Researchers Break Browser Encryption that Protects Almost the Entire Internet


Do you use Gmail? How about Facebook? Maybe Amazon? All of these rely on SSL, an encryption technology that keeps what goes between you and a website private. It's the little lock icon. Now two guys say they've cracked the code.


Thai Duong and Juliano Rizzo are these two guys. This week, The Register reports, they'll show the world how to kill PayPal's SSL with only an itsy bitsy piece of code, unraveling the entire encryption process and leaving your ostensibly private data open to eavesdroppers. The implications of this are massive.

The problem lies with what's called TLS, the newest generation of SSL. TLS 1.0 is vulnerable. TLS 1.1 and 1.2 aren't supported by any browsers. Websites don't want to switch from 1.0, because they don't want to lose everyone who visits their site. This is pretty complicated.

If an exploit is released into the wild, both browser devs and website operators will be forced—lest they wittingly put their users into a possible security nightmare—to upgrade to a more secure encryption version. The transition, I suspect, won't be entirely smooth. But be glad Duong and Rizzo found it before someone who isn't planning on demonstrating it to a legitimate security conference. [The Register]

You can keep up with Sam Biddle, the author of this post, on Twitter, Facebook, or Google+.



Ugh wow Giz waayy to spread more misinformation. SSL is NOT TLS. So if they broke SSL users are still protected by TLS as that takes precedence over SSL. TLS 1.0 IS vulnerable and has been known for years which is why TLS 1.1 and 1.2 have been made, which ARE supported. Why say they aren't when you can go right into your internet options and check/uncheck the boxes?