BEAST still tackles SSL servers

Monday, October 22, 2012 @ 11:10 AM gHale


Just because people become aware of a vulnerability, it does not mean they will mitigate, just look at the lack of patching that truly goes on.

That is why it appears to be no surprise that one year after researchers discovered SSL sites were vulnerable to the BEAST attack, users remain vulnerable.

RELATED STORIES
New Attack Hijacks HTTPS Sessions
Report: Mobile Technology Crime on Rise
Malware Continues to Rise
Malware Bypasses Defenses with Ease

BEAST is short for Browser Exploit Against SSL/TLS, which is a stealthy piece of JavaScript that works with a network sniffer to decrypt the encrypted cookies a targeted website uses to grant access to restricted user accounts, said researchers at SSL Labs.

Of 179,000 popular websites secured with the secure sockets layer (SSL) protocol shows 71 percent (127,000) are still vulnerable to the BEAST attack, according to October figures from SSL Pulse survey.

The latest stats show little change from September figures, down just one percent from the 71.6 percent vulnerable to the BEAST attack.

Exposure to the CRIME attack was also an issue with 41 percent of the sample support SSL Compression, a key prerequisite of the attack.

The CRIME technique lures a vulnerable web browser into leaking an authentication cookie created when a user starts a secure session with a website. Once the hacker has the cookie, he can then use it to log in to the victim’s account on the site.

The root cause of the BEAST attack, first outlined by security researchers over a year ago in September 2011, is a vulnerable ciphersuite on servers. The dynamics of the CRIME attack are more complex but capable of ending at the browser or quashed on a properly updated and configured server.

The SSL Pulse survey also looks at factors such the completeness of certificate chains and cipher strengths, among other factors.

Of the 179,000 sites surveyed 24,400, 13.6 percent, were “secure sites”, according to SSL Labs.



Leave a Reply

You must be logged in to post a comment.