• Another SSL security hole has popped up, and its name is FREAK
[url]http://www.zdnet.com/article/freak-another-day-another-serious-ssl-security-hole/[/url] [quote=ZDNet]It seemed like such a good idea in the early 90s. Secure-Socket Layer (SSL) encryption was brand new and the National Security Agency (NSA) wanted to make sure that they could read "secured" Web traffic by foreign nationals. So, the NSA got Netscape to agree to deploy 40-bit cryptography in its International Edition while saving the more secure 128-bit version for the US version. By 2000, the rules changed and any browser could use higher security SSL. But that old insecure code was still being used and, fifteen years later, it's come back to bite us. The Washington Post reported today that cryptographers from IMDEA, a European Union research group; INRIA, a French research company; and Microsoft Research have found out that "They could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Websites themselves by taking over elements on a page, such as a Facebook 'Like' button." Great.[/quote]
Shocker.. Though really why even keep on doing this rate of surveillance at all, if hackers can crack it in a few hours, while putting my data at risk.. I might as well have never installed an anti-virus if this stuff can happen while stuff like this can go right under my nose.
Time to abandon the SSL standard it seems. By now you'd think most sites would provide an option to support RSA.
I don't get why they announce exploits and such BEFORE the issue is fixed. You're literally yelling "yo hackers come steal a buncha shit before they fix it"
[QUOTE=TheDrunkenOne;47252492]I don't get why they announce exploits and such BEFORE the issue is fixed. You're literally yelling "yo hackers come steal a buncha shit before they fix it"[/QUOTE] Forces people to fix their shit quicker I guess.
[QUOTE=TheDrunkenOne;47252492]I don't get why they announce exploits and such BEFORE the issue is fixed. You're literally yelling "yo hackers come steal a buncha shit before they fix it"[/QUOTE] "One day only sale on all SSL merchandise! 100% off! Get it before it's gone!"
[QUOTE=TheDrunkenOne;47252492]I don't get why they announce exploits and such BEFORE the issue is fixed. You're literally yelling "yo hackers come steal a buncha shit before they fix it"[/QUOTE] It's already fixed. They usually are once announced. Quote from the article for a person who cannot read... [QUOTE]The OpenSSL problem, CVE-2015-0204, has already been patched in the latest OpenSSL release. 1.02. If you haven't patched OpenSSL lately, do it. Do it now. Check with your operating system distributor or compile the code yourself.[/QUOTE] [QUOTE=Adlertag1940;47252420]Time to abandon the SSL standard it seems. By now you'd think most sites would provide an option to support RSA.[/QUOTE] RSA is the problem (or is part of). [QUOTE]And, now, it has been. It's just that it's now open to being broken by anyone with basic code-breaking smarts and easily available computer resources. The key problem is that OpenSSL and Safari both contain bugs that cause them to accept "[B]RSA export-grade keys[/B] even when the client didn't ask for export-grade RSA."[/QUOTE] [URL]https://blogs.akamai.com/2015/03/cve-2015-0204-getting-out-of-the-export-business.html[/URL] I love all these people making recommendations that they know NOTHING about it. And also didn't bother to read the article.
You people lack a serious understanding about this issue. This doesn't let you hack websites or get products for free. It lets you read the contents of messages between servers and clients -- which is very bad for, say, banking websites or online purchases. But that's only if you can get the messages themselves.
[QUOTE=geel9;47252610]You people lack a serious understanding about this issue. This doesn't let you hack websites or get products for free. It lets you read the contents of messages between servers and clients -- which is very bad for, say, banking websites or online purchases. But that's only if you can get the messages themselves.[/QUOTE] And that doesn't mean we should abandon SSL. Oh man if we abandoned every technology with bugs we'd be back in the stone age
[QUOTE=Asgard;47252742]And that doesn't mean we should abandon SSL. Oh man if we abandoned every technology with bugs we'd be back in the stone age[/QUOTE] y2k15?
[QUOTE=TheDrunkenOne;47252492]I don't get why they announce exploits and such BEFORE the issue is fixed. You're literally yelling "yo hackers come steal a buncha shit before they fix it"[/QUOTE] Because with almost certainty the high profile hackers already know, and making it public is the only way that will force the people responsible to actually go ahead and fix it.
[QUOTE=TheDrunkenOne;47252492]I don't get why they announce exploits and such BEFORE the issue is fixed. You're literally yelling "yo hackers come steal a buncha shit before they fix it"[/QUOTE] Cause literally they could already know and be using this, and it isn't fair to the people who get shafted for that even if they would have taken their systems offline.
[QUOTE=Asgard;47252742]And that doesn't mean we should abandon SSL. Oh man if we abandoned every technology with bugs we'd be back in the stone age[/QUOTE] We've already abandoned SSL, it was replaced with TLS years ago, and the recent attacks have finally made it switched off by default. RC4's gone too.
[QUOTE=Asgard;47252742]And that doesn't mean we should abandon SSL. Oh man if we abandoned every technology with bugs we'd be back in the stone age[/QUOTE] To be fair OpenSSL should be abandoned, it's badly written and a better implementation is possible. LibreSSL seems to be showing this. Most of the bugs in it have been in the implementation.
TLS (and the SSL that pre-dated it) have their flaws, but 99% of the problems are in implementations, like why on earth does OpenSSL still want to talk export ciphers? (They haven't been a thing for 15 years at this point.) I actually found out a few days ago that the 3DS web browser actually has them enabled by default for some stupid reason. And TLS is well enough designed that the protocol flaws can be fixed, like leaking the client time, having a plain text handshake, or getting the order of encryption and MAC wrong.
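Added example, not part of the thread or the linked articles: a small Python audit that flags the export-grade and RC4 suites discussed in the posts above in a cipher list, and checks whether the OpenSSL linked into the local Python can still select export suites. The suite list is constructed sample data, and the function names are this example's own.

```python
import re
import ssl

# Constructed sample: suite names as a scanner report or server config might
# list them, in both OpenSSL and IANA spellings. Not from any real server.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "RC4-SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA",
]

def classify(name):
    """Return the findings for one cipher suite name (empty list if none)."""
    findings = []
    # OpenSSL spells export suites with an EXP- prefix; IANA names carry _EXPORT.
    if name.startswith(("EXP-", "EXP1024-")) or "_EXPORT" in name:
        findings.append("export-grade")
    # Match RC4 as a whole token so unrelated names cannot trip the check.
    if re.search(r"(^|[-_])RC4([-_]|$)", name):
        findings.append("rc4")
    return findings

def audit(suites):
    """Map each flagged suite name to its findings; clean suites are omitted."""
    report = {}
    for suite in suites:
        findings = classify(suite)
        if findings:
            report[suite] = findings
    return report

def local_openssl_offers_export():
    """True if the OpenSSL behind this Python can still select export suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT")
    except ssl.SSLError:
        # The library could not select any suite for the EXPORT keyword.
        return False
    return any("export-grade" in classify(c["name"]) for c in ctx.get_ciphers())

if __name__ == "__main__":
    for suite, findings in audit(SAMPLE_SUITES).items():
        print(f"{suite}: {', '.join(findings)}")
    print("local OpenSSL offers export suites:", local_openssl_offers_export())
```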