<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Topic &#x27;Google disables SSL compression in Chrome against new attack&#x27; in forum &#x27;Security&#x27; - dslreports.com</title>
<link>http://www.dslreports.com/forum/Google-disables-SSL-compression-in-Chrome-against-new-attack-27519032</link>
<description></description>
<language>en</language>
<pubDate>Wed, 19 Jun 2013 08:47:30 EDT</pubDate>
<lastBuildDate>Wed, 19 Jun 2013 08:47:30 EDT</lastBuildDate>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27531019</link>
<description><![CDATA[Name Game posted : This should be a good tweet to follow to its final resolution.<br><br><div class="bquote"><p>Why firefox could not load the css correctly whereas chrome does?<br>Is there something wrong with the site? Chrome won't let me visit it.<br>We're investigating Google Chrome and some other services flagging our CDN as suspicious.<br>FireFox is blocking our CSS on the back end because of the same warning Chrome is displaying.</p></div>&raquo;<A HREF="http://twitter.com/VergeSupport" >twitter.com/VergeSupport</A><br><br>&raquo;<A HREF="http://www.theverge.com/" >www.theverge.com/</A><br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27531019</guid>
<pubDate>Mon, 17 Sep 2012 01:16:01 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27528206</link>
<description><![CDATA[Name Game posted : Well I think I am correct in assuming that the highest level of OS you run is XP  and maybe still only SP2 and that really limits one to browser choices and even how those choices really run in XP compared to how they run on newer OS's offered by Microsoft. Yes many of those other browsers will run on XP and they are advertised that way..but I think in reality they might not be that safe just because of the XP architecture. <br>I have the same problem with so many of my friends and family that I help..but at least they have the latest SP's for XP and then all the other updates to make it as secure as possible.<br><br>They are not rocket scientists..and just want two things..to enjoy the internet and all its features on the sites they frequent..and not to get infected. They don't have time to run and install other plugins or proggies to keep them safe and would not even understand why they need them..so options are limited.<br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27528206</guid>
<pubDate>Sat, 15 Sep 2012 20:58:09 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27528108</link>
<description><![CDATA[Mele20 posted : I already have older versions of SeaMonkey. I have several versions of every browser. <br><br>As for Opera, yes, Opera made a bad decision to try and keep up with other browser makers' insane schedule. Since 11.0 Opera has been producing seriously buggy final versions which was never the case before 11.0. But Opera, I suppose, has felt the need to do this. They, like Mozilla, are scared of the crappy Chrome browser. And they have to worry about the vast majority of computer users who like Chrome for the very reasons that most (not you though) knowledgeable computer users dislike it, and avoid it, or at least use Iron. <br><br>The ignorance of the masses has, as usual, forced terrible problems for those who bother to educate themselves. A less rapid release schedule is far superior to the garbage we get now with all the browsers in this insane race to be faster in the release schedule out of the real fear that the ignorant of computer users will believe that only the fastest to release new versions browser is a good one. That, of course, is absurdly ridiculous, and a lie, but it is easy to fool those who refuse to take any responsibility to educate themselves about computers but still insist on using them! <br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27528108</guid>
<pubDate>Sat, 15 Sep 2012 20:23:10 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27527204</link>
<description><![CDATA[Name Game posted : Some people are still using older versions of Opera just like you are still using Firefox versions 4.0.1 28. <br>  You also have the new  Sea Monkey 2.12.1 which became available  10 September, 2012  :D which now has Spdy.<br>so get an older version<br>&raquo;<A HREF="http://dev.oldapps.com/seamonkey.php?old_seamonkey=8200" >dev.oldapps.com/seamonkey.php?ol&middot;&middot;&middot;key=8200</A><br><br>This SPDY thing you are on about trying to  destroy Proxo is still funny and the only guinea pigs (no caps needed)  :D I know with Opera are the users who try to get their final releases to work over the years.  That's why many stick with older versions. Sound familiar ?<br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27527204</guid>
<pubDate>Sat, 15 Sep 2012 13:02:45 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526626</link>
<description><![CDATA[KodiacZiller posted : <div class="bquote"><said>said by <a href="/profile/825862" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=825862');">MeDuZa</a>:</said><p><div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>Exactly... </p></div>Not quite so Exactly.<br>- Opera(12) has HSTS support. evoxllx is wrong.<br>- Regarding ECDHE support:<br><br>  <BLOCKQUOTE><SMALL>quote:</SMALL><HR> Opera support Forward Secrecy in the form of the Ephemeral Diffie-Hellman (DHE) cipher suites, but not the Elliptic Curve DHE method Google selected to prioritize (At present Opera does not support Elliptic Curve crypto). Google seem to prioritize the ECDHE and RSA/ARC4 above the DHE methods (there is no DHE_RSA/ARC4 ciphersuite defined, which may explain that part; ARC4 is less costly than AES). AFAICT Google does not support the DHE_RSA methods on their server.<br><br>In the list of ciphersuites that Opera sends the server, the DHE_RSA ciphersuites are listed as more preferred than the corresponding RSA ciphersuite, so if the DHE method is not selected it is because the server either does not support the cipher suites (as is the case on google.com), or decided not to select it based on its own list of prioritized ciphersuites.<HR></BLOCKQUOTE><br><br> </p></div>ECC needs to become the standard already.  It is much more efficient than RSA (it uses much smaller keys, but they are equally secure at a smaller size).  Instead of a 2048 bit RSA key, you can get equivalent strength from a 224 bit ECC key, which makes it much faster and efficient.<br><small>--<br>Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526626</guid>
