

Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

2 edits

reply to Mele20

Re: Google disables SSL compression in Chrome against new attack


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to FF4m3

said by FF4m3 :

said by Mele20:

Google wants Proxo dead.

No they don't. Google could care less about Proxo.

Google doesn't want Proxo dead? Then explain to me why they stopped allowing Proxo to fake a Google cookie? Google has become more hostile toward Proxo in the last few years.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to Name Game

said by Name Game:

Have they told you if proxo will work with Windows 8..I hear it might be compatible but not tested..

You might understand it all more in this thread where scarlettrunner20
shows people how to do a little test at "boh.com" The Bank of Hawaii .
»forums.mozillazine.org/viewtopic···=2310053

Proxo should work on Windows 8. As long as the web is based on HTTP protocol Proxo should work. Some sites may have problems when filtered by Proxo but that has always been the case and SPDY could pose some problems. When Sidki left public Proxo development after his 10/2010 filters gift to us users, he gave his notes, etc. to JJoe and JJoe gave us a filter set updating Sidki's last set in 12/11. I still use Sidki's 10/2010 filters on my host machine and JJoe's on virtual machines.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

reply to Mele20
You are so funny..then stop using google and stop ranting about it.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Reviews:
·CenturyLink

reply to Mele20

said by Mele20:

(God forbid that any of us be able to block Google ads).

I use the AdBlock Plus extension in FF and don't see Google or any other ads. But use whatever does, or doesn't, work for you.
--
Don't feed trolls--it only makes them grow!


norwegian
Premium
join:2005-02-15
Outback
Reviews:
·WestNet Broadband

reply to Name Game

said by Name Game:

SSL2 should be disabled.
TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

But for Opera this was the problem even in Jan 2012

»my.opera.com/community/forums/to···=1262702

Quite a good link. However it is interesting in this quote:

quote:
The RFC also says that servers MUST accept that clients send extensions (and ignore the ones it cannot handle), and MUST accept that clients may signal a higher version than they support. Unfortunately, what the RFCs say, and what got implemented in the server can be two very different things. There is a reason why RFC 5746 (The Renego patch) includes a reminder about what the RFCs say on those two points.
Well, what can you say. It is all too similar to a lot of Internet browsing.

You have to allow for it to be a reply to a request. What we need to do is create an environment whereby that initial handshake doesn't allow all, doesn't allow by default, looks for certain strings....guess to some extent that may happen already and you to become pwoned....

So to start with not allowing anything but still recognize the link it needs....love to be able to have that signed in my name.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback
Reviews:
·WestNet Broadband

reply to Name Game

said by Name Game:

TLS 1.1 .... .... should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

That comment seems to have merit. Turning it on has evolved my browsing experience.


caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
WA, USA
kudos:4
Reviews:
·CenturyLink

reply to Name Game

said by Name Game:

If you use Opera..even many months ago..

SSL2 should be disabled.
TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

Hmm...

I'm still using Opera 11.64 on this box. Even so, when checking under security protocols, there is no SSL v2 listed at all. Only SSL v3 and the TLS variants.



Those are the default settings, I haven't had a need to change them.

--

My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages


FF4m3

@bhn.net

reply to MagnusM
The perfect CRIME? New HTTPS web hijack attack explained:

The so-called CRIME technique lures a vulnerable web browser into leaking an authentication cookie created when a user starts a secure session with a website. Once the cookie has been obtained, it can be used by hackers to login to the victim's account on the site.

The cookie is deduced by tricking the browser into sending compressed encrypted requests for files to a HTTPS website and exploiting information inadvertently leaked in the process. During the attack, the encrypted requests - each of which contains the cookie - are continually modified by malicious JavaScript code, and the changing size of the compressed message is used to determine the cookie's contents character by character.

Punters using web browsers that implement either TLS or SPDY compression are potentially at risk - but the vulnerability only comes into play if the victim visits a website that accepts the affected protocols. Support is widespread but far from ubiquitous.

The researchers worked with Mozilla and Google to ensure that both Firefox and Chrome are protected. Microsoft's Internet Explorer is not vulnerable to the attack, and only beta versions of Opera support SPDY. Smartphone browsers and other applications that rely on TLS may be vulnerable, according to Ars Technica.

"Basically, the attacker is running a script on Evil.com," Rizzo explained to Kaspersky Labs' Threatpost. "He forces the browser to open requests to Bank.com by, for example, adding tags with the src pointing to Bank.com. Each of those requests contains data from mixed sources."

Each encrypted request includes an image file name - a constantly changing detail that is generated by the malicious script; the browser's identification headers, which don't change; and the login cookie, the target of the attack. When the file name matches part of the login cookie, the size of the message drops because the compression algorithm removes this redundancy.

"The problem is that compression combines all those sources together," Rizzo added. "The attacker can sniff the packets and get the size of the requests that are sent. By changing the [file name] path, he could attempt to minimise the request size, ie: when the file name matches the cookie."

This brute-force attack has been demonstrated against several sites including Dropbox, Github and Stripe. Affected organisations were notified by the pair, and the websites have reportedly suspended support for the leaky encryption compression protocols. Ivan Ristic, director of engineering at Qualys, estimates 42 percent of sites support TLS compression.

The researchers will present their work at the Ekoparty security conference in Buenos Aires, Argentina next week. In the meantime, Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, has a detailed take on the attack here.
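
The size leak described in the article quoted above, and why switching compression off removes it, as an added example (not part of the post or the quoted article). The cookie value, host name, guesses and function names are constructed for illustration.

```python
import zlib

# Constructed sample values for illustration (not taken from the thread).
SECRET_COOKIE = "sessionid=7f3a9c41d2e8b605"
CORRECT_GUESS = "sessionid=7f3a9c41"          # matches the cookie's first 8 characters
WRONG_GUESSES = ["sessionid=e1b04d6a", "sessionid=0d5b2e97", "sessionid=c6a18f3d"]


def build_request(path_guess: str) -> bytes:
    """One request as the browser sends it: the path is chosen by the
    third-party script, the Cookie header is attached by the browser."""
    return (
        f"GET /img?{path_guess} HTTP/1.1\r\n"
        "Host: bank.example\r\n"
        "User-Agent: ExampleBrowser/1.0\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n\r\n"
    ).encode("ascii")


def wire_length(path_guess: str, compression: bool) -> int:
    """Plaintext length handed to the cipher. A stream cipher keeps this
    length visible on the wire; block-cipher padding only rounds it up."""
    data = build_request(path_guess)
    if compression:
        data = zlib.compress(data, 9)   # DEFLATE, as used by TLS compression
    return len(data)


def length_signal(compression: bool) -> int:
    """Bytes by which the matching guess is shorter than the best
    non-matching guess. Zero means an observer learns nothing from size."""
    correct = wire_length(CORRECT_GUESS, compression)
    best_wrong = min(wire_length(g, compression) for g in WRONG_GUESSES)
    return best_wrong - correct


if __name__ == "__main__":
    print("compression on :", length_signal(True), "byte(s) of signal")
    print("compression off:", length_signal(False), "byte(s) of signal")
```

With compression disabled every guess of the same length produces the same request size, which is the effect of the Chrome change this thread is about.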


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to caffeinator
SSL 2 hasn't been around on Opera since version 10 or earlier I think. Hasn't been, I know for sure, on version 11.0 and above.

I don't know what Name Game is referring to as the Opera forum link he gives points out the futility of starting with TLS 1.1 or TLS 1.2 as 98% of servers are not able to use it. Opera's main security developer explains Opera's reasoning in that thread.

So, Opera, for PRACTICAL reasons, defaults to SSL 3 and TLS 1.0. Why Name Game thinks Opera should support a protocol that is not supported yet on the web, except in a tiny minority of cases, I don't understand. Opera should be a guinea pig? Why? I think he should clarify his comment.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

You are still funny and if you used opera..you would have done that last year to mitigate the BEAST..I posted that info in many forums myself and you can see it done here

»answers.yahoo.com/question/index···5AAjCZy5

»www.phonefactor.com/resources/Ci···east.pdf

And that is also why I think your panic over Crime..which is still not even presented yet... is mostly FUD..Beast was even a bigger problem and caught many with their pants down. Opera is not a guinea pig..it is a browser that has been out there since 1996 and never is really ready for prime time in all of its development cycle and new versions.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


evoxllx

join:2007-06-07
Winter Park, FL

2 edits

reply to Mele20

said by Mele20:

SSL 2 hasn't been around on Opera since version 10 or earlier I think. Hasn't been, I know for sure, on version 11.0 and above.

I don't know what Name Game is referring to as the Opera forum link he gives points out the futility of starting with TLS 1.1 or TLS 1.2 as 98% of servers are not able to use it. Opera's main security developer explains Opera's reasoning in that thread.

So, Opera, for PRACTICAL reasons, defaults to SSL 3 and TLS 1.0. Why Name Game thinks Opera should support a protocol that is not supported yet on the web, except in a tiny minority of cases, I don't understand. Opera should be a guinea pig? Why? I think he should clarify his comment.

The percentage of sites that don't support it is irrelevant when the sites that DO support it are some of the most sought after when it comes to these types of attacks, not to mention some of the largest sites/services on the internet.

Google, Facebook, PayPal, CloudFlare, etc.

The reason it's so slow to rollout is mostly due to buggy network devices and servers.

That being said, Opera lacks many things that I think are more important, such as HSTS and ECDHE support.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

Exactly...So I would suggest to everyone who thinks the developer of their chosen browser is not on top of this issue of CRIME or any other vulnerability ...to hold off and see what they do..but if you are so paranoid and think the developer is behind the power curve..then start disabling "whatever"..at least you will learn more about your internet ride than you did last week... or change your browser.... I'll let Chrome change my oil and filter.



MagnusM
Premium
join:2001-07-07

reply to MagnusM
Here is a video that shows the CRIME exploit in action:

»www.youtube.com/watch?v=gGPhHYyg9r4

--
Mischel Internet Security - Developer of TrojanHunter


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

Thanks here is another one.
»Re: Google disables SSL compression in Chrome against new attack



MagnusM
Premium
join:2001-07-07

reply to MagnusM
Seems you were quicker than me on that one



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

I like yours better since it displays in the thread.



DownTheShore
Thanks To All The Shore Volunteers
Premium
join:2003-12-02
Beautiful NJ
kudos:12

reply to FF4m3

said by FF4m3 :

Set as above.

Thanks!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to Name Game

Sigh. Why are you on such a tear?

The screenshot is from my favorite version of Opera, 10 Preview which I downloaded in Aug 2009. It has no Unite. TLS 1.1 is checked. I've had it checked ever since it first appeared in an Opera version long before Beast attack last year.

You'll note from the screenshot that as far back as August 2009, Opera did not have SSL 2. I caught you out on that so I guess you are trying to get folks to forget that by going on about my being "funny". I believe the description fits you better.

"Panic over Crime"? Where in the world did you get that idea? I am concerned about SPDY because of the possible implications for Proxo and the fact that on Sea Monkey the Fx extension won't install so I can't monitor SPDY usage. My other browsers don't use SPDY. How does this translate to "panic over crime"? Geez...you need to stop posting so much as you appear to be getting things all mixed up.

Stop putting words in my mouth. I never said Opera was a guinea pig. Go back and read what I said. I asked if Opera should be expected to START ACTING LIKE A GUINEA PIG by DEFAULTING to TLS 1.2. I pointed out the EXCELLENT reasons a highly respected security developer gave for why Opera defaults to TLS 1.0. YOU want Opera to be a guinea pig because you fault it for not defaulting to TLS 1.2. I do NOT want Opera to be a guinea pig and it is NOT one.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


MeDuZa

join:2003-06-13
Austria

reply to Name Game

said by Name Game:

Exactly...

Not quite so Exactly.
- Opera(12) has HSTS support. evoxllx is wrong.
- Regarding ECDHE support:

quote:
Opera support Forward Secrecy in the form of the Ephemeral Diffie-Hellman (DHE) cipher suites, but not the Elliptic Curve DHE method Google selected to prioritize (At present Opera does not support Elliptic Curve crypto). Google seem to prioritize the ECDHE and RSA/ARC4 above the DHE methods (there is no DHE_RSA/ARC4 ciphersuite defined, which may explain that part; ARC4 is less costly than AES). AFAICT Google does not support the DHE_RSA methods on their server.

In the list of ciphersuites that Opera sends the server, the DHE_RSA ciphersuites are listed as more preferred than the corresponding RSA ciphersuite, so if the DHE method is not selected it is because the server either does not support the cipher suites (as is the case on google.com), or decided not to select it based on its own list of prioritized ciphersuites.
--
Reality corrupted. Reboot universe? (Y/N)
over 13.5 years online © 1999-2013 dslreports.com.