Most observers expect that all current capable browsers will enable TLS 1.1 and 1.2 by default soon. Microsoft offers built-in cipher support through its Schannel mechanism, an inherent part of Microsoft Windows. Both Microsoft Internet Explorer (5 and later) and Apple Safari (running on Windows) use Schannel. Schannel currently offers support for TLS 1.1 and 1.2 only on Microsoft Windows 7/Windows Server 2008 R2 (and later). It is unknown what Microsoft plans to do regarding earlier versions of Windows.
In current versions of IE, TLS 1.1 and 1.2 are available but not enabled by default. All readers with Internet Explorer should enable TLS 1.1 and 1.2 now. To enable them in IE, from the menu choose Tools, Internet Options, and then the Advanced tab. Go to the bottom of the Settings list and enable TLS 1.1 and 1.2. Opera 10.x and later support TLS 1.1 and 1.2.
Unfortunately, you really aren't fully protected unless you disable all other HTTPS protocols prior to TLS 1.1 and 1.2. Although you can do this in IE and Opera, you'll quickly find out that most websites don't yet support the newer protocols. Some early website surveys are reporting less than 1 percent of HTTPS websites support TLS 1.1 or 1.2.
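To see where a Windows host actually stands after the IE change above, here is an added read-only audit script (not from the article) that reports which SSL/TLS versions Internet Explorer and Schannel are configured to offer, including whether the older protocols are still enabled. It assumes the standard Schannel and IE registry locations on Windows 7/Server 2008 R2 and later; the "browser default" wording for an absent IE value is an assumption.

```powershell
# Added example: audit the SSL/TLS versions IE and Schannel will use. Read-only.
$versions = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

# Internet Explorer keeps the Advanced-tab protocol checkboxes as one bitmask.
$ieBits = @{ 'SSL 2.0' = 8; 'SSL 3.0' = 32; 'TLS 1.0' = 128; 'TLS 1.1' = 512; 'TLS 1.2' = 2048 }
$ieKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$mask   = (Get-ItemProperty -Path $ieKey -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols

Write-Host "Internet Explorer (SecureProtocols = $mask):"
foreach ($v in $versions) {
    if ($null -eq $mask) { $state = 'not set (browser default; assumption)' }
    elseif ($mask -band $ieBits[$v]) { $state = 'enabled' }
    else { $state = 'disabled' }
    Write-Host ("  {0,-8} {1}" -f $v, $state)
}

# Schannel: each protocol has Client and Server subkeys. A missing key or value
# means the OS default applies; Enabled=0 or DisabledByDefault=1 restricts use.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
Write-Host "`nSchannel:"
foreach ($v in $versions) {
    foreach ($side in 'Client', 'Server') {
        $p = Get-ItemProperty -Path (Join-Path $base "$v\$side") -ErrorAction SilentlyContinue
        if ($null -eq $p -or ($null -eq $p.Enabled -and $null -eq $p.DisabledByDefault)) {
            $state = 'OS default'
        }
        elseif ($p.Enabled -eq 0) { $state = 'disabled (Enabled=0)' }
        elseif ($p.DisabledByDefault -eq 1) { $state = 'available but not offered (DisabledByDefault=1)' }
        else { $state = 'enabled' }
        Write-Host ("  {0,-8} {1,-7} {2}" -f $v, $side, $state)
    }
}
```

Run it in an elevated PowerShell session after changing the IE settings; anything still listed as enabled for SSL 3.0 or TLS 1.0 is what the browser will fall back to with sites that do not yet offer TLS 1.1 or 1.2.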
Google Chrome, Mozilla Firefox, and Safari running on Mac OS X use their own cipher engines. Chrome and Firefox use NSS (Network Security Services) for SSL/TLS support. NSS does not currently support TLS 1.1 or 1.2, so neither Chrome nor Firefox currently supports them without an upgrade or fix. Google Chrome will have a custom fix out soon that defangs the BEAST attack by inserting more randomness into TLS 1.0. Mozilla has had bug requests asking for newer TLS support in Firefox going back to March 2008, but so far has not publicly announced its intentions to combat the BEAST attack. Safari on Mac OS X supports only TLS 1.0. For the time being, some users are reverting to IE or Opera for HTTPS-protected websites.
Whether your mobile device or smartphone supports TLS 1.1 or 1.2 is another question. WebKit, which is used by Safari and other browsers, was updated in November 2010 to support the latest versions, but you'll have to test to see if your mobile device has that version.
The BEAST attack is a serious threat against browsers. The MitM requirement will probably slow down the attack's spread in the wild, which will give websites and browser vendors a window of opportunity to roll over to TLS 1.1 or TLS 1.2 with all deliberate speed. We've known about this vulnerability for at least 10 years. It's a shame that it has taken a real-world attack tool to spur us to abandon protocols that are at least half a decade old.
BEAST is not likely to impact millions of users immediately, but it has serious implications for the unlucky victims. If we're lucky, the BEAST attack will be recorded in history as a wake-up call rather than a wholesale security disaster.
This story, "Red alert: HTTPS has been hacked," was originally published at InfoWorld.com.