
Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI) to Mele20

Re: Google disables SSL compression in Chrome against new attack

Right, and Google invented SSL and TLS.
Get real.
How can you protect yourself from CRIME, BEAST’s successor?
»security.blogoverflow.co ··· ccessor/

Crack in Internet’s foundation of trust allows HTTPS session hijacking
safari info added:

»quickiphoneapps.com/crac ··· jacking/
Mele20 (Premium Member, join:2001-06-05, Hilo, HI)

SPDY is an open standard developed by Google, so what do you mean by "get real"? I didn't claim Google invented SSL and TLS....geez. Just because you are madly in love with Google doesn't mean everyone is or that your admiration and love is not misplaced.

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI)

Then I would remind you that Crime exploits TLS.

"The researchers who developed the attack that exploits this weakness say that all versions of TLS are affected, including TLS 1.2, and that the cipher suite used in the encrypted session makes no difference in the success of the attack."

And...
»SSL is broken and nearly impossible to fix

If you use Opera..even many months ago..

SSL2 should be disabled.
TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

But for Opera this was the problem even in Jan 2012

»my.opera.com/community/f ··· =1262702

Firefox, with "HTTPS Everywhere" (which forces TLS when available), along with "Perspectives" (which polls various certificate notaries to bolster the browser's trust in the certificate in question), should have been used, if possible.

Sooo..getting back to the real world..

Rizzo confirmed Thursday via email that CRIME exploits that data compression feature of SSL and TLS. However, SPDY -- a networking protocol that uses a similar compression scheme -- is also vulnerable, he said.

»www.pcworld.idg.com.au/a ··· essions/
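The two settings this post keeps coming back to, TLS-level compression (the precondition CRIME relies on) and the browser's protocol floor, are things a client can pin down in configuration. The following is an added example, not code from the thread or from any browser vendor: it uses Python's standard ssl module to build a client context with compression disabled and TLS 1.2 as the minimum, beside a deliberately loosened context, plus an audit function that reports which of those settings are missing. The function names are my own; `ssl.OP_NO_COMPRESSION`, `SSLContext.minimum_version` and `verify_mode` are real Python APIs. It switches off TLS compression only; SPDY's header compression, which Rizzo says is also affected, is a separate layer.

```python
import ssl
import warnings

# Added example (not from the thread). Function names are assumptions; the
# ssl APIs used (OP_NO_COMPRESSION, minimum_version, verify_mode) are real.


def hardened_client_context() -> ssl.SSLContext:
    """Client context with the settings the post argues for: TLS-level
    compression off (the CRIME precondition), SSLv2/SSLv3/TLS 1.0/1.1
    refused via a TLS 1.2 floor, server certificate verification on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.verify_mode = ssl.CERT_REQUIRED      # already the default for TLS_CLIENT
    ctx.check_hostname = True
    # Call ctx.load_default_certs() before real use; omitted so this runs offline.
    return ctx


def loosened_client_context() -> ssl.SSLContext:
    """Constructed 'before' state for comparison: compression allowed again
    and the protocol floor dropped to TLS 1.0 where the local OpenSSL still
    permits it (TLS 1.0/1.1 are deprecated in recent Python releases)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options &= ~ssl.OP_NO_COMPRESSION    # clear the bit Python sets by default
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError:
            pass  # OpenSSL built without TLS 1.0: the floor keeps its default
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found; an empty list means all three checks pass."""
    findings = []
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression enabled (CRIME precondition)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("loosened", loosened_client_context())):
        print(label, audit_context(ctx) or ["ok"])
```

On a live connection the same property can be confirmed after the handshake with `SSLSocket.compression()`, which returns `None` when no compression method was negotiated.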
Mele20 (Premium Member, join:2001-06-05, Hilo, HI)

Yes, TLS is vulnerable, although supposedly Fx and SM are now patched according to the Ars Technica article linked here in this thread.

But I am talking about SPDY and not just in the context of this exploit. You ignored this and instead began discussing TLS, which is related but not the subject. I hardly knew anything about SPDY until this thread (it is not available on my default browser or my other Fx browser or Opera or IE, so this thread is the first I have heard of it). I don't like the possible threat it poses to Proxo even if you use Proxo with the files that make it able to filter HTTPS sites, which I have never done. FF4m3 says he had to disable it in Fx so that Proxo will filter HTTPS correctly. So, I am talking about SPDY and you deliberately? or obtusely? changed the subject to TLS.

I am in the real world. You though wandered off somewhere else.

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI)

And you still don't know anything about SPDY and this thread is about Crime..Rizzo and TLS.

And this is a joke

»prxbx.com/forums/showthr ··· tid=2029
Name Game to Mele20

SPDY indicator
An indicator in the address bar for SPDY usage by each website.
»chrome.google.com/websto ··· ggcjblin
These are the sites that happen to use it today

Server support and usage

As of March 2012, there are not many SPDY-enabled websites. Some Google services (e.g. Google search, Gmail, and other SSL-enabled services) use SPDY when available.[26] Google's ads are also served from SPDY-enabled servers.[27]
Twitter has enabled SPDY on its servers in March 2012, making it the second largest site known to deploy SPDY.[28]
Cloudflare is also providing a beta of SPDY on their servers from June 2012, though users who would like to use/test it must be paying customers as SPDY is built on top of TLS, only paying customers can use SSL/TLS Certificates.[29]
In March 2012, the open source Jetty Web Server announced support for SPDY in version 7.6.2,[30] while other open source projects were working on implementing support for SPDY, like node.js,[31][32] Apache (mod_spdy),[33] curl,[34] and nginx.[35]
In April 2012 Google started providing SPDY packages for Apache servers which led some smaller websites to provide SPDY support.[36]
In May 2012 F5 Networks announced support for SPDY in its BIG-IP application delivery controllers.[37]
In June 2012 NGINX, Inc. announced support for SPDY in the open source web server Nginx.[38]
In July 2012 Facebook announced implementation plans for SPDY.[39]
In August 2012 Wordpress.com announced support for SPDY across all their hosted blogs.[40]

»en.wikipedia.org/wiki/SPDY

For Firefox one can do this..but there is no reason to..be more concerned about TLS.

»bugzilla.mozilla.org/sho ··· d=763163

FF4m3 (Anon, @bhn.net) to Mele20

said by Mele20:

I don't like the possible threat it poses to Proxo even if you use Proxo with the files that make it able to filter HTTPS sites which I have never done. FF4m3 says he had to disable it in Fx so that Proxo will filter HTTPS correctly

From SPDY: An experimental protocol for a faster web I learned that SPDY has a goal to reduce the bandwidth currently used by HTTP by compressing headers, an admirable objective.

However, SPDY compresses request and response HTTP headers. Not so good for Proxo's digestive process. Hence my disabling of SPDY capabilities in Firefox.
Mele20 (Premium Member, join:2001-06-05, Hilo, HI) to Name Game

Yes, it started out being about Crime and TLS but it quickly got into SPDY. If SPDY should not be in this thread then please "hey mod" the thread and ask that all the posts on SPDY be moved to a new thread that is open for posts as I, and I think some others, would like to pursue not only the relationship of SPDY and Crime but SPDY more generally.

I'm sure I don't know a lot about SPDY as it is new to me but it is inaccurate for you to claim I know nothing and sounds just like a spiteful remark because you don't like the turn this thread has taken.

Yeah, I was about to go to prxbx and see if there was anything there regarding SPDY. I am not too surprised at that thread. It is very early to be concerned and we don't have Sidki now...still...the reply was lacking, but that doesn't mean that when push comes to shove Proxo lovers will not be able to meet the challenge. But the time will come, some day, when, because we don't have the Proxo code, it will become less and less relevant, but I don't see that happening for years.

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI)

Have they told you if Proxo will work with Windows 8..I hear it might be compatible but not tested..

We have a lot of experts guessing at what Crime might be able to do and how..so we shall see... I do remember in Beast there was a lot of speculation...

Because of Beast this happened..

»blog.torproject.org/blog ··· l-attack

Then users were clamouring for TLS 1.1 or 1.2 support in firefox
»support.mozilla.org/en-U ··· s/781028
Finally someone from Hawaii posted, and you might understand it all more in this thread where scarlettrunner20 shows people how to do a little test at "boh.com", the Bank of Hawaii.
»forums.mozillazine.org/v ··· =2310053
Name Game to FF4m3

said by FF4m3:

said by Mele20:

I don't like the possible threat it poses to Proxo even if you use Proxo with the files that make it able to filter HTTPS sites which I have never done. FF4m3 says he had to disable it in Fx so that Proxo will filter HTTPS correctly

From SPDY: An experimental protocol for a faster web I learned that SPDY has a goal to reduce the bandwidth currently used by HTTP by compressing headers, an admirable objective.

However, SPDY compresses request and response HTTP headers. Not so good for Proxo's digestive process. Hence my disabling of SPDY capabilities in Firefox.

And even though SPDY is spoken "speedy", it might not really be that fast today...

Performance

An independent study shows that, in testing, the page load time with SPDY is not significantly different on most websites from HTTP or HTTPS,[41] because old optimization techniques such as splitting the content between many hosts prevent pipelining from taking place.

Mele20 (Premium Member, join:2001-06-05, Hilo, HI) to Name Game

said by Name Game:

SPDY indicator
An indicator in the address bar for SPDY usage by each website.
»chrome.google.com/websto ··· ggcjblin
These are the sites that happen to use it today

As of March 2012, there are not many SPDY-enabled websites.

For Firefox one can do this..but there is no reason to..be more concerned about TLS.

»bugzilla.mozilla.org/sho ··· d=763163

I only have SPDY on SeaMonkey and earlier today I disabled it in about:config. That was after I tried to install the SPDY indicator 2.1 and it won't install on SM.
»addons.mozilla.org/en-US ··· /?src=ss

So, I disabled SPDY as I would want to know when it is being used. Then I went to the SM support newsgroup and asked about the extension and if/when it will be available for Sea Monkey or if there is a trick to get it working now on SM. I got one response so far and it was "Huh?" Someone who didn't know about SPDY, like I didn't until this thread.

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI)

Are you Desiree???
»groups.google.com/forum/ ··· fZTLW9Ak

»github.com/chengsun/moz- ··· issues/2

»support.google.com/chrom ··· ndicator
Mele20 (Premium Member, join:2001-06-05, Hilo, HI) to Name Game

said by Name Game:

Have they told you if Proxo will work with Windows 8..I hear it might be compatible but not tested..

You might understand it all more in this thread where scarlettrunner20 shows people how to do a little test at "boh.com", the Bank of Hawaii.
»forums.mozillazine.org/v ··· =2310053

Proxo should work on Windows 8. As long as the web is based on HTTP protocol Proxo should work. Some sites may have problems when filtered by Proxo but that has always been the case and SPDY could pose some problems. When Sidki left public Proxo development after his 10/2010 filters gift to us users, he gave his notes, etc. to JJoe and JJoe gave us a filter set updating Sidki's last set in 12/11. I still use Sidki's 10/2010 filters on my host machine and JJoe's on virtual machines.

norwegian (Premium Member, join:2005-02-15, Outback) to Name Game

said by Name Game:

SSL2 should be disabled.
TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

But for Opera this was the problem even in Jan 2012

»my.opera.com/community/f ··· =1262702

Quite a good link. However, it is interesting in this quote:
quote:
The RFC also says that servers MUST accept that clients send extensions (and ignore the ones it cannot handle), and MUST accept that clients may signal a higher version than they support. Unfortunately, what the RFCs say, and what got implemented in the server can be two very different things. There is a reason why RFC 5746 (The Renego patch) includes a reminder about what the RFCs say on those two points.
Well, what can you say. It is all too similar to a lot of Internet browsing.

You have to allow for it to be a reply to a request. What we need to do is create an environment whereby that initial handshake doesn't allow all, doesn't allow by default, looks for certain strings....guess to some extent that may happen already and you get pwned....

So to start with not allowing anything but still recognize the link it needs....love to be able to have that signed in my name.
norwegian to Name Game

said by Name Game:

TLS 1.1 .... .... should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

That comment seems to have merit. Turning it on has evolved my browsing experience.

caffeinator (Coming soon to a cup near you.., Premium Member, join:2005-01-16) to Name Game

said by Name Game:

If you use Opera..even many month ago..

SSL2 should be disabled.
TLS 1.1 and TLS 1.2 should be enabled and are preferred, though TLS 1.2 was not yet supported on many servers

Hmm...

I'm still using Opera 11.64 on this box. Even so, when checking under security protocols, there is no SSL v2 listed at all. Only SSL v3 and the TLS variants.

Those are the default settings, I haven't had a need to change them.
Mele20 (Premium Member, join:2001-06-05, Hilo, HI)

SSL 2 hasn't been around on Opera since version 10 or earlier I think. Hasn't been, I know for sure, on version 11.0 and above.

I don't know what Name Game is referring to as the Opera forum link he gives points out the futility of starting with TLS 1.1 or TLS 1.2 as 98% of servers are not able to use it. Opera's main security developer explains Opera's reasoning in that thread.

So, Opera, for PRACTICAL reasons, defaults to SSL 3 and TLS 1.0. Why Name Game thinks Opera should support a protocol that is not supported yet on the web, except in a tiny minority of cases, I don't understand. Opera should be a guinea pig? Why? I think he should clarify his comment.

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI)

You are still funny, and if you used Opera..you would have done that last year to mitigate the BEAST..I posted that info in many forums myself and you can see it done here

»answers.yahoo.com/questi ··· 5AAjCZy5

»www.phonefactor.com/reso ··· east.pdf

And that is also why I think your panic over Crime..which has still not even been presented yet... is mostly FUD..Beast was an even bigger problem and caught many with their pants down. Opera is not a guinea pig..it is a browser that has been out there since 1996 and never is really ready for prime time in all of its development cycle and new versions.
evoxllx (Member, join:2007-06-07, Winter Park, FL) to Mele20

said by Mele20:

SSL 2 hasn't been around on Opera since version 10 or earlier I think. Hasn't been, I know for sure, on version 11.0 and above.

I don't know what Name Game is referring to as the Opera forum link he gives points out the futility of starting with TLS 1.1 or TLS 1.2 as 98% of servers are not able to use it. Opera's main security developer explains Opera's reasoning in that thread.

So, Opera, for PRACTICAL reasons, defaults to SSL 3 and TLS 1.0. Why Name Game thinks Opera should support a protocol that is not supported yet on the web, except in a tiny minority of cases, I don't understand. Opera should be a guinea pig? Why? I think he should clarify his comment.

The percentage of sites that don't support it is irrelevant when the sites that DO support it are some of the most sought after when it comes to these types of attacks, not to mention some of the largest sites/services on the internet.

Google, Facebook, PayPal, CloudFlare, etc.

The reason it's so slow to roll out is mostly due to buggy network devices and servers.

That being said, Opera lacks many things that I think are more important, such as HSTS and ECDHE support.

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI)

Exactly...So I would suggest to everyone who thinks the developer of their chosen browser is not on top of this issue of CRIME or any other vulnerability ...to hold off and see what they do..but if you are so paranoid and think the developer is behind the power curve..then start disabling "whatever"..at least you will learn more about your internet ride than you did last week... or change your browser.... I'll let Chrome change my oil and filter.
Mele20 (Premium Member, join:2001-06-05, Hilo, HI) to Name Game

Sigh. Why are you on such a tear?

The screenshot is from my favorite version of Opera, 10 Preview which I downloaded in Aug 2009. It has no Unite. TLS 1.1 is checked. I've had it checked ever since it first appeared in an Opera version long before Beast attack last year.

You'll note from the screenshot that as far back as August 2009, Opera did not have SSL 2. I caught you out on that so I guess you are trying to get folks to forget that by going on about my being "funny". I believe the description fits you better.

"Panic over Crime"? Where in the world did you get that idea? I am concerned about SPDY because of the possible implications for Proxo and the fact that on Sea Monkey the Fx extension won't install, so I can't monitor SPDY usage. My other browsers don't use SPDY. How does this translate to "panic over Crime"? Geez...you need to stop posting so much as you appear to be getting things all mixed up.

Stop putting words in my mouth. I never said Opera was a guinea pig. Go back and read what I said. I asked if Opera should be expected to START ACTING LIKE A GUINEA PIG by DEFAULTING to TLS 1.2. I pointed out the EXCELLENT reasons a highly respected security developer gave for why Opera defaults to TLS 1.0. YOU want Opera to be a guinea pig because you fault it for not defaulting to TLS 1.2. I do NOT want Opera to be a guinea pig and it is NOT one.

MeDuZa (Member, join:2003-06-13, Austria) to Name Game

said by Name Game:

Exactly...

Not quite so Exactly.
- Opera(12) has HSTS support. evoxllx is wrong.
- Regarding ECDHE support:
quote:
Opera support Forward Secrecy in the form of the Ephemeral Diffie-Hellman (DHE) cipher suites, but not the Elliptic Curve DHE method Google selected to prioritize (At present Opera does not support Elliptic Curve crypto). Google seem to prioritize the ECDHE and RSA/ARC4 above the DHE methods (there is no DHE_RSA/ARC4 ciphersuite defined, which may explain that part; ARC4 is less costly than AES). AFAICT Google does not support the DHE_RSA methods on their server.

In the list of ciphersuites that Opera sends the server, the DHE_RSA ciphersuites are listed as more preferred than the corresponding RSA ciphersuite, so if the DHE method is not selected it is because the server either does not support the cipher suites (as is the case on google.com), or decided not to select it based on its own list of prioritized ciphersuites.

KodiacZiller (Premium Member, join:2008-09-04, 73368)

said by MeDuZa:

said by Name Game:

Exactly...

Not quite so Exactly.
- Opera(12) has HSTS support. evoxllx is wrong.
- Regarding ECDHE support:
quote:
Opera support Forward Secrecy in the form of the Ephemeral Diffie-Hellman (DHE) cipher suites, but not the Elliptic Curve DHE method Google selected to prioritize (At present Opera does not support Elliptic Curve crypto). Google seem to prioritize the ECDHE and RSA/ARC4 above the DHE methods (there is no DHE_RSA/ARC4 ciphersuite defined, which may explain that part; ARC4 is less costly than AES). AFAICT Google does not support the DHE_RSA methods on their server.

In the list of ciphersuites that Opera sends the server, the DHE_RSA ciphersuites are listed as more preferred than the corresponding RSA ciphersuite, so if the DHE method is not selected it is because the server either does not support the cipher suites (as is the case on google.com), or decided not to select it based on its own list of prioritized ciphersuites.

ECC needs to become the standard already. It is much more efficient than RSA (it uses much smaller keys, but they are equally secure at a smaller size). Instead of a 2048 bit RSA key, you can get equivalent strength from a 224 bit ECC key, which makes it much faster and more efficient.
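The quoted Opera comment (in MeDuZa's post and again above) makes a point that is easy to check for any client: whether the ephemeral DHE/ECDHE suites are ranked ahead of the static RSA ones in the list the client sends, since a server that simply picks the client's first supported suite will otherwise land on a non-forward-secret one. The following is an added example, not code from the thread, from Opera or from Google: it uses Python's ssl module to turn an OpenSSL cipher string into the ordered offer list, classifies each suite by key exchange, and reports whether the forward-secret suites come first. The function names and the two cipher strings are my own constructed inputs; `SSLContext.set_ciphers()` and `get_ciphers()` are real Python APIs.

```python
import re
import ssl

# Added example (not from the thread). Function names and the cipher strings
# are assumptions; SSLContext.set_ciphers()/get_ciphers() are real APIs.

# Suites named ECDHE-... or DHE-... use an ephemeral key exchange, so recorded
# traffic stays unreadable if the server's long-term key leaks later.
EPHEMERAL_PREFIX = re.compile(r"^(ECDHE|DHE)-")


def key_exchange_order(cipher_string: str) -> list:
    """Return [(suite, 'ephemeral' | 'static'), ...] in the order a client
    configured with cipher_string would offer them to the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    order = []
    for suite in ctx.get_ciphers():          # already in preference order
        name = suite["name"]
        # TLS 1.3 suites (which OpenSSL lists first) always use (EC)DHE.
        if suite["protocol"] == "TLSv1.3" or EPHEMERAL_PREFIX.match(name):
            order.append((name, "ephemeral"))
        else:
            order.append((name, "static"))
    return order


def prefers_forward_secrecy(cipher_string: str) -> bool:
    """True when no forward-secret suite is ranked below a static-RSA one,
    i.e. a server honouring the client's order cannot be steered to static RSA."""
    kinds = [kind for _, kind in key_exchange_order(cipher_string)]
    if "static" not in kinds:
        return True
    return "ephemeral" not in kinds[kinds.index("static"):]


# Constructed cipher strings for the two orderings discussed in the thread.
FORWARD_SECRET_FIRST = "ECDHE+AESGCM:DHE+AESGCM:!aNULL"              # ephemeral ahead
STATIC_RSA_FIRST = "AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"  # static RSA ahead

if __name__ == "__main__":
    for label, cs in (("forward-secret first", FORWARD_SECRET_FIRST),
                      ("static RSA first", STATIC_RSA_FIRST)):
        print(label, "->", prefers_forward_secrecy(cs))
        for name, kind in key_exchange_order(cs):
            print("   ", kind.ljust(9), name)
```

The classification is by suite name, which is what the thread's participants were reading off their browsers; on a server you would apply the same test to the server's own list and, as the quote notes, also check whether the server honours its own order (`ssl.OP_CIPHER_SERVER_PREFERENCE`) or the client's.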

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI) to Mele20

Some people are still using older versions of Opera just like you are still using Firefox versions 4.0.1 28.
You also have the new Sea Monkey 2.12.1 which became available 10 September, 2012 and which now has SPDY.
so get an older version
»dev.oldapps.com/seamonke ··· key=8200

This SPDY thing you are on about trying to destroy Proxo is still funny, and the only guinea pigs (no caps needed) I know with Opera are the users who try to get their final releases to work over the years. That's why many stick with older versions. Sound familiar?