Can you trust the SSL protocols anymore?

By Susan Bradley

Hard on the heels of the counterfeit SSL certificates scandal comes a new SSL security threat.

The recent ekoparty Security Conference in Argentina broke the news that encrypted SSL/TLS traffic is vulnerable to attack. But should we rush to install the workarounds?

Are the SSL protocols truly broken? Again?

Microsoft Security advisory KB 2588513, issued September 26, revealed that hackers can decrypt encrypted SSL traffic. But before you yank that Internet connection out of the wall, never to go online again, consider that mitigating factors make a successful attack of this kind extremely difficult to accomplish.


As detailed in Microsoft’s Security Research & Defense blog, a man-in-the-middle attacker must first place himself between you and the server with which you’re communicating — and then must be there exactly at the right time to sniff your traffic.

That said, if you’re still feeling queasy about this new danger, you have two ways to protect yourself. First, formally sign in and sign out of secured sites: don’t just close the browser when you’ve finished your session. Second, you can enable the support of TLS 1.1 and disable TLS 1.0 in Windows 7’s Internet Options (as shown in Figure 1) by using the Fixits in KB 2588513.

But watch out for websites that don’t support this setting — many don’t. If you try to go to the SSL page for any such website, the SSL website fails to load properly. And there’s bad news for XP: it doesn’t support these higher levels of SSL security (see Figure 2). You are likely to be advised to browse on a Windows 7 machine. At a recent HTCIA conference, several folks from the SANS organization stated that using IE 6 and 7 on XP machines puts you at risk.

Figure 1. Windows 7 can support higher TLS versions, circled in yellow.

Figure 2. Windows XP supports only TLS 1.0, circled in yellow.

So am I telling you to stop using XP? No, not at all. As in the case of the fake SSL certs, most Windows Secrets readers are not targets of difficult, high-cost attacks that might come as a result of news released at a security conference. And does this new threat mean that I’m going to recommend that you dump IE and use only Chrome or Firefox on your Windows XP? Not so fast on that plan, either: at this time, neither Chrome nor Firefox supports TLS 1.1 or 1.2, as noted in the Register article and in a Wikipedia article about browsers that support TLS 1.1 or 1.2. For Chrome users, the good news is that a protective patch is in the developer build, and I expect Google to roll it out as soon as possible.

What to do: At this time, I’m not ready to tell you to jump on the Fixits — other than to test them on a spare Windows 7 computer to see how websites interact. We need to identify which sites are holding us all back from making TLS 1.1 or 1.2 the default. Watch for updates from Chrome for XP workstations. Do try to stay off untrusted wireless connections as much as possible. Stay tuned: for now, test only.
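One way to find the sites that would break with TLS 1.0 disabled is to offer TLS 1.2 and read which version the server picks in its ServerHello. The sketch below is an added example, not part of the original column or any Microsoft Fixit; the function names and the cipher-suite offer are assumptions, and a refusal can also mean the server disliked the suites rather than the version.

```python
import os
import socket
import struct
import sys

VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
# Assumed offer: CBC-SHA suites that are valid in TLS 1.0 through 1.2.
SUITES = struct.pack("!4H", 0x002F, 0x0035, 0x000A, 0xC013)

def client_hello(host, version=(3, 3)):
    """Build a ClientHello whose highest offered version is `version`."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni           # extension 0 = server_name
    body = (bytes(version) + os.urandom(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(SUITES)) + SUITES
            + b"\x01\x00"                                  # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def negotiated_version(reply):
    """Version chosen in the ServerHello, or None for an alert or anything else."""
    if len(reply) < 11 or reply[0] != 0x16 or reply[5] != 0x02:
        return None
    return VERSIONS.get((reply[9], reply[10]), "unknown")

def probe(host, port=443, timeout=5.0):
    """Offer TLS 1.2 to host and return the version it selects (None if refused)."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello(host))
            while len(reply) < 11 and reply[:1] != b"\x15":  # stop on an alert record
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        pass  # reset, timeout or DNS failure: treated as "no ServerHello"
    return negotiated_version(reply)

def verdict(version):
    if version is None:
        return "no ServerHello (refused or intolerant of the offer)"
    if version in ("TLS 1.1", "TLS 1.2"):
        return "OK: " + version
    return version + ": fails once TLS 1.0 is disabled"

if __name__ == "__main__":
    for site in sys.argv[1:]:
        print(site, "->", verdict(probe(site)))
```

Run it with the host names of the sites you rely on as arguments; it sends one handshake message per site and closes the connection.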

Malicious Software Removal Tool serves up clues

Every month, Microsoft offers the Windows Malicious Software Removal Tool to workstations. Every month, I recommend that you install it. When the tool doesn’t find anything, that’s a good thing — you’re not infected! When it does, it’s designed to get the major malicious threats off your system.

General use of the tool has another benefit: it allows us glimpses of the safe computing practices of areas of the world that get it right. In a six-part series of blog posts, Tim Rains, Director of Product Management in Microsoft’s Trustworthy Computing group, offers insights into why some countries do well in the fight against malware and some don’t. Part 1 identifies Austria, Finland, Germany, and Japan as having the fewest infections. Researchers suggest that Austria has few infections partly because of strong ISPs that crack down on users who host malicious activity. Finland sees legislation and regulation as being key factors in its low infection rates. Germany cites sharing of information among its regulatory agencies, the media, and consumers. Japan credits consumer education and the dissemination of extermination tools by ISPs.

What to do: Install the tool when it’s offered. In addition to protecting your workstation, the Malicious Software Removal Tool assists Microsoft in getting macro views of the state of cyber security. No identifiable information about you is released, but we can all benefit from the broad lessons in the findings. According to Tim’s final post, using the tool is part of the big picture of awareness and education.

Flash Player gets a zero-day update

We’re installing updates to Flash again because of a zero-day vulnerability that showed up in actual attacks. Adobe posted Security bulletin 11-26 and released an out-of-cycle update to protect users from this exploit. All browsers from Chrome to Firefox now have updates for their plugins as well.

Make sure you have updated your Adobe Flash Player for Windows, Macintosh, Linux, and Solaris to Adobe Flash Player Users of Adobe Flash Player for Android should be on version Check your Android phones and tablets because these devices specifically support Flash.

What to do: Make certain that you are current with the most recent Flash updates, but do not install any of the offered toolbars.

Regularly updated problem-patch chart

This table provides the status of problem patches reported in previous Patch Watch columns. Patches listed below as safe to install will be removed from the next updated table.

August .NET updates; see MS11-066 for complete patch list
.NET 4 Reliability Update 1
August .NET updates; see MS11-069 for complete patch list
Office File Validation update
Windows Application Compatibility List update
Office 2003 update (nonsecurity)
Office 2010 SP1
Fixes TLS/SSL handshake with Internet Explorer and Win XP or Vista
Resolves font-display issues in IE 9 with Vista and Win7
Resolves long-URL issues in IE and Windows 7
Resolves time-out issues in Windows 7
Cumulative update for SQL Server 2008 R2
Advanced Format disk-configuration update
Daylight-saving update: time zone–specific, Outlook issues
More .dll-preloading updates
Multiple Excel updates; see MS11-072 for all related updates
Fix for malicious Office files
DigiNotar certificate revocation

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.


The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley has been named an MVP (Most Valuable Professional) by Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

All Windows Secrets articles posted on 2011-09-29:
