Linked by HAL2001 on Tue 20th Sep 2011 21:48 UTC
Privacy, Security, Encryption After having its SSL and EVSSL certificates deemed untrustworthy by the most popular browsers, VASCO announced that DigiNotar, filed a voluntary bankruptcy petition and was declared bankrupt today. This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe.
Thread beginning with comment 490329
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[3]: No big surprise here.
by Lennie on Thu 22nd Sep 2011 08:22 UTC in reply to "RE[2]: No big surprise here."
Lennie
Member since:
2007-09-22

Old versions of the SSL/TLS protocols are vulnerable to known adaptive plaintext attacks.

So an attacker has to be able to send a plaintext based on the analyzes of the HTTPS-traffic he/she sees and inject it in the HTTPS-traffic.

Which he/she can with JavaScript from an other page.

The problem is 3 things:
1. the browser allows pages on domain-X to talk to other domains. You don't even need JavaScript for that, it has always been possible.
2. the browser re-uses the same HTTPS-connection (or session-cache) for different pages
3. biggest problem is that that the old protocols don't seem to go away.

It is like the IE6-problem for webdevelopers.

For example all versions of IE on Windows XP do not support TLS/1.1 and TLS/1.2. They have no protection against this problem.

But most other browsers and server do not supoprt it either and those that support it have it turned off by default.

Because there are servers that only speak the older protocols which refuse to talk to clients that say they _also_ support the newer protocols.

Reply Parent Score: 2