Putting BEAST into Context

Tuesday, November 29, 2011 @ 01:11 PM gHale


The level of risk to enterprises caused by Browser Exploit Against SSL/TLS (BEAST) identified by researchers in late September is not as severe as first thought.

The Beast first came about as researchers Thai Duong and Juliano Rizzo said they had found a way of breaking the SSL/TLS encryption widely used to guarantee the reliability and privacy of data exchanged between web browsers and servers.

RELATED STORIES
Mitsubishi Heavy Data Transfer
Mitsubishi Heavy Hack: Nuclear Info
Chain of Attacks: From Nations to Hackers
BEAST on Loose; Google gets Ready

Understanding the researchers are experts at what they do, hackers are very unlikely to use the complex attack methodology, said security analysts at Context Information Security, who provided some advice on how to further reduce the risks.

“In effect, BEAST is simply a practical way to exploit an existing theoretical vulnerability in older versions of TLS/SSL (TLSv1.0, SSLv3.0 and lower), commonly used for HTTPS connections,” said Michael Jordon, Context’s research and development manager.

“For an attack to be effective, a vulnerable version of SSL using a block cipher must be used; network sniffing of the connection must be possible; and there also has to be a successful Java applet injection into the same origin of the web site,” Jordon said.

Developers can already increase the complexity and mitigate the risk of malicious content injected within the same origin through actions such as setting the HTTPOnly property that prevents applets or JavaScript to gain access to the cookie and prevent session hijacking, Jordon said.

Against this backdrop, Context’s research team said in terms of risk, the BEAST attack is similar to not setting the HTTPOnly property on cookies, which is something that is not unusual among websites.

“If people are concerned about the BEAST attack, we suggest they first look to see if their HTTPOnly property is set properly. If it is not, then a BEAST attack would not be needed to deliver the same opportunities to hackers,” Jordon said.

Jordon went on to say the major vendors of browser and server-side technologies have also said they are working on patches for TLS1.0.

Within a controlled environment such as an internal network, he says it may be possible to upgrade all users and servers to products that support TLS 1.1/1.2. However, he said, this could mean some users may have difficulties accessing older web servers.



Leave a Reply

You must be logged in to post a comment.