
Comment Re:There are some problems with it (Score 3, Interesting) 137

The server operator could modify the javascript it sends to the client, so that the client sends either the key or the plaintext to a place of the operator's choosing.

That would fall under the same category as MITM in this case. You still need to trust the server (or a server, if you prefer).

You could move the client-side code to a browser addon/extension, but you'd still have the problem of trusting the extension to behave.

Comment Re:There are some problems with it (Score 4, Informative) 137

It runs on ZeroBin, which uses client-side JavaScript to generate a random 256-bit AES key, then compress and encrypt the text before sending it to the server. Comments are also compressed and encrypted. The key is never seen by the server, so the server can't decrypt your data.

It uses the Stanford Javascript Crypto Library for its AES code, and its codebase is available on GitHub.

The system is vulnerable to an MITM attack. Also, a server admin may be able to reveal the poster's identity, but not the post's content.
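The flow described in the comment above, as an added example that is not part of the original comment and is not ZeroBin's code: Node's built-in AES-256-GCM and raw deflate stand in for SJCL, `serverStore` is a hypothetical stand-in for the server, and the paste text is constructed. The GCM tag catches a stored blob that has been altered, but it does nothing about a server that sends modified JavaScript, which is the trust problem raised in the comments.

```javascript
// Added example: Node's built-in AES-256-GCM and zlib stand in for SJCL.
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');
const { deflateRawSync, inflateRawSync } = require('node:zlib');

// Client: compress, then encrypt under a fresh random 256-bit key.
function clientEncrypt(text) {
  const key = randomBytes(32); // stays on the client, never uploaded
  const iv = randomBytes(12);  // 96-bit GCM nonce, unique per paste
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(deflateRawSync(Buffer.from(text, 'utf8'))), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { key, upload: { iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) } };
}

// Client: authenticate and decrypt, then decompress. Throws on a wrong key or altered blob.
function clientDecrypt(key, stored) {
  const raw = (s) => Buffer.from(s, 'base64');
  const decipher = createDecipheriv('aes-256-gcm', key, raw(stored.iv));
  decipher.setAuthTag(raw(stored.tag));
  const packed = Buffer.concat([decipher.update(raw(stored.ct)), decipher.final()]);
  return inflateRawSync(packed).toString('utf8');
}

// Hypothetical server: stores whatever it is sent and never receives the key.
function serverStore(db, upload) {
  const id = randomBytes(8).toString('hex');
  db.set(id, JSON.stringify(upload));
  return id;
}

function rejects(key, stored) {
  try { clientDecrypt(key, stored); return false; } catch (err) { return true; }
}

function demo() {
  const db = new Map();
  const paste = 'constructed sample paste: rotate the staging credentials on Friday';
  const { key, upload } = clientEncrypt(paste);
  const blob = db.get(serverStore(db, upload)); // everything the server operator can read
  const stored = JSON.parse(blob);
  const flipped = Buffer.from(stored.ct, 'base64');
  flipped[0] ^= 0x01; // simulate a blob altered in storage or in transit
  return {
    roundTrip: clientDecrypt(key, stored),
    serverHoldsPlaintext: blob.includes(paste) || blob.includes(key.toString('base64')),
    tamperRejected: rejects(key, { ...stored, ct: flipped.toString('base64') }),
    wrongKeyRejected: rejects(randomBytes(32), stored),
  };
}
```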


Submission + - Attack Breaks Confidentiality Model of SSL

Gunkerty Jeb writes: Two researchers have developed a new attack on TLS 1.0/SSL 3.0 that enables them to decrypt client requests on the fly and hijack supposedly confidential sessions with sensitive sites such as online banking, e-commerce and payment sites. The attack breaks the confidentiality model of the protocol and is the first known exploitation of a long-known flaw in TLS, potentially affecting the security of transactions on millions of sites.

The attack, developed by Juliano Rizzo and Thai Duong, will be presented at the Ekoparty conference in Argentina on Friday, and, unlike many other attacks on TLS and SSL, it has nothing to do with the certificate trust model in the protocol. Instead, the researchers have developed a tool called BEAST that enables them to grab and decrypt HTTPS cookies from active user sessions. The attack can even decrypt cookies that are marked HTTPS only from sites that use HTTP Strict Transport Security, which forces browsers to communicate over TLS/SSL when it's available.


Submission + - Researchers announce TLS1.0 broken 3

ludwigf writes: The plaintext-recovery attack exploits a vulnerability in TLS that has long been regarded as mainly a theoretical weakness. At the moment, [their exploit] requires about two seconds to decrypt each byte of an encrypted cookie. That means authentication cookies of 1,000 to 2,000 characters long will still take a minimum of a half hour for their PayPal attack to work.

TLS 1.1 fixes the problem but: "Actually we have worked with browser and SSL vendors since early May, and every single proposed fix is incompatible with some existing SSL applications," Duong wrote. “What prevents people is that there are too many websites and browsers out there that support only SSL 3.0 and TLS 1.0. If somebody switches his websites completely over to 1.1 or 1.2, he loses a significant part of his customers and vice versa.”


Steam Cloud Launches This Week 69

Valve announced yesterday that their extension of Steam, called Steam Cloud, will launch later this week with the Left 4 Dead demo. Steam Cloud is "a set of services for Steam that stores application data online and allows user experiences to be consistent from any PC." We discussed an early announcement for it back in May. Valve adds that "Steam Cloud will be available to all publishers and developers using Steam, free of charge, and Valve will add Cloud support to its back catalog of Steam games. Cloud services are compatible with games purchased via Steam, at retail, and other digital outlets."
