Facebook Hacking | Hacking Tools | Facebook Hacking Tool | Twitter Hacking | Crash Website | Hack Gmail Account
Home / Website hacking / 90% SSL websites are vulnerable to the BEAST SSL attack

90% SSL websites are vulnerable to the BEAST SSL attack

Posted by Deepanker Verma Saturday, April 28, 2012 0 comments

According to the latest cyber report by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems, 90% of the websites running on HTTPS enabled secure protocol are vulnerable to the SSL attack, BEAST.


This report is based on the data provided by SSL Pulse project. This project scanned top 1 million websites with the automated scanning technology developed by security vendor Qualys and then generated a report on strength of HTTPS implementations. It checks what protocols are supported by the HTTPS-enabled websites (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, etc.), the key length used for securing communications (512 bits, 1024 bits, 2048 bits, etc.) and the strength of the supported ciphers (256 bits, 128 bits or lower).


90% od the websites scanned are vulnerable to the known type of attack BEAST. This SSL attack takes advantage of a flaw in SSL 3.0, allowing the attacker to grab and decrypt HTTPS cookies on an end user’s browser, effectively hijacking the victim’s session. This could be achieved either through an iframe injection or by loading the BEAST JavaScript into the victim’s browser, but BEAST is known to be especially hard to execute.


Trustworthy Internet Movement has also created a taskforce which includes various security experts who will review SSL governance issues and develop proposals aimed at fixing both SSL and the certificate authority systems. The taskforce members include Michael Barrett, chief information security officer at PayPal; Taher Elgamal, one of the creators of the SSL protocol; Adam Langley, a Google software engineer responsible for SSL in Chrome and on the company's front-end servers; Moxie Marlinspike, the creator of the Convergence project, which offers an alternative method for SSL certificate validation; Ivan Ristic, the creator of the Qualys SSL Labs and Ryan Hurst, chief technology officer at certificate authority GlobalSign.


SOURCE
Categories: ,

If You Like This Post, Share it With Your Friends


Subscribe us to receive free updates in your inbox:


0 comments:

Post a Comment

Featured FREE Resource:
X




Security Tools

Loading...
Share
Get This

About Me

My Photo
Deepanker Verma
I am Deepanker Verma. A computer geek, Security researcher blogger and software developer. I have deep interest and Information security and web development and try to learn new things. you will see my blogs on hackingtricks, TechlomediaWebtips and Usethistip.

I was also honoured by Apple, Ebay, Symantec, PandaSecurity and various other computer software giants for my security work for their company. I also contribute on some opensource projects regularly.

I also own a web app called NoteDIP that allows users to send self-destructive messages with password protection.

You can add me to circles to get my daily tips :)

View my complete profile

Partners

Blog Archive

Copyright © Hacking Tricks. All rights reserved. Blogger template designed by BLog Bamz