Proof-of-concept code called BEAST, short for Browser Exploit Against SSL/TLS, can defeat SSL on an address protected by the HTTPS prefix… which is like every secure site on the Internet.
Researchers Thai Duong and Juliano Rizzo will demonstrate BEAST to decrypt an authentication cookie used to access a PayPal account. They claim to have figured out a way to defeat TLS 1.0/SSL 3.0 by breaking the underlying encryption it uses, allowing eavesdropping on any HTTPS connection. If this is true, then your secure connection to your bank, Facebook account, Amazon, Gmail, secure Instant Messaging and even VPNs (Virtual Private Networks) is potentially worthless.
Initial reports suggested that BEAST requires about two seconds to decrypt each byte of an encrypted cookie, which essentially meant that a typical attack would take about a half hour. However, the researchers now claim to have optimized the code and can accomplish the same feat in under 10 minutes.
“BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection,” Trevor Perrin, an independent security researcher, wrote in an email. “If the attack works as quickly and widely as they claim it’s a legitimate threat.”
BEAST only works against TLS (Transport Layer Security) version 1.0 or earlier… the successor to the Secure Sockets Layer technology that provides secure communication between your web browser and an Internet server. TLS versions 1.1 and 1.2 do not suffer from the same security vulnerability. Sadly, neither of those is widely implemented, because many browsers and sites do not support them.
So why don’t we just start using a later version of TLS? It’s a chicken-or-the-egg scenario. Most browsers don’t support the later versions, so websites fail to employ them. Because websites fail to employ them, most browsers don’t implement them. Because the majority of websites and browsers only support SSL 3.0 and TLS 1.0, anybody who switches their site to only support 1.1 or 1.2 loses much of their traffic… and vice versa.
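The version limit described above (TLS 1.0 or earlier is affected, TLS 1.1 and 1.2 are not) can be checked from the defender's side by reading the version a server selects in its ServerHello. This is an added example, not code from the article or from the researchers; `parse_server_hello`, `build_sample` and the sample bytes are constructed for illustration.

```python
import struct

# Wire (major, minor) values of the protocol versions named in the article.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
BEAST_MAX = (3, 1)  # per the article: BEAST works against TLS 1.0 or earlier


def parse_server_hello(record: bytes) -> dict:
    """Read the selected version and cipher suite from one TLS handshake record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rmaj, _rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) != rlen or rlen < 4:
        raise ValueError("truncated record body")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    # Fixed part: server_version(2) + random(32) + session_id length(1)
    if len(hello) != hlen or hlen < 35:
        raise ValueError("truncated ServerHello")
    version = (hello[0], hello[1])
    off = 35 + hello[34]  # skip the variable-length session id
    if len(hello) < off + 3:  # cipher_suite(2) + compression_method(1)
        raise ValueError("truncated ServerHello")
    return {
        "version": VERSIONS.get(version, "unknown %d.%d" % version),
        "cipher_suite": int.from_bytes(hello[off:off + 2], "big"),
        "in_beast_range": version <= BEAST_MAX,
    }


def build_sample(version, suite=0x002F):
    """Constructed ServerHello for the demo: zeroed random, empty session id."""
    hello = bytes(version) + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    for v in [(3, 0), (3, 1), (3, 2), (3, 3)]:
        r = parse_server_hello(build_sample(v))
        state = "in BEAST range" if r["in_beast_range"] else "outside BEAST range"
        print(r["version"], "->", state)
```

Fed the first handshake record a server sends in a packet capture, this shows which of your endpoints still negotiate a version inside the range the article describes.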
Read more at The Register