Wednesday, October 15, 2014

Subject: POODLE flaw POOs on SSL (time to panic?)


Computerworld




Infosec researchers have found a new nasty TLS downgrade attack. While we all knew these old versions of SSL crypto were insecure, it's always been thought hard to walk away...

Update: David Hamilton gets the details downgraded:
[It] basically takes the Internet's heterogeneity, usually a source of robustness...turning it into a weapon.

If a Web server isn't set up to use the most current form of encryption, most browsers will agreeably fall back to an older form. ... But an attacker can actually trigger this "downgrade dance" [then] a malicious party can go to work breaking the encryption using a previously identified attack called Beast.

There are a few things you can do to protect yourself. ... In Chrome, you'll have to issue the command-line flag --ssl-version-min=tls1 ... In Firefox, [set] security.tls.version.min [to] "1" ... In Internet Explorer...uncheck "Use SSL 3.0."
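
Seen from the defender's side, the "downgrade dance" quoted above shows up as repeated ClientHello messages from one client that offer ever-older protocol versions. The following is an added example, not code from the original post or from the quoted article: it reads the offered version out of raw ClientHello records and flags a client that drops to SSL 3.0 after offering something newer. The capture tuples, addresses and function names are constructed for illustration.

```python
import struct

# Protocol version numbers as they appear on the wire.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def client_hello_version(record):
    """Return client_version from a raw record carrying a ClientHello, else None."""
    if len(record) < 11:
        return None
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    # 0x16 = handshake record, 0x01 = client_hello handshake message
    if ctype != 0x16 or rec_len < 6 or len(record) < 5 + rec_len or record[5] != 0x01:
        return None
    return struct.unpack("!H", record[9:11])[0]  # follows the 3-byte message length

def find_ssl3_fallbacks(events):
    """events: time-ordered (client, server, record_bytes) tuples (assumed input shape).
    Report pairs where the client offered SSL 3.0 after offering a newer version."""
    highest, alerts = {}, []
    for client, server, record in events:
        version = client_hello_version(record)
        if version is None:
            continue
        seen = highest.get((client, server), 0)
        if version == 0x0300 and seen > 0x0300:
            alerts.append((client, server, VERSIONS.get(seen, hex(seen))))
        highest[(client, server)] = max(seen, version)
    return alerts

def sample_hello(version):
    """Build a minimal ClientHello record (constructed test data, one cipher suite)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", min(version, 0x0301), len(handshake)) + handshake

# Constructed capture: .10 walks down to SSL 3.0, .11 stays on TLS 1.2,
# .12 is a legacy client that only ever offers SSL 3.0.
SAMPLE = [("192.0.2.10", "198.51.100.5", sample_hello(v)) for v in (0x0303, 0x0302, 0x0301, 0x0300)]
SAMPLE += [("192.0.2.11", "198.51.100.5", sample_hello(0x0303)),
           ("192.0.2.12", "198.51.100.5", sample_hello(0x0300))]

if __name__ == "__main__":
    for client, server, offered in find_ssl3_fallbacks(SAMPLE):
        print(f"{client} -> {server}: fell back to SSL 3.0 after offering {offered}")
```

A hit means a fallback happened, not who caused it; a server that mishandles newer version numbers produces the same pattern.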