Hacker News
New JavaScript hacking tool can intercept PayPal, other secure sessions (arstechnica.com)
31 points by evo_9 on Sept 21, 2011 | 3 comments



I could be wrong, but I'm pretty sure that 1999 Schneier paper is unrelated. Saying SSL has known plaintext is like saying a car can be stolen because it has wheels.

And the 2009 MITM attack didn't have anything to do with decrypting traffic.


To protect against this attack on Windows 7 and WS08 R2 client-side when browsing to sites that support it, enable TLS 1.1:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

If both client and server support TLS 1.1, the conversation will use TLS 1.1 and this attack will not work. This vulnerability demonstration will probably prompt websites such as PayPal to consider adding TLS 1.1 support.

If you host a website using IIS on Windows Server 2008 R2, you can enable TLS 1.1 server-side as an option for customers that have enabled it client-side. That regkey is:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
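
Added example, not part of the comment above and not Microsoft's own tooling: a read-only PowerShell check of the two SCHANNEL keys the comment names, reporting whether TLS 1.1 has been opted in for the client and server roles. The function name `Get-Tls11State` is hypothetical, and reading the `Enabled` value is an assumption beyond the comment (it is the other per-protocol SCHANNEL registry value).

```powershell
# Added example: read-only audit of the SCHANNEL TLS 1.1 registry settings.
# Assumption: a missing key or value means the OS default applies ("not set").
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1'

function Get-Tls11State {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Client', 'Server')]
        [string]$Role
    )

    $path  = Join-Path $base $Role
    $state = [ordered]@{
        Role              = $Role
        KeyPresent        = (Test-Path $path)
        DisabledByDefault = 'not set'
        Enabled           = 'not set'   # not in the comment; second SCHANNEL value
    }

    if ($state['KeyPresent']) {
        $props = Get-ItemProperty -Path $path
        foreach ($name in 'DisabledByDefault', 'Enabled') {
            # Only overwrite the placeholder when the value really exists
            if ($props.PSObject.Properties.Name -contains $name) {
                $state[$name] = $props.$name
            }
        }
    }

    # Opted in: DisabledByDefault is explicitly 0 and Enabled is not explicitly 0
    $state['OptedIn'] = ($state['DisabledByDefault'] -eq 0) -and
                        ($state['Enabled'] -ne 0)

    [pscustomobject]$state
}

# Report both roles; nothing is written to the registry
'Client', 'Server' |
    ForEach-Object { Get-Tls11State -Role $_ } |
    Format-Table -AutoSize
```
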


It's important to be clear that this is a man-in-the-middle attack — it only works when the attacker is on your network and can see the traffic going between your computer and the website.



