Huge New HTTPS Vulnerability Found For Online Banking, Retail Stores

online shopping

You use PayPal and shop online, like most people out there, but here’s a scary story that will make you think twice before purchasing anything online again.

It even affects the security of your online banking and financial transactions. But wait, you think just because you’re using a bank’s “secure website” that you have nothing to worry about?

Think again!

Turns out there is yet another online security worry affecting consumers.

Retailers, banks, and other online retailers use secure websites — HTTPS (Hypertext Transfer Protocol Secure) — to provide secure transactions. You can tell if a website is a “secure” one if it has “https” in its URL and has a small lock symbol next to it.

SSL, or Secure Sockets Layer, is the technology behind HTTPS. SSL creates an encrypted link between a website and your browser and ensures that all data passed between them remains private. TLS, or transport layer security, is the successor to TLS.

Up until now, everyone has assumed that if a website is using HTTPS for online transactions, it means that it is completely safe. But just in the past few weeks, researchers have discovered a serious weakness in this technology that allows hackers to read and steal supposedly encrypted data.

At a security conference in Buenos Aires, two researchers, Thai Duong and Juliana Rizzo, demonstrated a program they developed called BEAST (Browser Exploit Against SSL/TLS) that exposes this vulnerability. This program can read encrypted-data websites used to grant access to restricted user accounts. In their demo, Duong and Rizzo decrypted cookies used to access a PayPal account.

How the Attack Works

This vulnerability is just the latest found in HTTPS that almost all online retailers use to protect online transactions and to prove that their website is not counterfeit.

In the past, researchers have found ways to validate untrustworthy websites.

The way that Duong and Rizzo attack SSL/TLS is different, with the researchers noting:

“BEAST is different from most published attacks. While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

BEAST exploits a vulnerability in TLS that scrambles block-after-block of data using the previously encrypted block.

Right now, it takes BEAST about 30 minutes to decrypt a PayPal authentication cookie, but Duong and Rizzo are working on a way to reduce this time to less than 10 minutes.

Using a personal VPN like PRIVATE WiFi™ is the only way to protect yourself from this kind of attack in a wifi hotspot.

PRIVATE WiFi encrypts all the data moving to and from your laptop, even HTTPS information. This huge security flaw in HTTPS proves that now more than ever, consumers need PRIVATE WiFi to protect themselves.

The simple-to-use PRIVATE WiFi software seamlessly encrypts all the data moving to and from your laptop — even HTTPS information — adding an extra layer of security that protects ALL of your communications.

Get Private Wifi   Protect your personal information.
Get DataCompress   Cut your mobile data usage.

Kent Lawson

Kent Lawson is the CEO & Chairman of Private Communications Corporation and creator of its flagship software PRIVATE WiFi. He combined his extensive business and technical experience to develop PRIVATE WiFi in 2010. The software is an easy-to-use Virtual Private Network (VPN) that protects your sensitive personal information whenever you’re connected to a public WiFi network. Follow Kent on Twitter: @KentLawson.

2 Responses

  1. October 3, 2011

    […] websites themselves can provide for your use. But there are still various flaws in HTTPS. Last week I wrote about the underlying encryption technology, called SSL, which has recently been shown to be […]

  2. October 20, 2011

    […] underlying encryption methodology has been broken. It is not easy, and as of now you need to be a security expert to know how to do it. But you can bet that someone […]

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.