{"id":557,"date":"2011-09-27T10:29:41","date_gmt":"2011-09-27T17:29:41","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=557"},"modified":"2016-09-30T02:54:42","modified_gmt":"2016-09-30T09:54:42","slug":"attack-against-tls-protected-communications","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/","title":{"rendered":"Attack against TLS-protected communications"},"content":{"rendered":"<p><em>UPDATE 10.18.11: Today, Oracle is releasing a patch update to Java SE to address <a href=\"http:\/\/www.oracle.com\/technetwork\/topics\/security\/javacpuoct2011-443431.html\">this vulnerability<\/a>.\u00a0 We recommend that users update their Java plugin to ensure that they have the latest and most secure fixes.\u00a0 Windows users on auto update should start seeing the updates as early as this week.\u00a0 Users can also manually download the update here: <a href=\"http:\/\/java.com\/\">http:\/\/java.com<\/a>.\u00a0 Apple distributes Java updates directly for OS X.\u00a0 We will not be <a href=\"https:\/\/wiki.mozilla.org\/Blocklisting\">blocking<\/a> vulnerable versions of Java at this time, though we will continue to monitor for incidents of this vulnerability being exploited in the wild.<br \/>\n<\/em><\/p>\n<p>Issue<\/p>\n<p>Juliano Rizzo and Thai Duong recently presented a paper detailing an information-stealing attack against TLS-protected communications.\u00a0 The attack is not Firefox-specific, and Firefox is not vulnerable in default configurations; however, some plugins may be.<\/p>\n<p>Impact to users<\/p>\n<p>A successful application of this man-in-the-middle attack would allow an attacker to steal information from encrypted communications. This could include cookie data, which may allow the attacker to impersonate the victim.<\/p>\n<p>Status<\/p>\n<p>Firefox itself is not vulnerable to this attack. 
While Firefox does use TLS 1.0 (the version of TLS with this weakness), the <a href=\"http:\/\/www.imperialviolet.org\/2011\/09\/23\/chromeandbeast.html\">technical details<\/a> of the attack require the ability to completely control the content of connections originating in the browser, which Firefox does not allow.<\/p>\n<p>The attackers have, however, found weaknesses in Java plugins that permit this attack. We recommend that users <a href=\"https:\/\/support.mozilla.com\/en-US\/kb\/Using%20plugins%20with%20Firefox?s=plugin&amp;r=2&amp;as=s#w_managing-plugins\">disable Java<\/a> from the Firefox Add-ons Manager as a precaution. We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so.<\/p>\n<p>Credit<\/p>\n<p>This bug was reported by Juliano Rizzo and Thai Duong.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>UPDATE 10.18.11: Today, Oracle is releasing a patch update to Java SE to address this vulnerability.\u00a0 We recommend that users update their Java plugin to ensure that they have the &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/\">Read more<\/a><\/p>\n","protected":false},"author":162,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,45499],"tags":[],"coauthors":[260195],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Attack against TLS-protected communications - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" 
\/>\n\t<meta name=\"twitter:data1\" content=\"Shannon Prior\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/\",\"name\":\"Attack against TLS-protected communications - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2011-09-27T17:29:41+00:00\",\"dateModified\":\"2016-09-30T09:54:42+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f3d3dfb8403460b18793f5b6c0817b98\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Attack against TLS-protected communications\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security 
Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f3d3dfb8403460b18793f5b6c0817b98\",\"name\":\"Shannon Prior\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a953938dbf7027bc5b72ba2d9d37deb8\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0240db4eef47814a10141a7b6cb75dcb?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0240db4eef47814a10141a7b6cb75dcb?s=96&d=identicon&r=g\",\"caption\":\"Shannon Prior\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Attack against TLS-protected communications - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/","twitter_misc":{"Written by":"Shannon Prior","Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/","url":"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/","name":"Attack against TLS-protected communications - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2011-09-27T17:29:41+00:00","dateModified":"2016-09-30T09:54:42+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f3d3dfb8403460b18793f5b6c0817b98"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2011\/09\/27\/attack-against-tls-protected-communications\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Attack against TLS-protected communications"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/f3d3dfb8403460b18793f5b6c0817b98","name":"Shannon 
Prior","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/a953938dbf7027bc5b72ba2d9d37deb8","url":"https:\/\/secure.gravatar.com\/avatar\/0240db4eef47814a10141a7b6cb75dcb?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0240db4eef47814a10141a7b6cb75dcb?s=96&d=identicon&r=g","caption":"Shannon Prior"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/557"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/162"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=557"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/557\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=557"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}