Browsers address the problem of the "Beast" Web Security

Browser makers are finding ways to protect people with a weak security protocol that could allow an attacker to listen to or away from secure Internet sessions. Potential solutions include an option to disable Java in Mozilla Firefox. 

The problem - considered theoretical until a demonstration by researchers and Juliano Rizzo Thai Duong at a security conference in Argentina last week - is a vulnerability in the SSL (Secure Sockets Layer) and TLS encryption protocols (Transport Layer Security) 1.0, used to secure Web sites that are accessible by using HTTPS (Secure Hypertext Transfer Protocol). 

The researchers created a software program called BEAST (Exploit Against browser SSL / TLS) that can decrypt parts of an encrypted data stream and can be used in what is known as a "man-in-the-middle" (MITM ) type of attack. BEAST uses JavaScript running in the browser and can allow an attacker to spy on traffic, and the identity of a user by compromising the data of the session cookie used to authenticate a user with a site. More details and a video of the demo are on the blog Duong. 

Here are the answers of representatives of the major browsers: 

Firefox 

"We are currently evaluating the feasibility of disabling Java in Firefox universally install and update this post if we do," a position of Mozilla Security Blog said. "Firefox itself is not vulnerable to the attack. While Firefox does not use TLS 1.0 (the version of TLS with this weakness), the technical details of the attack requires the ability to completely control the content of the connections from the browser, which does not allow Firefox. The attackers, however, identified weaknesses in the Java plugins that allow this attack. We recommend that users disable Java from Firefox Add-ons manager as a precaution. " 

Internet Explorer 

"We see this as an issue for low-risk customers, but we released Security Advisory (2588513) to provide advice and protection for clients with concerns," Jerry Bryant, Group Head of Communications Response Trustworthy Computing at Microsoft, said in an e-mail. To be clear, Internet Explorer depends on the implementation of these protocols in Windows, so that our mitigation and solutions applicable to the operating system and not the browser. We are looking at other ways to address the issue in both our products and within the industry and will update our guidance as it becomes available. " 

Chrome 

A representative of Google mentioned in a CNET blog post from late last week written by Adam Langley, a member of the Chrome team, which said the company was preparing and testing a workaround. "The attack is always a difficult question;. The attacker must have broadband access to the victim MITM This is typically achieved by being on the same wireless network as the victim," says the post. "Nevertheless, it is a much less serious than a problem that can be exploited by having the victim simply visit a Web page. (Incidentally, we pushed a fix to all users of Chrome for such a Flash bug only a few days ago.) " 

Opera 

Opera developed a fix and tried to send it in Opera 11.51 but found that changes in how the browser connects to the servers were "incomprehensible to thousands of servers around the world," Opera said in Sigbjørn Vik a blog. "This issue will be resolved by close cooperation between the browser vendors and webmasters. Since this can not be directly exploited in Opera, we decided to wait until we have an industry-wide agreement on how move forward. We test systems in place that can connect to secure millions of sites worldwide and to detect how these sites will react to changes in the protocol. We will share our results of these test s' performs with other browser vendors and interested parties, to give us a good basis for finding the best solution to the issue. " 

Safari 

Apple representatives did not respond to requests for e-mail or telephone for consultation on the Safari browser. 

Just upgrade to TLS 1.1, which is not vulnerable to the threat, will not work because almost all SSL connections using TLS 1.0, according to a study reported by Dan Goodin Qualys Register, which broke the story BEAST. In addition, "the upgrade TLS is surprisingly difficult, mainly because almost all widely used applications break fix or technology," he writes. 

Addendum, September 30, 11:50 PT: CNET called Mozilla and Firefox NoScript NoScript if the plug-in would protect against an animal-type of attack and did not hear back about noon Friday. However, researchers PhoneFactor, who published a white paper on how to mitigate the threat, said NoScript might help. 

"NoScript mitigate BEAST if both: 

A. The site is to serve all securely via HTTPS. Namely, any "mixed content warning" on the page. 

B. The user knows he should not be mixed content secure / insecure and refused to run any case the evil that is offered to him, " 

said Ray Marsh, senior software engineer PhoneFactor. 

