[olug] TLS 1.0 compromised

T. J. Brumfield enderandrew at gmail.com
Wed Sep 21 19:56:59 UTC 2011


The media seems to be calling this a PayPal exploit, when really it is an
exploit with TLS 1.0 in general.

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

The problem is that apparently 99% of the web servers on the planet don't
support TLS 1.1 or TLS 1.2 yet. I was looking, and apparently the openssl
builds that most people are running on Apache don't, but the beta releases
of openssl 1.0.1 do.

I wonder if they need to port these features to a stable release as soon as
possible, and I also wonder where the best place is to find openssl 1.0.1
packages for each major distro?

-- T. J. Brumfield
"I'm questioning my education
Rewind and what does it show?
Could be, the truth it becomes you
I'm a seed, wondering why it grows"
-- Pearl Jam, Education