<pubDate>Sat, 15 Sep 2012 07:18:18 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526619</link>
<description><![CDATA[MeDuZa posted : <div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>Exactly... </p></div>Not quite so Exactly.<br>- Opera(12) has HSTS support. evoxllx is wrong.<br>- Regarding ECDHE support:<br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR> Opera support Forward Secrecy in the form of the Ephemeral Diffie-Hellman (DHE) cipher suites, but not the Elliptic Curve DHE method Google selected to prioritize (At present Opera does not support Elliptic Curve crypto). Google seem to prioritize the ECDHE and RSA/ARC4 above the DHE methods (there is no DHE_RSA/ARC4 ciphersuite defined, which may explain that part; ARC4 is less costly than AES). AFAICT Google does not support the DHE_RSA methods on their server.<br><br>In the list of ciphersuites that Opera sends the server, the DHE_RSA ciphersuites are listed as more preferred than the corresponding RSA ciphersuite, so if the DHE method is not selected it is because the server either does not support the cipher suites (as is the case on google.com), or decided not to select it based on its own list of prioritized ciphersuites.<HR></BLOCKQUOTE><br><small>--<br>Reality corrupted. Reboot universe? (Y/N)</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526619</guid>
<pubDate>Sat, 15 Sep 2012 07:08:56 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526503</link>
<description><![CDATA[Mele20 posted : Sigh. Why are you on such a tear?<br><br>The screenshot is from my favorite version of Opera, 10 Preview which I downloaded in Aug 2009. It has no Unite.  TLS 1.1 is checked. I've had it checked ever since it first appeared in an Opera version long before Beast attack last year. <br><br>You'll note from the screenshot that as far back as August 2009, Opera did not have SSL 2. I caught you out on that so I guess you are trying to get folks to forget that by going on about my being "funny". I believe the description fits you better.<br><br>"Panic over Crime"? Where in the world did you get that idea?  I am concerned about SPDY because of the possible implications for Proxo and the fact that on Sea Monkey the Fx extension won't install so I can't monitor SPDY usage. My other browsers don't use SPDY.  How does this translate to "panic over crime'?  Geez...you need to stop posting so much as you appear to be getting things all mixed up. :(<br><br>Stop putting words in my mouth. I never said Opera was a guinea pig. Go back and read what I said. I asked if Opera should be expected to START ACTING LIKE A GUINEA PIG by DEFAULTING to TLS 1.2. I pointed out the EXCELLENT reasons a highly respected security developer gave for why Opera defaults to TLS 1.0. YOU want Opera to be a guinea pig because you fault it for not defaulting to TLS 1.2. I do NOT want Opera to be a guinea pig and it is NOT one. <br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  
Thomas Jefferson</small><div class="borderless"><TABLE WIDTH=95% align=center border=0 CELLPADDING=4"><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/27526503?c=2033544&ret=L2ZvcnVtL3IyNzUxOTAzMi54bWw%3D"><IMG class="apic" BORDER=0 TITLE="61877 bytes" WIDTH=600 HEIGHT=647 SRC="/r0/download/2033544.thumb600~76c93a3f8a8ea15d602f29b0541f2912/Friday, September 14, 2012 20;40;44001.png/thumb.jpg" ALT="Click for full size"></A></TD></TABLE></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526503</guid>
<pubDate>Sat, 15 Sep 2012 03:25:16 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526289</link>
<description><![CDATA[DownTheShore posted : <div class="bquote"><said>said by FF4m3 :</said><p>Set as above.<br> </p></div>Thanks! :)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526289</guid>
<pubDate>Fri, 14 Sep 2012 23:48:00 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526173</link>
<description><![CDATA[Name Game posted : I like yours better since it displays in the thread. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526173</guid>
<pubDate>Fri, 14 Sep 2012 22:37:05 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526169</link>
<description><![CDATA[MagnusM posted : Seems you were quicker than me on that one  :D]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526169</guid>
<pubDate>Fri, 14 Sep 2012 22:34:28 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526157</link>
<description><![CDATA[Name Game posted : Thanks here is another one. <br>&raquo;<A HREF="/forum/r27522125-">Re: Google disables SSL compression in Chrome against new attack</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526157</guid>
<pubDate>Fri, 14 Sep 2012 22:28:22 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526134</link>
<description><![CDATA[MagnusM posted : Here is a video that shows the CRIME exploit in action:<br><br><p><div style='z-index:0; text-align:center;display:block;'><object width='425' height='350'><param name='movie' value="http://www.youtube.com/v/gGPhHYyg9r4"><param name=wmode value="transparent"><embed wmode="transparent" src="http://www.youtube.com/v/gGPhHYyg9r4" type='application/x-shockwave-flash' width='425' height='350' allowscriptaccess='samedomain'></embed></object></div></p><center>&raquo;<A HREF="http://www.youtube.com/watch?v=gGPhHYyg9r4" >www.youtube.com/watch?v=gGPhHYyg9r4</A></center><br><small>--<br>Mischel Internet Security - Developer of <A HREF="http://www.trojanhunter.com">TrojanHunter</a></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27526134</guid>
<pubDate>Fri, 14 Sep 2012 22:19:55 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27525910</link>
