Forgot your password?
typodupeerror

Comment: Re:The problem is not Java (Score 1) 309

by briansmith (#37560138) Attached to: To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework

No matter what we do to the browser's TLS implementation, this attack would still be possible via Java, because Java has its own TLS implementation.

We are already working on proactively mitigating any improvements on the BEAST attack that could be made to work using native browser features that would be affected by changes to our TLS implementation. But, right now, there are no known ways to implement the attack using built-in browser features.

Comment: Re:Won't help (Score 1) 309

by briansmith (#37560044) Attached to: To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework

There may indeed be other vectors for an attack that use built-in browser features. However, some characteristics of how the browser manages connections and how it formats HTTP requests would defeat most (all, as far as we know at this time) variations of the attack that use built-in browser features.

Comment: Re:Java still there (Score 1) 309

by briansmith (#37559954) Attached to: To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework

Implementing that workaround in the browser will not help when the attacker users Java, because the Java Plugin does not use the browser's TLS implementation; it uses its own.

An Oracle engineer is the one that came up with that technique for interfering with the exploit.

We are going to implement it. I am finalizing the patch now.

Real Programmers don't write in PL/I. PL/I is for programmers who can't decide whether to write in COBOL or FORTRAN.

Working...