Well, here we are again.
So you are logging into your bank or credit card site. You made sure the key icon is showing in the browser, so you think you are safe?
Well, unfortunately, you are not, as most websites, including Gmail, Cahoot, Tesco etc., use version 1.0 of SSL (TLS 1.0).
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
Trouble is, this has been broken. So, you say, oh dear, they will send out a fix. Well, the fix has been out since 2006, but the websites are stuck in a chicken-and-egg problem.
The normal browsers, including IE, Chrome, FF etc., default to version 1.0, although most can use 1.2, which is the most secure. If they forced you to use that level then quite a few of the commercial sites would refuse to work :o( and of course the site would lose web traffic.
So, they decided to leave it. Now, of course, it is going to come back and bite them, as they have left open a way for an attacker to hijack the session. Trouble is, you will not know.
You will turn up at the right website and be unaware of anything being wrong. You will see the lock in the browser and, to the normal person, everything would look fine.
So, my suggestion is to convince Google and the other search engines to rank websites by what SSL level they are using, so the safe ones that use 1.2 rank above the ones that don't.
Personally, I think you would then find a lot of websites migrating to the secure version, which would then make the more secure version the default standard. A quick tweak to the browser security settings and everyone would be using 1.2 in a short space of time. Then the hackers would have to crack 1.2, which is going to be a lot more difficult.
The search engines then get the credit for providing a more secure internet. The banks have very little excuse; they should have completed this upgrade many moons ago.
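If you run a site and want to know whether it still accepts the old version the post complains about, here is a small audit script I have added (it is not from the original post): it pins a handshake to one protocol version at a time and reports what the server agrees to. The function names and the "legacy"/"modern" verdicts are my own; nothing here is a standard tool.

```python
import socket
import ssl

# Hypothetical helper names (assumed, not from the original post).
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe_version(host, version, port=443, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.
    True  -> server accepted it, False -> server refused it,
    None  -> could not test (local OpenSSL refuses to offer that
             version, or the connection itself failed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # only version negotiation matters here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # allow old suites to be offered at all
    except (ValueError, ssl.SSLError):
        return None                     # this OpenSSL build will not speak it
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLError:
        return False                    # handshake rejected by the server
    except OSError:
        return None                     # DNS/connect/timeout problem, not a verdict

def assess(accepted):
    """accepted: {version-name: True/False/None} from probe_version.
    'legacy'  -> a pre-1.2 version (the BEAST-era setting) is still accepted
    'modern'  -> only 1.2 or newer was accepted
    'unknown' -> nothing could be determined"""
    legacy = {"TLSv1.0", "TLSv1.1"}
    if any(accepted.get(v) for v in legacy):
        return "legacy"
    if any(accepted.get(v) for v in accepted if v not in legacy):
        return "modern"
    return "unknown"

def probe_host(host, port=443):
    return {name: probe_version(host, ver, port) for name, ver in VERSIONS.items()}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    results = probe_host(target)
    print(results, "->", assess(results))
```

Run it against your own hosts only; a None for TLSv1.0 usually means the local OpenSSL has that version compiled out, not that the server refused it.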
Well, that’s my point of view. What’s yours?
Thanks for reading.
David Vincent.
Someone was listening!
http://www.bbc.co.uk/news/technology-28687513