data encrypted in a less secure way.

In the 10 minutes it takes to do its magic most people will have completed the transaction and, hopefully, clicked on the 'logout' button, so the cookie for the Paypal session will be useless.

It can only happen while you are actually on line with paypal.
To happen, someone/thing needs to 'see' you are doing a transaction, then alter the page you are doing to tweak 'stuff' in order to get at the data required.
Unless you are still on line at that point you are safe.

Summary: don't take any longer than you need.

[sas]

Summary: don't take any longer than you need.

That's not practical for Facebook or GMail though.