Author Archives: Hacker Medic

2755801 – Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – Version: 39.0

Revision Note: V39.0 (April 15, 2015): Added the 3049508 update to the Current Update section. Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Ser…

Stay up to date on potential changes to RC4 encryption algorithm


All the major browsers provide “security user interface”, meaning visual elements to inform the user of the security of their connection to the web page they’re visiting. Up until now, those interface elements were tied to the use of SSL/TLS certificates served by the web site. For example, if you went to http://www.example.com, no special elements would be displayed, but if you visited https://www.example.com, you would see a lock icon indicating the presence of a trusted SSL/TLS certificate. You would also see in the address bar the name of the company responsible for the web site, if the web site used an EV certificate. Most browsers change user interface indicators for mixed content (when a secure page loaded scripts, images or other content from a non-secure site).

Some browser vendors are planning to warn users about potential weaknesses in RC4, a popular stream encryption algorithm used in various ciphersuites defined for SSL/TLS, by changing their security user interfaces.

Concerns about RC4 have led the Internet Engineering Task Force (IETF) TLS Working Group to declare that “RC4 can no longer be seen as providing a sufficient level of security for TLS sessions”, even though it was the preferred method of defense against the BEAST attack years ago.

If your browser and the website you’re visiting negotiate to use a ciphersuite that includes RC4, browsers will warn you by a security user interface change. If the site has an EV certificate, the browser may decline to show the EV display. This is important to understand, since users may expect that security user interface warnings indicate a problem with the website’s certificate, but there may be nothing wrong with the certificate or its chain.

Perhaps more importantly, browser vendors are considering security user interface warnings if RC4 is used in any sub-connection used to build a page. Recall that most modern web pages are built on the fly from multiple sources: static images may be served by a Content Distribution Network (CDN), scripts may come from open source sites, and seal images may be served by the Certificate Authority that issued the website’s certificate. The use of RC4 in any of those connections could result in a broken lock icon or the loss of EV display.

We’re not arguing that it’s unwise to warn about RC4 in a sub-connection – we’re just concerned that many website owners may assume something is wrong with their certificate, and it’s very difficult to determine which sub-connection used RC4 and was responsible for the user interface downgrade. Browser vendors can help by developing enhanced error reporting that pinpoints the cause of the downgrade, allowing website owners to quickly remediate the problem. By the way, remediation would consist of re-configuring the offending web server to de-prioritize or remove those ciphersuites that use RC4. Modern alternatives exist that do not use RC4 and therefore are not affected by its weaknesses.

Symantec provides web-based tools like SSL Toolbox to detect problems with SSL/TLS certificates and chains. We’re also investigating tools and methods to locate websites that still use RC4, to help our customers address RC4-related issues and restore favorable security user interface indicators.
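As an added example (not the page's own or Symantec's tooling), a small Python audit that flags RC4 suites in an OpenSSL-style cipher list such as nginx's `ssl_ciphers`, produces the same list with RC4 removed, and, given a table of the connections a page made and the suite each negotiated, names the sub-connections responsible for a downgrade. The cipher string and the connection table are constructed sample data.

```python
import re

# Matches RC4 in both OpenSSL names (RC4-SHA) and IANA names (TLS_RSA_WITH_RC4_128_SHA).
RC4_RE = re.compile(r"RC4", re.IGNORECASE)

# Constructed sample: an nginx ssl_ciphers value that still offers RC4 suites.
WEAK_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:ECDHE-RSA-RC4-SHA:"
                "AES128-SHA:HIGH:!aNULL:@STRENGTH")

# Constructed sample: every TLS connection one page made and the suite each negotiated
# (as a browser's network tooling or a TLS probe would record it).
SAMPLE_PAGE_CONNECTIONS = {
    "https://www.example.com/": "ECDHE-RSA-AES128-GCM-SHA256",
    "https://cdn.example.net/logo.png": "RC4-SHA",
    "https://seal.example-ca.test/seal.js": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "https://scripts.example.org/lib.js": "ECDHE-RSA-AES256-SHA",
}


def uses_rc4(cipher_name):
    """True if a ciphersuite name (OpenSSL or IANA form) uses RC4."""
    return bool(RC4_RE.search(cipher_name))


def audit_cipher_list(cipher_string):
    """Audit an OpenSSL-style cipher list (nginx ssl_ciphers, Apache SSLCipherSuite):
    returns (offending_entries, hardened_string), where RC4 entries are dropped and a
    single trailing !RC4 is added so aliases like ALL or DEFAULT cannot re-enable it."""
    entries = [e.strip() for e in cipher_string.split(":") if e.strip()]
    offending = [e for e in entries if uses_rc4(e) and not e.startswith("!")]
    kept = [e for e in entries if e not in offending and e.upper() != "!RC4"]
    # Sort directives such as @STRENGTH must stay last in the list.
    directives = [e for e in kept if e.startswith("@")]
    suites = [e for e in kept if not e.startswith("@")]
    return offending, ":".join(suites + ["!RC4"] + directives)


def find_rc4_subconnections(page_connections):
    """Return the resource URLs whose connection negotiated RC4, i.e. the hosts
    that would trigger a broken-lock or lost-EV indicator for the whole page."""
    return sorted(url for url, suite in page_connections.items() if uses_rc4(suite))


if __name__ == "__main__":
    bad, fixed = audit_cipher_list(WEAK_CIPHERS)
    print("RC4 suites in server config:", bad)
    print("hardened ssl_ciphers:", fixed)
    print("sub-connections that used RC4:", find_rc4_subconnections(SAMPLE_PAGE_CONNECTIONS))
```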

2015 ????????????????????????????


Volume 20 of Symantec's Internet Security Threat Report (ISTR) shows that cyberattackers are infiltrating networks by hijacking companies' infrastructure, while also extorting ordinary users through their smartphones and social media.


2015 Internet Security Threat Report: Attackers are bigger, bolder, and faster

Volume 20 of Symantec’s Internet Security Threat Report (ISTR) reveals that cyberattackers are infiltrating networks and evading detection by hijacking companies’ infrastructure, while also extorting end users via their smartphones and social media.


3009008 – Vulnerability in SSL 3.0 Could Allow Information Disclosure – Version: 3.0

Revision Note: V3.0 (April 14, 2015): Revised advisory to announce that, with the release of security update 3038314 on April 14, 2015, SSL 3.0 is disabled by default in Internet Explorer 11, and to add instructions for how to undo the workarounds. Summary: Mi…