
New JavaScript hacking tool can intercept PayPal, other secure sessions - evo_9
http://arstechnica.com/business/news/2011/09/new-javascript-hacking-tool-can-intercept-paypal-other-secure-sessions.ars
======
mrkurt
I could be wrong, but I'm pretty sure that 1999 Schneier paper is unrelated.
Saying SSL has known plaintext is like saying a car can be stolen because it
has wheels.

And the 2009 MITM attack didn't have anything to do with decrypting traffic.

------
jness
To protect against this attack on Windows 7 and WS08 R2 client-side when
browsing to sites that support it, enable TLS 1.1:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

If both client and server support TLS 1.1, the conversation will use TLS 1.1
and this attack will not work. This vulnerability demonstration will probably
prompt websites such as PayPal to consider adding TLS 1.1 support.

If you host a website using IIS on Windows Server 2008 R2, you can enable TLS
1.1 server-side as an option for customers that have enabled it client side.
That regkey is:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
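
(Added example, not part of jness's comment: a read-only PowerShell check that reports how the two SCHANNEL keys named above are currently set on a machine. The function name `Get-Tls11RoleState` is hypothetical; the script reads only the `DisabledByDefault` value and changes nothing.)

```powershell
# Read-only audit of the TLS 1.1 SCHANNEL keys from the comment above.
# Written to run on PowerShell 2.0 (the version shipped with Windows 7 / Server 2008 R2).
$Tls11Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1'

# Hypothetical helper name, introduced for this example only.
function Get-Tls11RoleState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Client', 'Server')]
        [string] $Role
    )

    $path       = Join-Path $Tls11Key $Role
    $keyPresent = Test-Path -LiteralPath $path
    $value      = $null

    if ($keyPresent) {
        # Returns nothing (error suppressed) when the value does not exist under the key.
        $item = Get-ItemProperty -LiteralPath $path -Name 'DisabledByDefault' -ErrorAction SilentlyContinue
        if ($item) { $value = [int] $item.DisabledByDefault }
    }

    if (-not $keyPresent) {
        $verdict = 'key absent: OS default applies'
    } elseif ($null -eq $value) {
        $verdict = 'DisabledByDefault absent: OS default applies'
    } elseif ($value -eq 0) {
        $verdict = 'DisabledByDefault=0: matches the setting in the comment'
    } else {
        $verdict = "DisabledByDefault=$value`: TLS 1.1 disabled by default for this role"
    }

    New-Object PSObject -Property @{
        Role              = $Role
        KeyPresent        = $keyPresent
        DisabledByDefault = $value
        Verdict           = $verdict
    } | Select-Object Role, KeyPresent, DisabledByDefault, Verdict
}

# Report both roles: Client covers outbound connections, Server covers IIS and other listeners.
'Client', 'Server' | ForEach-Object { Get-Tls11RoleState -Role $_ } | Format-Table -AutoSize
```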

------
Sidnicious
It's important to be clear that this is a man-in-the-middle attack — it only
works when the attacker is on your network and can see the traffic going
between your computer and the website.

