By Susan Bradley/Windows Secrets Newsletter
Hard on the heels of the counterfeit SSL certificates scandal comes a new SSL security threat.
The recent ekoparty Security Conference in Argentina broke the news that encrypted SSL/TLS traffic is vulnerable to attack. But should we rush to install the workarounds?
Are the SSL protocols truly broken? Again?
Microsoft Security Advisory KB 2588513, issued September 26, revealed that hackers can decrypt encrypted SSL traffic. But before you yank that Internet connection out of the wall, never to go online again, consider that mitigating factors make a successful attack of this kind extremely difficult to accomplish.
As detailed in Microsoft’s Security Research & Defense blog, a man-in-the-middle attacker must first place himself between you and the server with which you’re communicating — and then must be there exactly at the right time to sniff your traffic.
That said, if you’re still feeling queasy about this new danger, you have two ways to protect yourself. First, formally sign in and sign out of secured sites: don’t just close the browser when you’ve finished your session. Second, you can enable the support of TLS 1.1 and disable TLS 1.0 in Windows 7’s Internet Options (as shown in Figure 1) by using the Fixits in KB 2588513.
This post is excerpted with permission from Windows Secrets.