As many have heard by now, a JavaScript exploit has been proclaimed to exist which can intercept and decrypt (offline, due to slowness) SSL 3.0 and TLS 1.0 traffic, which most websites use for securing sessions. While this is a rather interesting concept, as the sourced article points out (link below), this is nothing new. We have been asked frequently over this past weekend if we had any knowledge of this exploit, its actual attack vector, whether this will cause serious damage to the internet as a whole, and the inevitable "can I use this to hack Facebook/E-mail/MySpace/whatever".
As best as we can tell, while this may truly pose a serious risk if successfully injected into a secure website via an exposed cross-site scripting exploit, we and many others do not believe this will cause any real problems. At this time, Mozilla, Google, and perhaps also Microsoft are working to secure their browsers against this for future releases.
HackThisSite still intends on preparing a fully-SSL/TLS encrypted capability for the website and forums in spite of this potential exploit. Within the next couple website updates, we will be releasing our Root CA (for use with the website, IRC, and anywhere else we will be using SSL).
If anyone has anything further to add on this story, please feel free to post a comment. Also, articles concerning this exploit are more than welcome.
Source:
Ars Technica