SSL is a critically important part of Internet security and it has come under increasing scrutiny in recent months. Last Friday, a pair of security researchers demonstrated a new attack called SSL BEAST at a conference in Brazil. Researchers Thai Duong and Juliano Rizzo leveraged weaknesses in cipher block chaining (CBC) to exploit SSL.
“The SSL standard mandates the use of the CBC mode encryption with chained initialization vectors (IV),” the researchers wrote in a white paper detailing their research. “Unfortunately, CBC mode encryption with chained IVs is insecure, and this insecurity extends to SSL.”
While Google has already taken steps to protect its users, Microsoft sees the risk as being low.
“Microsoft is aware of the industry-wide SSL 3.0 / TLSv1.0 issue demonstrated at a recent security conference which we believe presents low risk to our customers and to the Internet,” Jerry Bryant, Group Manager, Response Communications, Microsoft Trustworthy Computing said in a statement emailed to InternetNews.com. “Windows 7 and Windows Server 2008 R2 support TLSv1.1 and TLSv1.2 but due to compatibility issues with many web sites, are not enabled by default.”