# Hacked SSL news 19Sept2011



## WarraWarra (Sep 26, 2011)

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

Okay I am sure everyone already heard about SSL being hacked or maybe the news did not arrive here in the USA by ship across the Atlantic or something. 

Score USA 0 , EU 1

Either way does anyone know what or how to get TLS1.1/1.2 working in firefox ?
Or what is good alternative to use for security that most browsers support and that is not hacked on websites ?


----------



## hhumas (Sep 26, 2011)

bad news......... what is the future of paypal


----------



## FordGT90Concept (Sep 26, 2011)

Don't know about Firefox but Internet Explorer 9 has suport for 1.0, 1.1, and 1.2 (I checked IE8 on my server and only 1.0 was available).  The catch: by default, only TLS 1.0 is enabled.  As shown in the pic, I disabled 1.0 and enabled 1.1 and 1.2.


----------



## WarraWarra (Sep 26, 2011)

Thx Ford.
It is amazing that since 2006 1.1 was available and Firefox / others did not bother to implement it or at least have it available like in IE9 for user to choose.

No wonder Firefox4+ and chromium is such a disaster and so useless, all gimmick's and nothing useful.

Wondering if 1.1 / 1.2 is enabled in IE9 and the websites has 1.0 only then would it fall back to 1.0 or fail or best effort 1.1 / 1.2 .

Wondering what the banks are going to do about this, BOA / Chase / others. I can imagine a 4 year old kid with USD$500 for amazon cloud and he is hacking BOA / Chase for fun.


----------



## FordGT90Concept (Sep 27, 2011)

I'm guessing the secure website won't load (give an error of sorts).  Both my little, local bank and Chase HTTPS worked fine for me.  I did not see any messages about it not working with TSL 1.0 disabled.  I couldn't find a way to tell what version of TSL it was using though.


----------



## crazyeyesreaper (Sep 27, 2011)

it should work but since its THERE end thats version 1.0 its them whos likely to get hacked or circumvented not so much you or your browser.


----------



## 95Viper (Sep 27, 2011)

FordGT90Concept, try this:  SSL Server Test

Test of Chase logon site:



> Protocols
> TLS 1.2	 No
> TLS 1.1	 No
> TLS 1.0	 Yes
> ...


----------



## FordGT90Concept (Sep 27, 2011)

So disabling the checkbox in IE9 is broke?  That sucks. 

According to that site, virtually all websites I visit (including secure.newegg.com) are only TSL 1.0 compliant.


----------



## 95Viper (Sep 27, 2011)

Microsoft has info on update and added some info and KBs.

Microsoft Security Advisory (2588513) Vulnerability in SSL/TLS Could Allow Information Disclosure
Microsoft Security Advisory: Vulnerability in SSL/TLS could allow information disclosure
NIST - National Cyber-Alert System
CVE-2011-3389


----------

