"False Start's sad demise: Google abandons noble attempt to make SSL less painful"
Google is abandoning an SSL tweak that significantly reduces the time it takes websites to establish encrypted connections with end-user browsers because the experimental technique was causing problems with too many HTTPS servers.
Google security researcher Adam Langley, who announced False Start in 2010, said on Wednesday it would be disabled in version 20 of the company's Chrome browser. Although the technique reduced the latency of an SSL handshake by 30 percent and worked with the vast majority of websites, it remained incompatible with an unacceptably large number of them, mostly those that used dedicated hardware known as SSL terminators, which offload SSL processing from the servers.
"These hardware devices terminate SSL connections and proxy unencrypted data to backend HTTP servers," Langley wrote in a post titled False Start's Failure. "I believe that False Start intolerance is very simple to fix in the code and one vendor suggested that was the case. None the less, of the vendors who did issue an update, most failed to communicate that fact to their customers."
Langley went on to say he has experienced similar problems getting manufacturers of SSL products to make changes that protect against an exploit demonstrated in September known as BEAST, which can silently decrypt SSL-protected data that's passing between a webserver and an end-user browser.
Continued: http://arstechnica.com/business/news/2012/04/google-abandons-noble-experiment-to-make-ssl-less-painful.ars
Also: Google's False Start gets a real stop