BEAST-driven SSL attack not as bad as it seems, claims Context

As reported previously, the researchers Thai Duong and Juliano Rizzo said they had found a way of breaking the SSL/TLS encryption that is widely used to guarantee the reliability and privacy of data exchanged between web browsers and servers.

After analysing the researchers’ findings, Context says that hackers are very unlikely to use the complex attack methodology and has provided some advice on how to further reduce the risks.

“In effect, BEAST is simply a practical way to exploit an existing theoretical vulnerability in older versions of TLS/SSL (TLSv1.0, SSLv3.0 and lower), commonly used for HTTPS connections”, said Michael Jordon, the firm’s research and development manager.

“For an attack to be effective, a vulnerable version of SSL using a block cipher must be used; network sniffing of the connection must be possible; and there also has to be a successful Java applet injection into the same origin of the web site.”

According to Jordon, developers can already increase the complexity and mitigate the risk of malicious content being injected within the same origin through actions such as setting the HTTPOnly property that prevents applets or JavaScript from gaining access to the cookie and prevents session hijacking.

Against this backdrop, Context’s research team argues that, in terms of risk, the BEAST attack is similar to not setting the HTTPOnly property on cookies, which is something that is not unusual among websites.

“If people are concerned about the BEAST attack, we suggest they first look to see if their HTTPOnly property is set properly. If it is not, then a BEAST attack would not be needed to deliver the same opportunities to hackers”, Jordon explained.

Jordon went on to say that the major vendors of both browsers and server-side technologies have also announced that they are working on patches for TLS 1.0.

Within a controlled environment such as an internal network, he says it may be possible to upgrade all users and servers to products that support TLS 1.1/1.2. However, he notes, this could mean that some users may have difficulties accessing older web servers.
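
The checks described above, combined into one triage function as an added example (not code from Context or the article). It assumes protocol strings as returned by Python's `ssl.SSLSocket.version()` and OpenSSL-style cipher names; the function names and sample headers are constructed for illustration.

```python
# Added example: triage a site against the conditions named in the article.
# Inputs are plain strings so the check runs offline; on a live connection the
# protocol and cipher can be read from ssl.SSLSocket.version() and .cipher()[0].

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}    # TLS 1.0 / SSL 3.0 and lower
NON_CBC_TAGS = ("RC4", "GCM", "CCM", "CHACHA20")  # stream or AEAD suites (assumed naming)

def cookie_flags(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    first, *attrs = set_cookie.split(";")
    name = first.split("=", 1)[0].strip()
    return name, {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}

def uses_block_cipher_on_legacy_protocol(protocol, cipher):
    """True when the connection pairs an old protocol version with a block cipher."""
    is_block = not any(tag in cipher.upper() for tag in NON_CBC_TAGS)
    return protocol in LEGACY_PROTOCOLS and is_block

def triage(protocol, cipher, set_cookie_headers):
    """Report both findings and which one to address first, following the article's advice."""
    exposed = [name for name, flags in map(cookie_flags, set_cookie_headers)
               if "httponly" not in flags]
    legacy = uses_block_cipher_on_legacy_protocol(protocol, cipher)
    # A cookie readable by script needs no BEAST attack, so it ranks first.
    fix_first = "HttpOnly" if exposed else ("TLS upgrade" if legacy else None)
    return {"beast_precondition": legacy,
            "cookies_without_httponly": exposed,
            "fix_first": fix_first}

# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = [
    "SESSIONID=3f9a1c; Path=/; Secure; HttpOnly",
    "auth_token=abc123; Path=/; Secure",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    print(triage("TLSv1", "AES128-SHA", SAMPLE_HEADERS))
```

The checker flags every cookie that lacks the attribute; deciding which of those carry session state is left to the reviewer.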