<description><![CDATA[Name Game posted : Exactly...So I would suggest to everyone who thinks the developer of their chosen browser is not on top of this issue of CRIME  or any other vulnerability ...to hold off and see what they do..but if you are so paranoid and think the developer is behind the power curve..then start disabling "whatever"..at least you will learn more about your internet ride than you did last week... or change your browser.... I'll let Chrome change my oil and filter. :)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27525910</guid>
<pubDate>Fri, 14 Sep 2012 20:45:25 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27525886</link>
<description><![CDATA[evoxllx posted : <div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>SSL 2 hasn't been around on Opera since version 10 or earlier I think. Hasn't been, I know for sure, on version 11.0 and above. <br><br>I don't know what  Name Game <A HREF="/useremail/u/655093"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> is referring to as the Opera forum link he gives points out the futility of starting with TLS 1.1 or TLS 1.2 as 98% of servers are not able to use it. Opera's main security developer explains Opera's reasoning in that thread.<br><br>So, Opera, for PRACTICAL reasons, defaults to SSL 3 and TLS 1.0. Why  Name Game <A HREF="/useremail/u/655093"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> thinks Opera should support a protocol that is not supported yet on the web, except in a tiny minority of cases, I don't understand. Opera should be a guinea pig? Why? I think he should clarify his comment.<br> </p></div>The percentage of sites that don't support it is irrelevant when the sites that DO support it are some of the most sought after when it comes to these types of attacks, not to mention some of the largest sites/services on the internet.<br><br>Google, Facebook, PayPal, CloudFlare, etc.<br><br>The reason it's so slow to rollout is mostly due to buggy network devices and servers.<br><br>That being said, Opera lacks many things that I think are more important, such as HSTS and ECDHE support.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27525886</guid>
<pubDate>Fri, 14 Sep 2012 20:35:19 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27525862</link>
<description><![CDATA[Name Game posted : You are still funny and if you used Opera..you would have done that last year to mitigate the BEAST..I posted that info in many forums myself and you can see it done here<br><br>&raquo;<A HREF="http://answers.yahoo.com/question/index?qid=20111115213605AAjCZy5" >answers.yahoo.com/question/index&middot;&middot;&middot;5AAjCZy5</A><br><br>&raquo;<A HREF="http://www.phonefactor.com/resources/CipherSuiteMitigationForBeast.pdf" >www.phonefactor.com/resources/Ci&middot;&middot;&middot;east.pdf</A><br><br>And that is also why I think your panic over Crime..which is still not even presented yet... is mostly FUD..Beast was even a bigger problem and caught many with their pants down. Opera is not a guinea pig..it is a browser that has been out there since 1996 and never is really ready for prime time in all of its development cycle and new versions.<br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27525862</guid>
<pubDate>Fri, 14 Sep 2012 20:19:57 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27525791</link>
<description><![CDATA[Mele20 posted : SSL 2 hasn't been around on Opera since version 10 or earlier I think. Hasn't been, I know for sure, on version 11.0 and above. <br><br>I don't know what  Name Game <A HREF="/useremail/u/655093"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> is referring to as the Opera forum link he gives points out the futility of starting with TLS 1.1 or TLS 1.2 as 98% of servers are not able to use it. Opera's main security developer explains Opera's reasoning in that thread.<br><br>So, Opera, for PRACTICAL reasons, defaults to SSL 3 and TLS 1.0. Why  Name Game <A HREF="/useremail/u/655093"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> thinks Opera should support a protocol that is not supported yet on the web, except in a tiny minority of cases, I don't understand. Opera should be a guinea pig? Why? I think he should clarify his comment.<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27525791</guid>
<pubDate>Fri, 14 Sep 2012 19:50:05 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27523381</link>
<description><![CDATA[anon posted : <A HREF="http://www.theregister.co.uk/2012/09/14/crime_tls_attack/">The perfect CRIME? New HTTPS web hijack attack explained</a>:<br><div class="bquote"><p>The so-called CRIME technique lures a vulnerable web browser into leaking an authentication cookie created when a user starts a secure session with a website. Once the cookie has been obtained, it can be used by hackers to login to the victim's account on the site.<br><br>The cookie is deduced by tricking the browser into sending compressed encrypted requests for files to a HTTPS website and exploiting information inadvertently leaked in the process. During the attack, the encrypted requests - each of which contains the cookie - are continually modified by malicious JavaScript code, and the changing size of the compressed message is used to determine the cookie's contents character by character.<br><br><b>Punters using web browsers that implement either TLS or SPDY compression are potentially at risk - but the vulnerability only comes into play if the victim visits a website that accepts the affected protocols. Support is widespread but far from ubiquitous.</b><br><br><b>The researchers worked with Mozilla and Google to ensure that both Firefox and Chrome are protected. Microsoft's Internet Explorer is not vulnerable to the attack, and only beta versions of Opera support SPDY. Smartphone browsers and other applications that rely on TLS may be vulnerable</b>, according to Ars Technica.<br><br>"Basically, the attacker is running a script on Evil.com," Rizzo <A HREF="http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312">explained to Kaspersky Labs' Threatpost</a>. "He forces the browser to open requests to Bank.com by, for example, adding  tags with the src pointing to Bank.com. 
