BEAST and SSL... Protect your accounts and users.

I thought this would be valuable information for anyone using SSL (https) on their servers who has not heard about the exploit in SSL.

Due to a recently discovered vulnerability in the way that SSL works, many sites have been found lacking in many ways (particularly with SSL). Banks, major hosts and other providers have been scurrying around to fix these issues (however, many have not).

Instead of repeating all of the details that can be found elsewhere, I have included a link to a page with information on this and a video showing what can happen if the BEAST attack is used (in this case, a PayPal account being taken over without the use of passwords). PayPal (IIRC) were one of the first to fix this problem.

http://blog.zoller.lu/2011/09/beast-summary-tls-cbc-countermeasures.html

If you are using SSL, I would suggest you take a look there first and then check your own server for this and many other attacks which can be fixed by simply editing one line in a config file.

Check your own server at: https://www.ssllabs.com/ssltest/index.html

Once you have checked your own host, you can fix it (if you have root access) by reading and following the information at:

https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

If you do not have root access on your host, I would strongly urge you to notify your host if they get less than an "A" on their report.

Many of the major social networks/service providers still fail with this and even more serious exploits.

Got to be safe... In cyberspace, no-one can hear you scream :wink:

Anyway, I thought this would be a good place to let anyone know about this who might not have heard about it over the past few months.

Regards, as always.
Bob.

P.S. wpmudev, if you can comment on this when you have a chance I would be grateful. Just to reassure anyone that might think this is some crazy con/scheme of mine. :wink: Thanks!
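An added example, not part of Bob's post or of the linked articles: an offline check that applies the same criterion SSL Labs uses for BEAST (a CBC cipher suite negotiable under SSL 3.0 or TLS 1.0) to a server's cipher list in the layout of `openssl ciphers -v`. The two sample lists are constructed, not taken from any real host. The second sample reflects the 2011-era workaround of putting RC4 first; RC4 has since been prohibited for TLS (RFC 7465), so the check flags it separately and the `harden()` suggestion drops both the retired protocol versions and the non-AEAD suites. The function names and the protocol/suite policy are my assumptions, not an SSL Labs or Qualys API.

```python
"""Offline BEAST exposure check over a server's cipher list.

Added illustration; not code from the original post or the linked articles.
Input text follows the layout of `openssl ciphers -v`: name, lowest protocol
version, then Kx=/Au=/Enc=/Mac= fields. Line order is the server's preference.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample: CBC suites first, one AEAD suite at the end.
SAMPLE_WEAK = """\
AES256-SHA                  SSLv3   Kx=RSA   Au=RSA Enc=AES(256)    Mac=SHA1
ECDHE-RSA-AES128-SHA        TLSv1   Kx=ECDH  Au=RSA Enc=AES(128)    Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH  Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# Constructed sample of the 2011-era workaround: a stream cipher placed first.
SAMPLE_RC4_FIRST = """\
RC4-SHA                     SSLv3   Kx=RSA   Au=RSA Enc=RC4(128)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA   Au=RSA Enc=AES(128)    Mac=SHA1
"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}            # versions BEAST applies to
RETIRED_PROTOCOLS = LEGACY_PROTOCOLS | {"TLSv1.1"}  # assumed hardening policy


@dataclass(frozen=True)
class Suite:
    name: str
    min_proto: str
    enc: str

    @property
    def mode(self) -> str:
        """Classify the record-layer construction from the Enc= field."""
        e = self.enc.upper()
        if e.startswith("NONE"):
            return "null"
        if any(tag in e for tag in ("GCM", "CCM", "CHACHA")):
            return "aead"
        if "RC4" in e:
            return "stream"
        return "cbc"  # AES/3DES/Camellia/SEED without an AEAD tag run in CBC mode


def parse_ciphers(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v` style lines into Suite records, in order."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append(Suite(fields[0], fields[1], attrs.get("Enc", "")))
    return suites


def beast_exposed(suites: Iterable[Suite], enabled: Iterable[str],
                  honor_server_order: bool = True) -> bool:
    """True if a CBC suite can be negotiated under SSL 3.0 / TLS 1.0.

    With server cipher preference on, only the first legacy-capable suite
    matters; otherwise the client may pick any legacy-capable CBC suite.
    """
    if not (LEGACY_PROTOCOLS & set(enabled)):
        return False  # no affected protocol version is offered at all
    usable = [s for s in suites if s.min_proto in LEGACY_PROTOCOLS]
    if not usable:
        return False
    if honor_server_order:
        return usable[0].mode == "cbc"
    return any(s.mode == "cbc" for s in usable)


def weak_suites(suites: Iterable[Suite]) -> List[str]:
    """Suites that avoid BEAST but are unacceptable for other reasons (RC4, NULL)."""
    return [s.name for s in suites if s.mode in ("stream", "null")]


def harden(suites: Iterable[Suite], enabled: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Suggested protocol list and suite list: drop retired versions, keep AEAD only."""
    protocols = [p for p in enabled if p not in RETIRED_PROTOCOLS]
    keep = [s.name for s in suites if s.mode == "aead"]
    return protocols, keep


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("rc4-first", SAMPLE_RC4_FIRST)):
        suites = parse_ciphers(text)
        enabled = ["TLSv1", "TLSv1.2"]
        print(label, "BEAST exposed:", beast_exposed(suites, enabled),
              "| weak suites:", weak_suites(suites),
              "| hardened:", harden(suites, enabled))
```

Run it directly to see the verdict for both constructed lists; to check a real host, paste the suite list reported by the SSL Labs test (or by `openssl ciphers -v '<your cipher string>'` on the server) in place of the samples. Note that the RC4-first list passes the BEAST criterion yet still lands in `weak_suites`, which is why the hardened output removes it rather than keeping the 2011 workaround.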