Since September 19, a couple of news items (http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ and https://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091611) have been released that do not inspire much confidence in the viability of ebanking security over SSL. More details are expected in the next few days.
As a workaround, the preferred solution would be to use a web browser that only supports TLS 1.1 or later (with SSL 3.0 and TLS 1.0 disabled) and ONLY connect to sites that support TLS 1.1. In my brief test on September 20, PayPal, Wells Fargo, Citibank and Bank of America do NOT successfully pass the test. With SSL 3.0 disabled and TLS 1.1 enabled, the pages will not load in Internet Explorer version 9 (which is the ONLY browser I am aware of that supports TLS 1.1, and it is not enabled by default). That result implies that the web sites themselves do not support TLS 1.1 or later. Both the client browser side and the web server side will require support to comprehensively address the vulnerability.
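The server-side half of that test can be repeated from a script rather than by toggling browser settings: the following is an added example (not from the original post) that handshakes with each site using a client context that refuses SSL 3.0 and TLS 1.0, just as the recommended browser configuration does, and reports which sites still load. It assumes Python 3.7 or later; note that current OpenSSL 3 builds only allow TLS 1.1 itself at security level 0, so a site that offers nothing newer than TLS 1.1 may still be reported as failing and should be confirmed by hand.

```python
import socket
import ssl

# Minimum protocol the workaround asks the browser to accept (TLS 1.1).
MIN_VERSION = ssl.TLSVersion.TLSv1_1


def make_strict_context(min_version=MIN_VERSION):
    """Build a client context that refuses SSL 3.0 and TLS 1.0, mirroring a
    browser configured for TLS 1.1 and later only."""
    ctx = ssl.create_default_context()  # still verifies the server certificate
    ctx.minimum_version = min_version
    return ctx


def probe(host, port=443, timeout=5.0):
    """Handshake with host using the strict context. Returns the negotiated
    protocol name (e.g. 'TLSv1.2') on success, or None when the server could
    not agree on TLS 1.1 or later (or could not be reached at all)."""
    ctx = make_strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def classify(results):
    """Map {host: negotiated-version-or-None} to 'pass' / 'FAIL'; pass means
    the site remains usable from a browser with SSL 3.0 and TLS 1.0 disabled."""
    return {host: ("pass" if version else "FAIL")
            for host, version in results.items()}


if __name__ == "__main__":
    # Constructed host list; replace with the banking sites you need to verify.
    hosts = ["www.example.com"]
    results = {h: probe(h) for h in hosts}
    for host, verdict in classify(results).items():
        detail = results[host] or "no TLS 1.1+ handshake"
        print(f"{host}: {verdict} ({detail})")
```

A "FAIL" verdict means the site will not load in a browser restricted to TLS 1.1 or later, which is exactly the condition the manual test above observed.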
I will provide more information as it becomes available. Using other services (such as a smart phone application) for ebanking is recommended until that is forthcoming.
Update September 27
Late yesterday, Microsoft provided a link to their recommendations on how to reduce the risk of SSL sessions being compromised by the BEAST proof of concept. The Microsoft solution depends on the use of Internet Explorer version 9 configured to use TLS 1.1 or 1.2 only, in addition to only establishing SSL connections to web servers that support TLS 1.1 or 1.2. Microsoft also recommends setting the Internet and local Intranet security zones to ‘high’ to block ActiveX controls and active scripting in those zones. Alternatively, Internet Explorer can be configured to prompt the user before running ActiveX controls or active scripting in the Internet or local Intranet security zones. Please see the following URL for additional details on setting these browser options: http://technet.microsoft.com/security/advisory/2588513
Staff using the Firefox browser from Mozilla can download and install the http://noscript.net/ plugin for Firefox. It lets you choose which sites are allowed to execute JavaScript code. By allowing only trusted sites, the potentially malicious code that has been used to perform the proof of concept (in this case the JavaScript application known as BEAST, http://ekoparty.org/2011/juliano-rizzo.php, though other versions are likely to follow) can be prevented from running on workstations.