[conspire] Another XSS (was: OUCH!!! Fwd: SSL cracked)

Rick Moen rick at linuxmafia.com
Tue Sep 20 12:31:21 PDT 2011


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Tue, 20 Sep 2011 12:26:18 -0700
From: Rick Moen <rick at linuxmafia.com>
To: Jesse Monroy <jesse650 at gmail.com>
Subject: Re: OUCH!!! Fwd: SSL cracked
Organization: If you lived here, you'd be $HOME already.

Quoting Jesse Monroy (jesse650 at gmail.com):

> ---------- Forwarded message ----------
> From: John Sokol <john.sokol at gmail.com>
> Date: Tue, 20 Sep 2011 11:25:45 -0700
> Subject: SSL cracked
> To: Jesse Monroy <jesse650 at gmail.com>
> 
> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

The attack vector depends on slipping (via JavaScript) an http response 
into results on a query from an https site that's being visited.  If the
user is then dumb enough to ignore advisories saying the current page
has both encrypted and unencrypted content, then mischief is possible,
such as grabbing and then cracking encrypted cookies, as Rizzo and
Duong's demonstration did.  I.e., it's yet another variety of cross-site
scripting that relies on the user not caring about security.

John Sokol's melodramatic misinterpretation notwithstanding, Rizzo and
Duong did not 'crack SSL'.  The cited JavaScript trick enabled them to
do a chosen-plaintext attack against the AES symmetric cipher, using
their privileged MITM (man in the middle) position to feed the cipher
chosen data until they're able to determine the session key.  That
doesn't in any way 'break' AES or any SSL variant (even TLS 1.0) more
generally.

Running the HTTPS-Everywhere Firefox extension is probably sufficient to
make this slight wrinkle on a prior attack go away (I'd have to think
about it), but RequestPolicy definitely suffices, because it puts the
kibosh on XSS attacks against Mozilla browsers generally.

https://www.requestpolicy.com/


----- End forwarded message -----
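The chosen-plaintext guess test that Rizzo and Duong's demonstration relies on, as an added example (not their code, and not from the Register article): it simulates TLS 1.0-style CBC, where each record's IV is the last ciphertext block of the previous record, so a MITM who also gets the browser to encrypt chosen bytes can test one guess per injected block against an earlier ciphertext block. The block cipher is an HMAC-based Feistel stand-in for AES so the script runs on the standard library alone (an assumption made for portability), the cookie value is constructed, and the attacker never touches the cipher or its key; the leak comes entirely from the chaining mode, which is consistent with the point that AES itself is not broken.

```python
"""Added example: the chained-IV CBC guess test behind Rizzo and Duong's BEAST.

Not their code. The block cipher is a stdlib Feistel stand-in for AES and the
cookie is constructed; the attacker only ever compares ciphertext blocks."""
import hashlib
import hmac
import os

BLOCK = 16
SECRET = b"session=7b1fd2e9c0a4;"  # constructed cookie value the attacker wants


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FeistelCipher:
    """4-round balanced Feistel network on 16-byte blocks with HMAC-SHA256 as the
    round function: a keyed permutation standing in for AES so the example runs
    without third-party modules. The attack never looks inside it."""

    def __init__(self, key: bytes):
        self.round_keys = [hmac.new(key, bytes([i]), hashlib.sha256).digest()
                           for i in range(4)]

    def encrypt_block(self, block: bytes) -> bytes:
        half = BLOCK // 2
        left, right = block[:half], block[half:]
        for rk in self.round_keys:
            f = hmac.new(rk, right, hashlib.sha256).digest()[:half]
            left, right = right, xor(left, f)
        return left + right


class ChainedCbcSender:
    """TLS 1.0-style CBC: the IV of each record is the last ciphertext block of
    the previous record, so an eavesdropper knows the next IV before it is used."""

    def __init__(self, key: bytes):
        self.cipher = FeistelCipher(key)
        self.prev = os.urandom(BLOCK)  # the initial IV stays secret from the attacker

    def send_record(self, plaintext: bytes) -> bytes:
        if len(plaintext) % BLOCK:
            plaintext += b"\x00" * (BLOCK - len(plaintext) % BLOCK)  # zero padding, for brevity
        out = bytearray()
        for i in range(0, len(plaintext), BLOCK):
            c = self.cipher.encrypt_block(xor(plaintext[i:i + BLOCK], self.prev))
            out += c
            self.prev = c
        return bytes(out)


class Victim:
    """Browser side. Attacker-supplied script picks a request prefix, the browser
    appends the cookie; a second channel lets the attacker send fully chosen bytes
    over the same CBC session (a WebSocket or Java frame in the real demonstration)."""

    def __init__(self, key: bytes, secret: bytes):
        self.sender = ChainedCbcSender(key)
        self.secret = secret

    def request(self, prefix: bytes) -> bytes:
        return self.sender.send_record(prefix + self.secret)

    def chosen(self, data: bytes) -> bytes:
        return self.sender.send_record(data)


def beast_recover(victim: Victim, secret_len: int) -> bytes:
    """Recover the cookie byte by byte from observed ciphertext and chosen plaintexts.
    The cipher key is never learned; only CBC's chaining is used."""
    last = victim.chosen(b"\x00" * BLOCK)[-BLOCK:]  # warm-up so the next IV is known
    recovered = b""
    for k in range(secret_len):
        tb, pad = k // BLOCK, BLOCK - 1 - (k % BLOCK)
        prefix = b"A" * pad                # aligns secret[k] as the last byte of block tb
        iv_before = last
        ct = victim.request(prefix)
        last = ct[-BLOCK:]
        target = ct[tb * BLOCK:(tb + 1) * BLOCK]
        c_prev = ct[(tb - 1) * BLOCK:tb * BLOCK] if tb else iv_before
        known = (prefix + recovered)[tb * BLOCK:tb * BLOCK + BLOCK - 1]  # 15 known bytes
        for g in range(256):
            guess = known + bytes([g])
            probe = xor(xor(guess, c_prev), last)  # cancels the public next IV, re-applies c_prev
            last = victim.chosen(probe)[:BLOCK]    # E(guess XOR c_prev), which is also the next IV
            if last == target:
                recovered += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched; the ciphertext view is inconsistent")
    return recovered


def demo() -> bytes:
    """Run the attack against a fresh session with a random key the attacker never sees."""
    return beast_recover(Victim(os.urandom(32), SECRET), len(SECRET))


if __name__ == "__main__":
    print(demo())
```

The alignment step (padding the request so that exactly one unknown byte lands at the end of a block) is what makes the search cost 256 guesses per byte rather than 2^128 per block; the attacker needs an attacker-controlled plaintext channel on the same TLS session, which is why the mitigations discussed above are about keeping attacker-supplied content out of the https page rather than about the cipher.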