
Chrome and the BEAST - wglb
http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
======
rednaught
Additional security blogs regarding this vulnerability:

[http://hackersmag.blogspot.com/2011/09/beast-beating-ssl-
tls...](http://hackersmag.blogspot.com/2011/09/beast-beating-ssl-tls-what-you-
can-do.html)

[http://www.phonefactor.com/blog/slaying-beast-mitigating-
the...](http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-
ssltls-vulnerability.php)

[http://www.schneier.com/blog/archives/2011/09/man-in-the-
mid...](http://www.schneier.com/blog/archives/2011/09/man-in-the-midd_4.html)

Some comments: Appears RC4 is not FIPS approved if you need to do government
work. Also, not all sites are RC4 compatible.

~~~
marshray
This one is from Eric Rescorla, a coauthor of many of the recent TLS RFCs:
[http://www.educatedguesswork.org/2011/09/security_impact_of_...](http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html)

------
alecco

      > note I don't have their paper) they say they don't need any heightened
      > Java privileges. What's a little confusing here is exactly how
      > they are getting past same-origin issues.
    

They don't need same-origin. Juliano confirmed this to me a couple of days
ago. And the leaked paper shows how they do it.

<http://news.ycombinator.com/item?id=3032278>

Edit: Either I got copy-paste fat fingers or he changed the blog post; but I
did copy that part from somewhere...

~~~
nbpoole
You copied it from
[http://www.educatedguesswork.org/2011/09/security_impact_of_...](http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html)

~~~
alecco
Oops, thanks. My bad.

