[jetty-users] SSLv3/TLSv1 Security Exploit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-users] SSLv3/TLSv1 Security Exploit

From: Greg Wilkins <gregw@xxxxxxxxxxx>
Date: Thu, 22 Sep 2011 15:19:18 +1000
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

On September 19, 2011 an exploit of a vulnerability in SSL 3.0 and TLS
1.0 (and below) was demonstrated that allows an attacker to decrypt
communications between 2 parties.  The demonstration was against a
PayPal Authentication cookie, which took 10 minutes to decipher with
the aid of a packet sniffer and some hostile javascript running in the
browser.

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

While TLS 1.1 and 1.2 are not vulnerable, these versions are not yet
commonly available in browsers and JVMs.   Java 6 currently only
supports TLS 1.0, while Java 7 supports TLS 1.1 and 1.2.  It has not
yet been announced if a TLS 1.1 provider will be made available for
Java 6. As of recently, the browser support for TLS can be seen at
http://en.wikipedia.org/wiki/Transport_Layer_Security#Browser_implementations.
 Google Chrome has already announced imminent support for 1.2 and it
is expected that the other browsers will follow shortly (see
http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/).

Jetty when used with it's default configuration of SSL will use the
highest common version of TLS available that is shared by the browsers
and JVM.  Thus if jetty is running on java 7 today, it will
automatically use TLS 1.1 or 1.2 if it is available in the browser.
However there is currently no mechanism to disable protocol versions
within Jetty (unless they are disabled in the JVM).

Jetty-7.5.2-SNAPSHOT has now been modified to support lists of
included and excluded protocols in the configuration of the
SslContextFactory class used to configure SSL clients and server
connectors.  This will allow TLS 1.0 to be excluded once clients that
support it are widely deployed. A stable release of 7.5.2 will be
available next week.

We strongly recommend that you  upgrade your systems (browser and
JVMs) to support TLS 1.1 or later.  For Jetty servers, this currently
means running on java 7.  Until TLS 1.1 is widely available in
browsers, it is recommended that you evaluate the risks of continuing
to provide your services over SSL and TLS.

regards

Prev by Date: Re: [jetty-users] (fixed)5 minute pause with jetty...is this a JVM issue(anyone else seen this?)
Next by Date: [jetty-users] keep getting error 'package xy does not exist' when compiling jsp
Previous by thread: Re: [jetty-users] (fixed)5 minute pause with jetty...is this a JVM issue(anyone else seen this?)
Next by thread: [jetty-users] keep getting error 'package xy does not exist' when compiling jsp
Index(es):
- Date
- Thread

Breadcrumbs