Browser companies react to BEAST attack
As Juliano Rizzo and Thai Duong have demonstrated on Friday, the SSL/TLS encryption used by the great majority of websites has been cracked.
Their BEAST (Browser Exploit Against SSL/TLS) consists of JavaScript code that gets inserted in the user’s browser and works with a network sniffer to decrypt the cookies that carry the information – username and password – that allows users to access their accounts.
According to The Register, the improvements to the approach have resulted in a fast and successful attack – it took only two minutes for the researchers to get their hands on the login credentials of a user effecting payments on the PayPal website.
As it has been pointed out, there are a number of things that a theoretical attacker should have at his disposal to run such an attack in such a way: a super-fast connection and a presence on the same network used by the targeted user. Also, the attack can be successful only if the information he’s after is located time and time again in a constant location of the encrypted data stream, requiring several hundred HTTPS requests before succeeding.
All in all, it seems that at the time being, users are not in immediate danger of having their passwords sniffed out by random cyber crooks, but browser makers have definitely realized that danger can pop up very soon and have started working on a patch months ago, after being notified by the researchers of their breakthrough.
Google researcher Adam Langley pointed out that the cipher block chaining (CBC) flaw used by Rizzo and Duong to effect the attack is not a new vulnerability. It has been known for a decade, but attacks misusing it have been deemed only theoretical.
As the option of updating the TLS encryption to one of the later version immune to this problem is not up to them, Google Chrome developers have for a while now been working on a workaround that is currently being tested and will, hopefully, be soon pushed out into Chrome’s stable channel and not trigger incompatibility problems.
“It’s also worth noting that Google’s servers aren’t vulnerable to this problem. In part due to CBC’s history, Google servers have long preferred RC4, a cipher that doesn’t involve CBC mode,” he added.
Microsoft reacted by issuing a security advisory detailing the problem and has offered a number of workarounds – including prioritizing RC4 encryption over the use of symmetric encryption algorithms – while its engineers are working on a definitive patch.
Mozilla shared with the public the discussion between the researchers and various engineers (from Microsoft and other companies such as Google) working on the patch, giving insight into the process.