Skip to main content

SSL/TLS Protocol Vulnerability

Last Update Date: 3 Oct 2011 Release Date: 30 Sep 2011 7019 Views

RISK: Medium Risk

TYPE: Attacks - Other

TYPE: Other

A vulnerability has idenitied in SSL/TLS using Cypher Block Chaining (CBC), which can be exploited by malicious people to conduct Man-in-the-middle attack to decrypt encrypted SSL/TLS traffic and obtain sensitive information.

 

A proof of concept attack had released.


Impact

  • Information Disclosure

System / Technologies affected

  • Any Internet software and network devices using the cipher suites of SSL v3.0/TLS v1.0 with CBC mode.

 


Solutions

  • For General user
    • Use web browsers which do not affected by this vulnerability, e.g. Firefox, Google Chrome v14 or above, Opera v11.51 or above
    • Enable support for TLS v1.1 and/or TLS v1.2 in the web browsers
  • For IT Administrator
    • Disable those ciphers utilise Cypher Block Chaining (CBC)
    • Enable support for TLS v1.1 in server software/network device
    • Prioritize the use of the RC4 algorithm over block ciphers in server software

    Remark: Please test the setting before apply it.

 


Vulnerability Identifier

 


Source

 


Related Link