Friday, September 30, 2011

Browsers tackle the "BEAST" web security problem

Browser makers are finding ways to protect people from a weakness in a security protocol that could allow an attacker to eavesdrop on or hijack secure Internet sessions. Potential solutions include an option to disable Java in Mozilla Firefox.
The problem - considered theoretical until a demonstration by researchers Juliano Rizzo and Thai Duong at a security conference in Argentina last week - is a vulnerability in the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) 1.0 encryption protocols, used to secure Web sites that are accessed over HTTPS (Hypertext Transfer Protocol Secure).
The researchers created a software program called BEAST (Browser Exploit Against SSL/TLS) that can decrypt parts of an encrypted data stream and can be used in what is known as a "man-in-the-middle" (MITM) type of attack. BEAST uses JavaScript running in the browser and can allow an attacker to spy on traffic and to impersonate a user by compromising the session cookie data used to authenticate the user with a site. More details and a video of the demo are on Duong's blog.
Here are the responses from representatives of the major browsers:
Firefox 
"We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do," a post on the Mozilla Security Blog said. "Firefox itself is not vulnerable to the attack. While Firefox does not use TLS 1.0 (the version of TLS with this weakness), the technical details of the attack require the ability to completely control the content of the connections from the browser, which Firefox does not allow. The attackers, however, identified weaknesses in the Java plugins that allow this attack. We recommend that users disable Java from the Firefox Add-ons Manager as a precaution."
Internet Explorer 
"We see this as an issue for low-risk customers, but we released Security Advisory (2588513) to provide advice and protection for clients with concerns," Jerry Bryant, Group Head of Communications Response, Trustworthy Computing at Microsoft, said in an e-mail. "To be clear, Internet Explorer depends on the implementation of these protocols in Windows, so our mitigations and solutions apply to the operating system and not the browser. We are looking at other ways to address the issue in both our products and within the industry and will update our guidance as it becomes available."
Chrome 
A Google representative referred CNET to a blog post from late last week written by Adam Langley, a member of the Chrome team, which said the company was preparing and testing a workaround. "The attack is always a difficult question; the attacker must have broadband MITM access to the victim. This is typically achieved by being on the same wireless network as the victim," says the post. "Nevertheless, it is much less serious than a problem that can be exploited by having the victim simply visit a Web page. (Incidentally, we pushed a fix to all users of Chrome for such a Flash bug only a few days ago.)"
Opera 
Opera developed a fix and tried to ship it in Opera 11.51 but found that changes in how the browser connects to servers were "incomprehensible to thousands of servers around the world," Opera's Sigbjørn Vik said in a blog post. "This issue will be resolved by close cooperation between the browser vendors and webmasters. Since this cannot be directly exploited in Opera, we decided to wait until we have an industry-wide agreement on how to move forward. We have test systems in place that can connect to millions of secure sites worldwide and detect how these sites will react to changes in the protocol. We will share the results of the tests we perform with other browser vendors and interested parties, to give us a good basis for finding the best solution to the issue."
Safari 
Apple representatives did not respond to e-mail or telephone requests for comment on the Safari browser.
Simply upgrading to TLS 1.1, which is not vulnerable to the threat, will not work because almost all SSL connections use TLS 1.0, according to a Qualys study reported by Dan Goodin of The Register, which broke the BEAST story. In addition, "upgrading TLS is surprisingly difficult, mainly because almost every fix breaks widely used applications or technology," he writes.
Addendum, September 30, 11:50 PT: CNET asked Mozilla and NoScript whether the NoScript Firefox plug-in would protect against a BEAST-type attack and had not heard back as of about noon Friday. However, researchers at PhoneFactor, who published a white paper on how to mitigate the threat, said NoScript might help.
"NoScript mitigates BEAST if both:
A. The site serves everything securely via HTTPS. Namely, any "mixed content warning" on the page.
B. The user knows he should not mix secure and insecure content and refuses to run anything evil that is offered to him,"
said Ray Marsh, senior software engineer at PhoneFactor.
"It's a lot to ask of any user. I run NoScript all the time and I do not know that I would pass the test myself," he said in an e-mail. "But in practice, users with NoScript will still be miles ahead of users without when the malicious applet comes around. It will require the attacker to have planned ahead for that specific target user, likely saving the user from an Iran-style mass network attack."
