Researchers crack SSL encryption
Posted on 21 September 2011.
Two security researchers have found a way of breaking the SSL/TLS encryption that allows the information that passes from browser/user to server and back be reliable and, above all, private.

Thai Duong and Juliano Rizzo are scheduled to demonstrate their BEAST (Browser Exploit Against SSL/TLS) at the Ekoparty security conference of Friday, but information about it was released previously and has created quite a stir in the security community, still rattled by the recent demonstration of fallibility of the CA trust system.

The revelation that the last two versions (1.1 and 1.2) of the TLS cryptographic protocol are safe from such an attack gives almost no satisfaction, as the overwhelming majority of websites protected by it support version 1.0.

BEAST consists of JavaScript code that gets inserted in the user's browser and works with a network sniffer to decrypt the cookies that carry the information - username and password - that allows users to access their accounts.

“BEAST is different than most published attacks against HTTPS,” Duong shared with The Register. “While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

He also claimed that with recently made improvements, it is able to decrypt a typical 1,000 to 2,000 characters long cookie in under ten minutes. Also, that other applications that use the vulnerable TLS version - such as instant messaging and VPN programs - could be attacked with BEAST.

And if you're wondering why a wide implementation of the newest versions of TLS has never happened even though they were released five and three years ago (respectively), the answer lays in the fact that updating it often means that other widely used technologies and popular applications won't work as they should.

This was corroborated by Duong, who say that they have been working with browser and SSL vendors since early May, but that every single proposed fix is incompatible with some existing SSL applications.

“What prevents people is that there are too many websites and browsers out there that support only SSL 3.0 and TLS 1.0. If somebody switches his websites completely over to 1.1 or 1.2, he loses a significant part of his customers and vice versa," he said.






Spotlight

Internet Explorer vulnerabilities increase 100%

Posted on 23 July 2014.  |  Bromium Labs research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013, surpassing Java and Flash vulnerabilities.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Jul 23rd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //