By Susan Bradley
Hard on the heels of the counterfeit SSL certificates scandal comes a new SSL security threat.
The recent ekoparty Security Conference in Argentina broke the news that encrypted SSL/TLS traffic is vulnerable to attack. But should we rush to install the workarounds?
Are the SSL protocols truly broken? Again?
Microsoft Security Advisory KB 2588513, issued September 26, revealed that attackers can decrypt encrypted SSL traffic. But before you yank that Internet connection out of the wall, never to go online again, consider that mitigating factors make a successful attack of this kind extremely difficult to accomplish.
As detailed in Microsoft’s Security Research & Defense blog, a man-in-the-middle attacker must first place himself between you and the server with which you’re communicating — and then must be there exactly at the right time to sniff your traffic.
That said, if you’re still feeling queasy about this new danger, you have two ways to protect yourself. First, formally sign in and sign out of secured sites: don’t just close the browser when you’ve finished your session. Second, you can enable TLS 1.1 support and disable TLS 1.0 in Windows 7’s Internet Options (as shown in Figure 1) by using the Fix it solutions in KB 2588513.
But watch out for websites that don’t support this setting — many don’t. If you try to open an HTTPS page on any such website, the page fails to load properly. And there’s bad news for XP: it doesn’t support these higher levels of SSL security (see Figure 2). The usual advice is to browse from a Windows 7 machine instead. At a recent HTCIA conference, several folks from the SANS organization stated that using IE 6 and 7 on XP machines puts you at risk.
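The following script is an added example, not code from the article or from Microsoft's Fix it. It reads and sets the SecureProtocols registry value behind the Internet Options "Use TLS 1.x" checkboxes, and probes a site with a TLS 1.1-only handshake so you can see whether it will still load before you switch TLS 1.0 off. It assumes .NET 4.5 or later (for the Tls11 protocol value) and uses the placeholder host bank.example.

```powershell
# Added example (not from the article or Microsoft's Fix it). Assumes .NET 4.5+.
$RegPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# Bit values of the SecureProtocols DWORD; each bit is one checkbox in Internet Options > Advanced
$Proto = [ordered]@{ 'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }

function Get-IeSecureProtocols {
    # Decode the bitmask into the list of protocol versions currently enabled for this user
    $value = (Get-ItemProperty -Path $RegPath -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $value) { return 'SecureProtocols not set (system default in effect)' }
    $Proto.Keys | Where-Object { ($value -band $Proto[$_]) -ne 0 }
}

function Set-IeSecureProtocols {
    param([string[]]$Enable)   # e.g. 'TLS 1.1','TLS 1.2'; anything not listed is switched off
    $mask = 0
    foreach ($name in $Enable) { $mask = $mask -bor $Proto[$name] }
    Set-ItemProperty -Path $RegPath -Name SecureProtocols -Value $mask -Type DWord
}

function Test-Tls11Support {
    param([string]$HostName, [int]$Port = 443)
    # Attempt a handshake restricted to TLS 1.1. If it fails, the site will not load
    # once TLS 1.0 is disabled, which is the caveat the article warns about.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls11, $false)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Weak setting: TLS 1.0 still enabled. Hardened setting (the KB 2588513 workaround): TLS 1.1 on, TLS 1.0 off.
'Enabled now: ' + ((Get-IeSecureProtocols) -join ', ')
if (Test-Tls11Support -HostName 'bank.example') {   # placeholder host, replace with a site you use
    Set-IeSecureProtocols -Enable 'TLS 1.1', 'TLS 1.2'
    'Switched to: ' + ((Get-IeSecureProtocols) -join ', ')
} else {
    'bank.example does not negotiate TLS 1.1; disabling TLS 1.0 would stop that site from loading'
}
```

Run the probe against each secured site you rely on before changing the setting; Set-IeSecureProtocols only affects the current user's Internet Options, and Group Policy can override it.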