Broadband Tech > Security > Security > Google disables SSL compression in Chrome against new attack

reply to Name Game

Re: Google disables SSL compression in Chrome against new attack

Right and google invented SSL and TSL
Get real.
How can you protect yourself from CRIME, BEAST’s successor?
»security.blogoverflow.com/2012/0···ccessor/

Crack in Internet’s foundation of trust allows HTTPS session hijacking
safari info added:

»quickiphoneapps.com/crack-in-int···jacking/

--

Gladiator Security Forum
»www.gladiator-antivirus.com/

SPDY is an open standard developed by Google so what do you mean by "get real"? I didn't claim Google invented SSL and TSL....geez. Just because you are madly in love with Google doesn't mean everyone is or that your admiration and love is not misplaced.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Then I would remind you that Crime exploits TLS.

"The researchers who developed the attack that exploits this weakness say that all versions of TLS are affected, including TLS 1.2, and that the cipher suite used in the encrypted session makes no difference in the success of the attack."

And...
»SSL is broken and nearly impossible to fix

If you use Opera..even many month ago..

SSL2 should be disabled.
TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

But for Opera this was the problem even in Jan 2012

»my.opera.com/community/forums/to···=1262702

Firefox, with "HTTPS Everywhere" (which forces TLS when available), along with "Perspectives" (which polls various certificate notaries to bolster the browsers trust for the Certificate in question) should have been used, if possible.

Sooo..getting back to the real world..

Yes, TLS is vulnerable although supposedly Fx and SM are now patched according to the Arstechnica artile linked here in this thread.

But I am talking about SPDY and not just in the context of this exploit. You ignored this and instead began discussing TLS which is related but not the subject. I didn't know hardly anything about SPDY until this thread (it is not available on my default browser or my other Fx browser or Opera or IE so this thread is the first I have heard of it). I don't like the possible threat it poses to Proxo even if you use Proxo with the files that make it able to filter HTTPS sites which I have never done. FF4m3 says he had to disable it in Fx so that Proxo will filter HTTPS correctly. So, I am talking about SPDY and you deliberately? or obtusely? changed the subject to TLS.

I am in the real world. You though wandered off somewhere else.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

And you still don't know anything about SPDY and this thread is about Crime..Rizzo and TLS.

And this is a joke

»prxbx.com/forums/showthread.php?tid=2029
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

reply to Mele20
SPDY indicator
An indicator in the address bar for SPDY usage by each website.
»chrome.google.com/webstore/detai···ggcjblin
These are the sites that happen to use it today

reply to Mele20

reply to Name Game
Yes, it started out being about Crime and TLS but it quickly got into SPDY. If SPDY should not be in this thread then please "hey mod" the thread and ask that all the posts on SPDY be moved to a new thread that is open for posts as I, and I think some others, would like to pursue not only the relationship of SPDY and Crime but SPDY more generally.

I'm sure I don't know a lot about SPDY as it is new to me but it is inaccurate for you to claim I know nothing and sounds just like a spiteful remark because you don't like the turn this thread has taken.

Yeah, I was about to go to prxbx and see if there was anything there regarding SPDY. I am not too surprised at that thread. It is very early to be concerned and we don't have Sidki now...stlll...the reply was lacking but that doesn't mean that when push comes to shove that Proxo lovers will not be able to meet the challenge. But the time will come, some day, when, because we don't have the Proxo code, it will become less and less relevant but I don't see that happening for years.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

reply to Mele20

reply to Mele20
Have they told you if proxo with work with Windows 8..I hear it might be compatible but not tested..

We have a lot of experts guessing at what Crime might be able to do and how..so we shall see... I do remember in Beast there was a lot of speculation...

Because of Beast this happened..

»blog.torproject.org/blog/tor-and···l-attack

Then users were clamouring for TLS 1.1 or 1.2 support in firefox
»support.mozilla.org/en-US/questions/781028
Finally someone from Hawaii posted and
You might understand it all more in this thread where scarlettrunner20
shows people how to do a little test at "boh.com" The Bank of Hawaii .
»forums.mozillazine.org/viewtopic···=2310053
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

reply to FF4m3

reply to Name Game

reply to FF4m3

reply to Name Game

reply to Mele20
You are so funny..then stop using google and stop ranting about it.

reply to Mele20

reply to Name Game

quote:

---

The RFC also says that servers MUST accept that clients send extensions (and ignore the ones it cannot handle), and MUST accept that clients may signal a higher version than they support. Unfortunately, what the RFCs say, and what got implemented in the server can be two very different things. There is a reason why RFC 5746 (The Renego patch) includes a reminder about what the RFCs say on those two points.

---

reply to Name Game