Each of those requests contains data from mixed sources."<br><br>Each encrypted request includes an image file name - a constantly changing detail that is generated by the malicious script; the browser's identification headers, which don't change; and the login cookie, the target of the attack. When the file name matches part of the login cookie, the size of the message drops because the compression algorithm removes this redundancy.<br><br>"The problem is that compression combines all those sources together," Rizzo added. "The attacker can sniff the packets and get the size of the requests that are sent. By changing the [file name] path, he could attempt to minimise the request size, ie: when the file name matches the cookie."<br><br>This brute-force attack has been demonstrated against several sites including Dropbox, Github and Stripe. Affected organisations were notified by the pair, and the websites have reportedly suspended support for the leaky encryption compression protocols. Ivan Ristic, director of engineering at Qualys, estimates 42 percent of sites support TLS compression.<br><br>The researchers will present their work at the Ekoparty security conference in Buenos Aires, Argentina next week. In the meantime, Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, has a detailed take on the attack <A HREF="http://blog.whitehatsec.com/crime-mitm-and-xss/">here</a>.</p></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27523381</guid>
<pubDate>Fri, 14 Sep 2012 13:24:21 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27524200</link>
<description><![CDATA[caffeinator posted : <div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>If you use Opera..even many month ago..<br><br>SSL2 should be disabled.<br>TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers<br><br> </p></div>Hmm...<br><br>I'm still using Opera 11.64 on this box. Even so, when checking under security protocols, there is no SSL v2 listed at all. Only SSL v3 and the TLS variants.<br><br>[att=1]<br>Those are the default settings, I haven't had a need to change them.<br><br><small>--<br><br><A HREF="http://www.darkgrid.com/tribute/">My 9/11 Tribute</a>..online since 9/14/01 <br>Need an Avatar? Check out <A HREF="http://www.darkgrid.com/wafen/">Wafen's Avatar Pages</a></small><div class="borderless"><TABLE WIDTH=95% align=center border=0 CELLPADDING=4"><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/27524200?c=2033358&ret=L2ZvcnVtL3IyNzUxOTAzMi54bWw%3D"><IMG TITLE="28216 bytes" BORDER=0 WIDTH=438 HEIGHT=843 SRC="/r0/download/2033358~f33e3bf7dccf6382229adaf8f08cd061/Snap2.png"></A></TD></TABLE></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27524200</guid>
<pubDate>Fri, 14 Sep 2012 12:35:33 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27524002</link>
<description><![CDATA[norwegian posted : <div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>TLS 1.1 .... .... should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers<br></p></div>That comment seems to have merit. Turning it on has evolved my browsing experience.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27524002</guid>
<pubDate>Fri, 14 Sep 2012 11:47:27 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27523971</link>
<description><![CDATA[norwegian posted : <div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>SSL2 should be disabled.<br>TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers<br><br>But for Opera this was the problem even in Jan 2012<br><br>&raquo;<A HREF="http://my.opera.com/community/forums/topic.dml?id=1262702" >my.opera.com/community/forums/to&middot;&middot;&middot;=1262702</A><br></p></div>Quite a good link. However it is interesting in this quote:<br><br>  <BLOCKQUOTE><SMALL>quote:</SMALL><HR><i>The RFC also says that servers MUST accept that clients send extensions (and ignore the ones it cannot handle)</i>, and MUST accept that clients may signal a higher version than they support. Unfortunately, what the RFCs say, and what got implemented in the server can be two very different things. There is a reason why RFC 5746 (The Renego patch) includes a reminder about what the RFCs say on those two points.<HR></BLOCKQUOTE><br><br>Well, what can you say. It is all too similar to a lot of Internet browsing.<br><br>You have to allow for it to be a reply to a request. What we need to do is create an environment whereby that initial handshake doesn't allow all, doesn't allow by default, looks for certain strings....guess to some extent that may happen already and you to become pwoned....<br><br>So to start with not allowing anything but still recognize the link it needs....love to be able to have that signed in my name. :)<br><small>--<br>The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke<br><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27523971</guid>
<pubDate>Fri, 14 Sep 2012 11:39:46 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27523233</link>
<description><![CDATA[StuartMW posted : <div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>(God forbid that any of us be able to block Google ads).<br> </p></div>I use the AdBlock Plus extension in FF and don't see Google or any other ads. But use whatever does, or doesn't, work for you.<br><small>--<br>Don't feed trolls--it only makes them grow!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27523233</guid>
<pubDate>Fri, 14 Sep 2012 08:22:42 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27523198</link>
<description><![CDATA[Name Game posted : You are so funny..then stop using google and stop ranting about it.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27523198</guid>
<pubDate>Fri, 14 Sep 2012 08:02:02 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27523147</link>
<description><![CDATA[Mele20 posted : <div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>Have they told you if proxo will work with Windows 8..I hear it might be compatible but not tested..<br><br>You might understand it all more in this thread where scarlettrunner20<br>shows people how to do a little test at  "boh.com" The Bank of Hawaii .<br>&raquo;<A HREF="http://forums.mozillazine.org/viewtopic.php?f=7&t=2310053" >forums.mozillazine.org/viewtopic&middot;&middot;&middot;=2310053</A><br> </p></div>Proxo should work on Windows 8. As long as the web is based on HTTP protocol Proxo should work. Some sites may have problems when filtered by Proxo but that has always been the case and SPDY could pose some problems. When Sidki left public Proxo development after his 10/2010 filters gift to us users, he gave his notes, etc. to JJoe and JJoe gave us a filter set updating Sidki's last set in 12/11. I still use Sidki's 10/2010 filters on my host machine and JJoe's on virtual machines.<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27523147</guid>