"It's a lot to ask of any user. I run NoScript all the time and I do not know that I would pass the test myself, "he said in an e-mail." But in practice, users are still with NoScript will be miles ahead of users without malice when the applet comes around. It will take the attacker to have planned ahead for that specific target users, likely saving the user an attack on Iran network-style mass. "

Read More

Samsung unveils Android-based Galaxy Tab 7.0 PLUS

amsung has taken the somewhat surprising to unveil yet another tablet to strengthen its lineNicknamed the Galaxy Tab 7.0 Plus, the Android 3.2 (Honeycomb) based tablet with a 7 inch screen and 1.2GHz dual-core processor.In addition to 802.11n wireless support, the owners may also connect to HSPA + from the device. Storage on the side, customers will be able to choose from 16GB and 32GB versions, and a microSD slot provides the option of adding up to 32GB of additional storage for the tablet. The decision by Samsung to announce a new tab Galaxy 7-inch comes as a bit of a surprise, since the company already has a 7-inch tablet that launched last year. Earlier this month, the company unveiled a 7.7-inch tablet, along with an option of 8.9 inches.Samsung also sells a tablet of 10.1 inches. Whereas it was almost all form factors covered, who would have thought that amsung would need a fourth option to offer customers

? 

Samsung's announcement comes just days after Amazon announced its own, highly anticipated, the market participant tablet.This device, called Kindle Fire (full coverage), it lacks many bells and whistles in the Galaxy Tab Plus 7.0, including connectivity with wireless networks and mobile front and behind the cameras, butcompensates for this with a price tag of only $ 199

Kindle the fire, which also runs on Android, is scheduled for launch in November As for Samsung 7.0 Plus, the company says it will begin deploying the tablet to Indonesia and Austria in late October, followed by a gradual launch throughout Asia, the United States, Europe and around the world. Price was not disclosed, and Samsung did not immediately respond to the request of CNET for comments on this detail

Plus when the 7.0 is finally released, we do not know if it will face patent problems other tablets Samsung have encountered. From Australia to Europe, Samsung and Apple are locked in a bitter patent battle that saw the launch of the Galaxy Tab 10.1 held in Australia and has blocked the sale in Germany. Samsung smartphones were also attacked. 

Read More

Rumor on the iPhone 64GB re-emerges

Can sports next Apple iPhone doubling the storage of current models of the company? It's the latest rumor, or at least the last revival of such statements.Citing the same anonymous source model numbers assumed for iPhones and iPods, which entered the new system of Apple retail inventory earlier this week said 9to5mac refresh the Apple iPhone will make three different models with capacities storage. This is in contrast to the current range of Apple, which has a 16GB model and 32GB model.The decision suggests that the third model will have 64GB of storage, the storage options available on the corresponding iPad since the first generation model.There have been some signs of Apple iPhone models tested higher capacity that the sequence never made it to market. For example, in March, China's technology-based MIC Gadget blog said it had obtained a "prototype designed" iPhone 4 with 64 GB of storage on board. Taking pictures displayed on the device andsaid its production information suggested it was produced in early 2010, in advance of the iPhone was announced 4.Adding to this was what appeared to be a development version of the iPhone 4 white, sporting 64 GB of storage and what looked like an early version of IOS 4. This device appeared on the site Tinhte Vietnam in April and is the same outlet that got ahold of the iPhone ahead of its four official announcement.One thing that remains clear is that Apple can fit 64 GB of storage in the amount of space, as is done on his iPod Touch since the third-generation model in 2009. The interesting thing is now to the extent local storage plays a role in the future of the iPhone. With the launch of the next probable along icloud iPhone, Apple is to help users get away with less storage, file storage and application information on its servers, and allows users to remove and re-download songs and videos when space is needed. This is far from a "cloud iPhone" where there is no storage at all, but it is the building block for such a possibility.All that being said, more storage is certainly an interesting feature for some people, especially those who like to keep a lot of media on their device and install large applications.Apple is holding its "iPhone Talk" event next Tuesday, where the company should take the veil on its next iPhone.

Read More