Browsers Buttress for BEAST Battle

Monday, September 26, 2011 @ 12:09 PM gHale

In a very short time SSL BEAST research will come out and browser vendors will have to come up with new ways to protect their products.

The easiest way to fix the problem would be to upgrade to the newer versions of the security protocols implemented so far. TLS 1.1 and 1.2 are not susceptible to the attack but the problem is most websites don’t support these types of encryption protocols.

BEAST on Loose; Google gets Ready
Attack Breaks Confidentiality Code
Spam Attack Via Bogus Certificates
Oracle Security Holes

Opera has already successfully incorporated the improved protocols which activate by default. However, users can disable the advanced encryption, leaving the browser vulnerable.

As Opera researchers discovered, this upgrade process has pros and cons. Even though TLS 1.1 and TLS 1.2 are relatively old, website builders have not enforced them. On the other hand, website builders have not implemented the new encryption because they fear if their customer’s web application is incompatible, they’ll lose their business.

Internet Explorer 9 can protect users against SSL attacks but only if they activate the later versions manually. The downside is if the accessed webpages don’t support these variants, the site’s visitors will not be able to properly access the content.

Google officials are patching Chrome.

Mozilla’s Firefox products only support SSL 3.0 and TLS 1.0 which are highly vulnerable to attack.

Thierry Zoller of G-SEC, a non-commercial and independent group of information security specialists based in Luxembourg, offered some advice on measures to take in order to have an SSL configuration that would not be so exploitable. An Elliptic key cryptography as preferred cipher, the use of AES as encryption algorithm, a minimum encryption key length of 128-bit and revoked support for SSLv2 and SSLv3 are just a few recommendations.

Leave a Reply

You must be logged in to post a comment.