<pubDate>Fri, 14 Sep 2012 07:16:28 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522957</link>
<description><![CDATA[Mele20 posted : <div class="bquote"><said>said by FF4m3 :</said><p><div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>Google wants Proxo dead.</p></div>No they don't. Google could care less about Proxo.<br></p></div>Google doesn't want Proxo dead? Then explain to me why they stopped allowing Proxo to fake a Google cookie?  Google has become more hostile toward Proxo in the last few years.<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522957</guid>
<pubDate>Fri, 14 Sep 2012 02:10:15 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522873</link>
<description><![CDATA[Name Game posted : Are you Desiree ???   ;)<br>&raquo;<A HREF="https://groups.google.com/forum/?fromgroups=#!topic/mozilla.support.seamonkey/BSTfZTLW9Ak" >groups.google.com/forum/?fromgro&middot;&middot;&middot;fZTLW9Ak</A><br><br>&raquo;<A HREF="https://github.com/chengsun/moz-spdy-indicator/issues/2" >github.com/chengsun/moz-spdy-ind&middot;&middot;&middot;issues/2</A><br><br>&raquo;<A HREF="https://support.google.com/chrome/bin/answer.py?hl=en&answer=95617&p=ui_security_indicator" >support.google.com/chrome/bin/an&middot;&middot;&middot;ndicator</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522873</guid>
<pubDate>Fri, 14 Sep 2012 00:46:21 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522808</link>
<description><![CDATA[redwolfe_98 posted : <div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>It puzzles me why there is a push for secure browsing</p></div>it concerns me because i don't like the idea that data that is transferred via a secure connection bypasses my av program's "webguard"..]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522808</guid>
<pubDate>Fri, 14 Sep 2012 00:16:28 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522743</link>
<description><![CDATA[Mele20 posted : <div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p>SPDY indicator<br>An indicator in the address bar for SPDY usage by each website.<br>&raquo;<A HREF="https://chrome.google.com/webstore/detail/mpbpobfflnpcgagjijhmgnchggcjblin" >chrome.google.com/webstore/detai&middot;&middot;&middot;ggcjblin</A><br>These are the sites that happen to use it today<br><br>As of March 2012, there are not many SPDY-enabled websites. <br><br>For Firefox one can do this..but there is no reason to..be more concerned about TLS.<br><br>&raquo;<A HREF="https://bugzilla.mozilla.org/show_bug.cgi?id=763163" >bugzilla.mozilla.org/show_bug.cgi?id=763163</A><br> </p></div>I only have SPDY on SeaMonkey and earlier today I disabled it in about:config. That was after I tried to install the SPDY indicator 2.1 and it won't install on SM. <br>&raquo;<A HREF="https://addons.mozilla.org/en-US/firefox/addon/spdy-indicator/?src=ss" >addons.mozilla.org/en-US/firefox&middot;&middot;&middot;/?src=ss</A><br><br>So, I disabled SPDY as I would want to know when it is being used. Then I went to SM support newsgroup and asked about the extension and if/when it will be available for Sea Monkey or if there is a trick to get it working now on SM. I got one response so far and it was "Huh"?   Someone who didn't know about SPDY like I didn't until this thread. <br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  
Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522743</guid>
<pubDate>Thu, 13 Sep 2012 23:42:43 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522708</link>
<description><![CDATA[Name Game posted : <div class="bquote"><said>said by FF4m3 :</said><p><div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>I don't like the possible threat it poses to Proxo even if you use Proxo with the files that make it able to filter HTTPS sites which I have never done. FF4m3 says he had to disable it in Fx so that Proxo will filter HTTPS correctly</p></div>From <A HREF="http://dev.chromium.org/spdy/spdy-whitepaper">SPDY: An experimental protocol for a faster web</a> I learned that SPDY has a goal to reduce the bandwidth currently used by HTTP by compressing headers, an admirable objective.<br><br>However, SPDY compresses request and response HTTP headers. Not so good for Proxo's digestive process. Hence my disabling of SPDY capabilities in Firefox.<br> </p></div>And even though the SPDY is spoken "speedy"  :D  It might not really be that fast today...<br><br>Performance<br><br><div class="bquote"><p>An independent study shows that, in testing, the page load time with SPDY is not significantly different on most websites from HTTP or HTTPS,[41] because old optimization techniques such as splitting the content between many hosts prevent pipelining from taking place.</p></div><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522708</guid>
<pubDate>Thu, 13 Sep 2012 23:27:59 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522689</link>
<description><![CDATA[Name Game posted : Have they told you if proxo will work with Windows 8..I hear it might be compatible but not tested..<br><br>We have a lot of experts guessing at what Crime might be able to do and how..so we shall see... I do remember in Beast there was a lot of speculation...<br><br>Because of Beast this happened..<br><br>&raquo;<A HREF="https://blog.torproject.org/blog/tor-and-beast-ssl-attack" >blog.torproject.org/blog/tor-and&middot;&middot;&middot;l-attack</A><br><br>Then users were clamouring for TLS 1.1 or 1.2 support in firefox<br>&raquo;<A HREF="http://support.mozilla.org/en-US/questions/781028" >support.mozilla.org/en-US/questions/781028</A><br>Finally someone from Hawaii posted and <br>You might understand it all more in this thread where scarlettrunner20<br>shows people how to do a little test at  "boh.com" The Bank of Hawaii .<br>&raquo;<A HREF="http://forums.mozillazine.org/viewtopic.php?f=7&t=2310053" >forums.mozillazine.org/viewtopic&middot;&middot;&middot;=2310053</A><br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522689</guid>
<pubDate>Thu, 13 Sep 2012 23:21:40 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522662</link>
<description><![CDATA[anon posted : <div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>Google wants Proxo dead.</p></div>No they don't. Google could care less about Proxo.<br><br>I don't rely only on Proxo to block Google ads. It's easy to completely block Google's ad servers via host file entries and Avast's internal site blocking capabilities.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522662</guid>
