Nick Tippmann
With Android applications like DroidSheep which acts like a sniffer that gains the cookie from non-SSL sites so users can gain access into those accounts(Facebook) under those users, that application and others are about to be broken wide open. Websites such as those who process online payments, Emails(Google) and Facebook(if you can ever find where its at all) use SSL to protect users from having their info taken from others. However that could/is about to change.
Researches have found protocol that allows attackers to silently decrypt data that’s passing between a webserver and the browser. The exploit used BEAST to do its work. It works by doing two attacks, one contains code that must be loaded into the victim’s web browser and the second one captures and decrypts HTTPS session cookies which can be done in just five minutes.
Juliano Rizzo and Thai Duong say the vulnerability compromises TLS (Transport Layer Security) 1.0, the encryption mechanism that secures Web sites accessed using HTTPS (Secure Hypertext Transfer Protocol). TLS is the successor to SSL (Secure Sockets Layer) and is widely used at financial sites.
When Paypal was asked about this by PC Mag their PR stated,
We have got a team of security people and it is always working on updates and upgrades and they are looking into this already
No word yet on if this exploit has been released to the public some how, however the ability to attack SSL encrypted websites is a major security threat.
Source: The Hackers News
