SSL – The Broken Beauty and the BEAST

By: Bill Mathews
In response to: Hackers break SSL encryption used by millions of sites

Alright, if I need to explain what SSL is to you, then please go ahead and take a look at http://hlurl.com/8hm for a quick explanation. Go ahead, I’ll wait. Back now? Awesome, let’s get on with it. Basically, the current version of SSL (well, the current version nearly everyone has implemented and supports) is broken, probably hopelessly at this point. Then comes this, which is basically the first attack to actually decrypt SSL. I’ve written on various attacks before (like http://hlurl.com/8ho), and I’ve written on poorly implemented SSL, but this “feels” different. It’s an attack that allegedly decrypts SSL. Are you listening? Allegedly decrypts it!

Everyone who knows me knows I’m not really an alarmist and don’t get freaked out easily, but if this is accurate (and right now it’s a big if in my mind), it is pretty scary. The saddest part is that there are fixes: updated versions of SSL and TLS have been available for years, but hey, the old ones are working, so why update them, right? Well, ladies and gentlemen, if this so-called BEAST (Browser Exploit Against SSL/TLS) is as truly ferocious as its authors say, then it might just be time for a change. There are some alternatives to SSL out there, like Convergence, but I fear that is years away from becoming viable, if ever.

As always, I’ll try to keep this blog up to date with info about this as it becomes available; it’s still very new and the tool (BEAST) hasn’t been released yet. It’s allegedly a beefy piece of JavaScript, so I’ll attempt to dissect it here if I get my grubby little hands on it. More to come, film at 11 and all of that.