<pubDate>Thu, 13 Sep 2012 23:18:48 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522640</link>
<description><![CDATA[anon posted : <div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>I don't like the possible threat it poses to Proxo even if you use Proxo with the files that make it able to filter HTTPS sites which I have never done. FF4m3 says he had to disable it in Fx so that Proxo will filter HTTPS correctly</p></div>From <A HREF="http://dev.chromium.org/spdy/spdy-whitepaper">SPDY: An experimental protocol for a faster web</a> I learned that SPDY has a goal to reduce the bandwidth currently used by HTTP by compressing headers, an admirable objective.<br><br>However, SPDY compresses request and response HTTP headers. Not so good for Proxo's digestive process. Hence my disabling of SPDY capabilities in Firefox.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522640</guid>
<pubDate>Thu, 13 Sep 2012 23:18:06 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522649</link>
<description><![CDATA[Mele20 posted : Yes, it started out being about Crime and TLS but it quickly got into SPDY.  If SPDY should not be in this thread then please "hey mod" the thread and ask that all the posts on SPDY be moved to a new thread that is open for posts as I, and I think some others, would like to pursue not only the relationship of SPDY and Crime but SPDY more generally. <br><br>I'm sure I don't know a lot about SPDY as it is new to me but it is inaccurate for you to claim I know nothing and sounds just like a spiteful remark because you don't like the turn this thread has taken. :(<br><br>Yeah, I was about to go to prxbx and see if there was anything there regarding SPDY. I am not too surprised at that thread. It is very early to be concerned and we don't have Sidki now...still...the reply was lacking but that doesn't mean that when push comes to shove that Proxo lovers will not be able to meet the challenge. But the time will come, some day, when, because we don't have the Proxo code, it will become less and less relevant but I don't see that happening for years. <br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522649</guid>
<pubDate>Thu, 13 Sep 2012 23:04:06 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522634</link>
<description><![CDATA[Name Game posted : SPDY indicator<br>An indicator in the address bar for SPDY usage by each website.<br>&raquo;<A HREF="https://chrome.google.com/webstore/detail/mpbpobfflnpcgagjijhmgnchggcjblin" >chrome.google.com/webstore/detai&middot;&middot;&middot;ggcjblin</A><br>These are the sites that happen to use it today<br><div class="bquote"><p>Server support and usage<br><br>As of March 2012, there are not many SPDY-enabled websites. Some Google services (e.g. Google search, Gmail, and other SSL-enabled services) use SPDY when available.[26] Google's ads are also served from SPDY-enabled servers.[27]<br>Twitter has enabled SPDY on its servers in March 2012, making it the second largest site known to deploy SPDY.[28]<br>Cloudflare is also providing a beta of SPDY on their servers from June 2012, though users who would like to use/test it must be paying customers as SPDY is built on top of TLS, only paying customers can use SSL/TLS Certificates.[29]<br>In March 2012, the open source Jetty Web Server announced support for SPDY in version 7.6.2,[30] while other open source projects were working on implementing support for SPDY, like node.js,[31][32] Apache (mod_spdy),[33] curl,[34] and nginx.[35]<br>In April 2012 Google started providing SPDY packages for Apache servers which led some smaller websites to provide SPDY support.[36]<br>In May 2012 F5 Networks announced support for SPDY in its BIG-IP application delivery controllers.[37]<br>In June 2012 NGINX, Inc. 
announced support for SPDY in the open source web server Nginx.[38]<br>In July 2012 Facebook announced implementation plans for SPDY.[39]<br>In August 2012 Wordpress.com announced support for SPDY across all their hosted blogs.[40]</p></div>&raquo;<A HREF="http://en.wikipedia.org/wiki/SPDY" >en.wikipedia.org/wiki/SPDY</A><br><br>For Firefox one can do this..but there is no reason to..be more concerned about TLS.<br><br>&raquo;<A HREF="https://bugzilla.mozilla.org/show_bug.cgi?id=763163" >bugzilla.mozilla.org/show_bug.cgi?id=763163</A><br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522634</guid>
<pubDate>Thu, 13 Sep 2012 22:58:49 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522620</link>
<description><![CDATA[StuartMW posted : <div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>Yeah, I read that thread but that affects those who pirate.</p></div>I disagree. I don't pirate but that's not the point. Many ISP's now monitor traffic ostensibly in the name of preventing piracy but who knows what they do with the data they collect. No doubt the three letter agencies get a copy.<br><br>The bottom line: it's none of my ISP's (or anyone else's) business what I search for etc. But if you're ok with everything being monitored be my guest.<br><small>--<br>Don't feed trolls--it only makes them grow!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522620</guid>
<pubDate>Thu, 13 Sep 2012 22:49:29 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522558</link>
<description><![CDATA[Name Game posted : And you still don't know anything about SPDY and this thread is about Crime..Rizzo and TLS.  <br><br>And this is a joke<br><br>&raquo;<A HREF="http://prxbx.com/forums/showthread.php?tid=2029" >prxbx.com/forums/showthread.php?tid=2029</A><br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522558</guid>
<pubDate>Thu, 13 Sep 2012 22:22:04 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522520</link>
<description><![CDATA[Mele20 posted : Yes, TLS is vulnerable although supposedly Fx and SM are now patched according to the Arstechnica article linked here in this thread.<br><br>But I am talking about SPDY and not just in the context of this exploit. You ignored this and instead began discussing TLS which is related but not the subject. I didn't know hardly anything about SPDY until this thread (it is not available on my default browser or my other Fx browser or Opera or IE so this thread is the first I have heard of it). I don't like the possible threat it poses to Proxo even if you use Proxo with the files that make it able to filter HTTPS sites which I have never done. FF4m3 says he had to disable it in Fx so that Proxo will filter HTTPS correctly. So, I am talking about SPDY and you deliberately? or obtusely? changed the subject to TLS. :(<br><br>I am in the real world. You though wandered off somewhere else.<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522520</guid>
