The Register is reporting that:
"Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser."
In essence, the researchers (Thai Duong and Juliano Rizzo) intercept and decipher the authentication cookie on a secure connection: They plan to demonstrate the attack later this week at the Ekoparty Security Conference.
The attack is only effective against earlier versions of the TLS protocol; TLS1.2 is impervious to the attack. Few browsers support TLS1.2 by default, so few websites have switched to the protocol - a vicious circle! However, there is one browser that does support TLS 1.2 by design:
"While both Mozilla and the volunteers maintaining OpenSSL have yet to implement TLS 1.2 at all, Microsoft has performed only slightly better. Secure TLS versions are available in its Internet Explorer browser and IIS webserver, but not by default. Opera remains the only browser that deploys TLS 1.2 by default."
Whilst switching to Opera makes no difference to users' security if the majority of websites eschew the latest security protocols, this story does show that the Opera developers design-in the latest security and that is another good reason to switch.
Sources & References:
- Schneier On Security: Safe Personal Computing - originally published in CNet 09/12/2004.
- The Register: Hackers break SSL encryption used by millions of sites