You use PayPal and shop online, like most people out there, but here’s a scary story that will make you think twice before purchasing anything online again.
It even affects the security of your online banking and financial transactions. But wait, you think just because you’re using a bank’s “secure website” that you have nothing to worry about?
Turns out there is yet another online security worry affecting consumers.
Retailers, banks, and other online retailers use secure websites — HTTPS (Hypertext Transfer Protocol Secure) — to provide secure transactions. You can tell if a website is a “secure” one if it has “https” in its URL and has a small lock symbol next to it.
SSL, or Secure Sockets Layer, is the technology behind HTTPS. SSL creates an encrypted link between a website and your browser and ensures that all data passed between them remains private. TLS, or transport layer security, is the successor to TLS.
Up until now, everyone has assumed that if a website is using HTTPS for online transactions, it means that it is completely safe. But just in the past few weeks, researchers have discovered a serious weakness in this technology that allows hackers to read and steal supposedly encrypted data.
At a security conference in Buenos Aires, two researchers, Thai Duong and Juliana Rizzo, demonstrated a program they developed called BEAST (Browser Exploit Against SSL/TLS) that exposes this vulnerability. This program can read encrypted-data websites used to grant access to restricted user accounts. In their demo, Duong and Rizzo decrypted cookies used to access a PayPal account.
How the Attack Works
This vulnerability is just the latest found in HTTPS that almost all online retailers use to protect online transactions and to prove that their website is not counterfeit.
In the past, researchers have found ways to validate untrustworthy websites.
The way that Duong and Rizzo attack SSL/TLS is different, with the researchers noting:
“BEAST is different from most published attacks. While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”
BEAST exploits a vulnerability in TLS that scrambles block-after-block of data using the previously encrypted block.
Right now, it takes BEAST about 30 minutes to decrypt a PayPal authentication cookie, but Duong and Rizzo are working on a way to reduce this time to less than 10 minutes.
Using a personal VPN like PRIVATE WiFi™ is the only way to protect yourself from this kind of attack in a wifi hotspot.
PRIVATE WiFi encrypts all the data moving to and from your laptop, even HTTPS information. This huge security flaw in HTTPS proves that now more than ever, consumers need PRIVATE WiFi to protect themselves.
The simple-to-use PRIVATE WiFi software seamlessly encrypts all the data moving to and from your laptop — even HTTPS information — adding an extra layer of security that protects ALL of your communications.