<pubDate>Thu, 13 Sep 2012 22:07:09 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522457</link>
<description><![CDATA[Name Game posted : Then I would remind you that Crime exploits TLS.<br><br>"The researchers who developed the attack that exploits this weakness say that all versions of TLS are affected, including TLS 1.2, and that the cipher suite used in the encrypted session makes no difference in the success of the attack."<br><br>And...<br>&raquo;<A HREF="/forum/r27067520-SSL-is-broken-and-nearly-impossible-to-fix">SSL is broken and nearly impossible to fix</A><br><br>If you use Opera..even many month ago..<br><br>SSL2 should be disabled.<br>TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers<br><br>But for Opera this was the problem even in Jan 2012<br><br>&raquo;<A HREF="http://my.opera.com/community/forums/topic.dml?id=1262702" >my.opera.com/community/forums/to&middot;&middot;&middot;=1262702</A><br><br>Firefox, with "HTTPS Everywhere" (which forces TLS when available), along with "Perspectives" (which polls various certificate notaries to bolster the browsers trust for the Certificate in question) should have been   used, if possible.<br><br>Sooo..getting back to the real world..<br><br><div class="bquote"><p><b>Rizzo confirmed Thursday via email that CRIME exploits that data compression feature of SSL and TLS. However, SPDY -- a networking protocol that uses a similar compression scheme -- is also vulnerable, he said.</b></p></div>&raquo;<A HREF="http://www.pcworld.idg.com.au/article/436448/_crime_attack_abuses_ssl_tls_data_compression_feature_hijack_https_sessions/" >www.pcworld.idg.com.au/article/4&middot;&middot;&middot;essions/</A><br><br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522457</guid>
<pubDate>Thu, 13 Sep 2012 21:42:25 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522356</link>
<description><![CDATA[Mele20 posted : SPDY is an open standard <b>developed by Google</b> so what do you mean by "get real"?  I didn't claim Google invented SSL and TLS....geez. Just because you are madly in love with Google doesn't mean everyone is or that your admiration and love is not misplaced.<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522356</guid>
<pubDate>Thu, 13 Sep 2012 21:07:05 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522277</link>
<description><![CDATA[anon posted : SPDY ON on Firefox 15!!! not on 10ESR<br><br>No wonder why Firefox Mobile has discontinued 10.0.7 ESR and force users to use 15.0.1<br><br>Just turned off SPDY in Firefox mobile 15, Thx a million!!! Shame Mozilla!!!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522277</guid>
<pubDate>Thu, 13 Sep 2012 21:04:20 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522336</link>
<description><![CDATA[Mele20 posted : Oh...the pirating thing....haven't done that in many years...errr...if I ever did.  :p  Yeah, I read that thread but that affects those who pirate. The ISPs have always been able to track the users so the only difference now is they will do so in connection with RIAA and that is the pits but unless you are a current pirate how does it affect you differently from before this? <br><br>I would be very pissed if my idiot state legislature had passed that hairbrained law that one representative introduced last session because she didn't know how to properly protect her website, but that got canned and I don't equate looking for pirates to be anything like what the state law would have been if passed and implemented. It is this latter crap that we must protest and stop.<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522336</guid>
<pubDate>Thu, 13 Sep 2012 20:59:06 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522225</link>
<description><![CDATA[StuartMW posted : <div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>...maybe I am missing something though.....<br> </p></div>I think so.<br><br><a href="https://www.privateinternetaccess.com/blog/2012/03/your-isp-is-going-to-spy-on-you-starting-july-12-2012/">Your ISP is Going to Spy on You Starting July 12, 2012</a><br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>One year ago, the RIAA and the MPAA organized a project with the largest internet service providers in the US to begin monitoring their customer's internet activity.  This monitoring was introduced as a joint coalition to combat piracy.  <br><HR></BLOCKQUOTE><br><small>--<br>Don't feed trolls--it only makes them grow!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522225</guid>
<pubDate>Thu, 13 Sep 2012 20:30:14 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522219</link>
<description><![CDATA[Name Game posted : Right and google invented SSL and TLS   :D :D :D<br>Get real.<br><b>How can you protect yourself from CRIME, BEAST's successor?</b><br>&raquo;<A HREF="http://security.blogoverflow.com/2012/09/how-can-you-protect-yourself-from-crime-beasts-successor/" >security.blogoverflow.com/2012/0&middot;&middot;&middot;ccessor/</A><br><br><b>Crack in Internet's foundation of trust allows HTTPS session hijacking</b><br>safari info added:<br><br>&raquo;<A HREF="http://quickiphoneapps.com/crack-in-internets-foundation-of-trust-allows-https-session-hijacking/" >quickiphoneapps.com/crack-in-int&middot;&middot;&middot;jacking/</A><br><br><small>--<br><br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522219</guid>
<pubDate>Thu, 13 Sep 2012 20:27:08 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522215</link>
<description><![CDATA[Mele20 posted : Well, I had forgotten momentarily that Google Sharing extension forces SSL connection. I love the extension but I see no real need for SSL for searches if the extension is scrambling and mixing up my search with a bunch of others. Because I don't use SSL for Proxo it means I see ads on Google searches using Google Sharing. <br><br>As for my ISP, well, gee, again I don't see why I should get upset about them theoretically being able to see everywhere I go. That has been the case since I got a computer in 1999. Why the sudden concern now, but not for all these past years? My ISP has never betrayed me (except for trying to force their search page for urls that are mistyped but I could easily and permanently opt out), but Google sure would just as Facebook, etc would.. and Yahoo...I haven't been to Yahoo about 10 years. They are the worst for betrayal and snooping...but my ISP? As I said, why would that suddenly concern me when it hasn't in all these years? I haven't seen my ISP suddenly becoming evil...maybe I am missing something though.....<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522215</guid>
