web security - ReadWriteWeb
Copyright 2012 Richard MacManus

Breaking the Internet: Researchers Successfully Hack SSL

Secure Sockets Layer and Transport Layer Security (SSL/TLS) are the foundation of Web security. Banks, travel booking sites, social networks like Facebook and Twitter, email services and a plethora of other industries built their security on the fact that it is very hard to crack SSL. Yet a group of researchers has figured out how to do just that.

SSL encryption protects data in transit from the client to the server. This communication happens very rapidly and the encryption effectively makes a secure tunnel for information. The researchers that have cracked SSL used a vulnerability that until now was considered only a theory. Like wormholes.

Researchers Thai Duong and Juliano Rizzo essentially slipped a Trojan Horse into the SSL communication between the server and the client that decrypts the information, according to The Register. Instead of cracking or forging digital certificates, as has been seen with the recent DigiNotar controversy, the SSL hack goes straight to the heart of how it works.

Duong and Rizzo have created a proof of concept that they call BEAST. The demonstration they use is the decryption of an authentication cookie used to access a PayPal account. The hack penetrates the HTTPS communication and sniffs the data in transit.

The researchers built BEAST on a plaintext-recovery attack. It exploits a supposed weakness in TLS by guessing the encryption used for the blocks of data, or packets, that are encrypted along the data string. If the first block can be decrypted, then the hacker has the tools to attack the rest of them.

The Register points out that each byte of an encrypted cookie takes about two seconds to break down. That is an eternity and makes a long data string difficult to break down quickly. Hence, hackers would need either great patience or very specific targets in mind. That shows that this SSL decryption is not for the faint-of-heart bad guy but for those who are extraordinarily diligent in getting the information they desire.

The SSL vulnerability only works on SSL version 1.0. Versions 1.1 and 1.2 are not affected. That does not really mean anything, since almost nobody on the Web has the capability to support versions 1.1 or 1.2. SSL/TLS is notoriously hard to implement and each successive iteration breaks all compatibility with the previous version. That makes updating SSL cumbersome, time-consuming and expensive. Almost no entity on the Web uses anything past version 1.0.

Now that researchers have cracked one version, their methodology will be used by those who truly wish to steal information. The motivated always find a way. Web engineers will soon have no recourse but to band together to upgrade SSL across the Internet.

http://www.readwriteweb.com/archives/breaking_the_internet_researchers_successfully_hac.php Security Tue, 20 Sep 2011 10:30:00 -0800 Dan Rowinski

Google Releases Browser Security Handbook

Just before announcing that Chrome was taken out of beta last week, Google released a browser security handbook for Web developers that details the key security features of the main Web browsers.

Released under a Creative Commons 3.0 license, the document provides a comprehensive comparison of the security features of the commonly used browsers: IE (versions 6 and 7), Firefox (versions 2 and 3), Safari, Opera, Chrome and the lesser-known Android embedded browser.

Wanting to give the Web world a one-stop reference to security issues in browsers, author Michal Zalewski writes, "Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities."

Browser security has been an ongoing problem over the years and was the first subject discussed during the browser wars panel at the Add-on conference last week. Earlier this year, Robert Hansen and Jeremiah Grossman uncovered an attack known as clickjacking, which gives an attacker the ability to trick a user into clicking where the attacker wants on a site. A good overview can be found on the Computerworld site, which has a clickjacking FAQ:

"In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker takes a car? Well, clickjacking is like that, except that the click is the car."

Clickjacking is one of the issues covered in the security handbook, which is divided into three sections:

  1. Basic concepts behind Web browsers: reviews of core standards and technologies behind current browsers and their security properties
  2. Standard browser security features: details explicit security mechanisms and restrictions
  3. Experimental and legacy security mechanisms: discusses security mechanisms that have either fallen into disuse or never caught on, as well as those yet to prove their worth.

The document appears to be an ongoing project; you can find more details here.

Image Credit: Thanks Darwin Bell

http://www.readwriteweb.com/archives/google_releases_browser_securi.php Google Sat, 13 Dec 2008 12:11:12 -0800 Lidija Davis