<pubDate>Thu, 13 Sep 2012 20:26:54 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522178</link>
<description><![CDATA[Mele20 posted : <div class="bquote"><said>said by <a href="/profile/655093" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=655093');">Name Game</a>:</said><p><div class="bquote"><p> SPDY is an open standard developed by Google to speed up Web-page load times and often uses TLS encryption. </p></div></p></div>So, this is a Google invention? That explains it. Google wants Proxo dead. (God forbid that any of us be able to block Google ads). Screw Google. I am so glad I don't use ANY of their crap except their search engine and I have Google Sharing extension on Fx and SM to thwart Google tracking me when using their search engine.<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522178</guid>
<pubDate>Thu, 13 Sep 2012 20:15:38 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522168</link>
<description><![CDATA[StuartMW posted : <div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>It puzzles me why there is a push for secure browsing when it is just ordinary browsing.<br> </p></div>Because using HTTPS makes snooping harder. I use SSL with Google/GoogleSharing to prevent my ISP from monitoring my searches. Bob might still be able to see stuff but without going to great lengths I can't stop that :(<br><small>--<br>Don't feed trolls--it only makes them grow!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522168</guid>
<pubDate>Thu, 13 Sep 2012 20:13:38 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522148</link>
<description><![CDATA[Name Game posted : Looks to me one would still have to do a MITM for this one.<br><br>&raquo;<A HREF="http://blog.whitehatsec.com/crime-mitm-and-xss/" >blog.whitehatsec.com/crime-mitm-and-xss/</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522148</guid>
<pubDate>Thu, 13 Sep 2012 20:07:58 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522146</link>
<description><![CDATA[Mele20 posted : Thanks for the link. That was an interesting article. I knew very little about SPDY and any browser until this thread and that article was informative not just for Opera but in a more general way also.<br><br>I don't use secure web browsing except for banking or logging in somewhere. It puzzles me why there is a push for secure browsing when it is just ordinary browsing. I saw the Opera article refer to a Fx extension that shows you when SPDY is being used. I hope it will install on SM since I don't have a Fx version that has SPDY.<br><br>I wonder if this is the beginning of the eventual end of Proxo?  I don't use Proxo SSL because the only SSL I need is for banking, and logging in to sites that require that, and the rare times when I purchase something on the internet (and I am extremely reluctant to do that so only if I absolutely have to as I can't find the item here or a reasonable substitute). <br><br>I obviously don't care how fast a browser is since my favorite browser is Fx 4 and it is much slower than Opera 12 but Opera 12 is an awful browser. Why sacrifice a good browser on the speed altar? So, I am not in need of SPDY and will disable it on any browser I see it on.<br><small>--<br>When governments fear people, there is liberty. When the people fear the government, there is tyranny.  Thomas Jefferson</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522146</guid>
<pubDate>Thu, 13 Sep 2012 20:07:22 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522125</link>
<description><![CDATA[Name Game posted : <div class="bquote"><p>Rizzo said that browsers that implement either TLS or SPDY compression are known to be vulnerable. That includes Google Chrome and Mozilla Firefox, as well as Amazon Silk. But the attack also works against several popular Web services, such as Gmail, Twitter, Dropbox and Yahoo Mail. SPDY is an open standard developed by Google to speed up Web-page load times and often uses TLS encryption.<br><br>Google and Mozilla have developed patches to defend against the CRIME attack, Rizzo said, and the latest versions of Chrome and Firefox are protected. </p></div>CRIME vs startups<br><br>&raquo;<A HREF="http://www.youtube.com/watch?feature=&v=gGPhHYyg9r4" >www.youtube.com/watch?feature=&v=gGPhHYyg9r4</A><br><small>--<br>Gladiator Security Forum <br> &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522125</guid>
<pubDate>Thu, 13 Sep 2012 20:01:30 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522123</link>
<description><![CDATA[StuartMW posted : <div class="bquote"><said>said by <a href="/profile/403861" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=403861');">Mele20</a>:</said><p>So this protocol was added to Mozilla browsers within the last six months thereabouts.<br> </p></div>FF 12.0, which was released in late April 2012, included SPDY v1 support but it was disabled by default. As I recall v13.0 enabled it by default.<br><br>FF 15.0 has SPDY v1 and v2 enabled by default but v3 (supported) is disabled.<br><br>As I posted above disabling SPDY doesn't have much effect so just turn it off and be happy (or not) :D<br><small>--<br>Don't feed trolls--it only makes them grow!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522123</guid>
<pubDate>Thu, 13 Sep 2012 20:00:41 EDT</pubDate>
</item>

<item>
<title>Re: Google disables SSL compression in Chrome against new attack</title>
<link>http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522066</link>
<description><![CDATA[norwegian posted : I did find this link at dev.opera though.<br><br>&raquo;<A HREF="http://dev.opera.com/articles/view/opera-spdy-build/" >dev.opera.com/articles/view/oper&middot;&middot;&middot;y-build/</A><br><br> <BLOCKQUOTE><SMALL>quote:</SMALL><HR>SPDY would come in Opera 12.50 (if it's not hit by any major problems)<HR></BLOCKQUOTE> which isn't too far away? The team may review needs should this all come to a head before release I would think? Speculation though. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Google-disables-SSL-compression-in-Chrome-against-new-attack-27522066</guid>
<pubDate>Thu, 13 Sep 2012 19:41:50 EDT</pubDate>
</item>

</channel>
</rss>
