A pair of researchers have unveiled a serious new attack on web browser security.The researchers used this week’s Ekoparty security conference in Buenos Aires to unveil a new tool that attacks TLS and SSL, the cryptographic protocols used to establish secure web connections.
The ability to crack encrypted web traffic removes the safety net that protects you when you’re doing sensitive online tasks like banking or using credit cards.
The tool, known as BEAST (Browser Exploit Against SSL/TLS), compromises TLS by exploiting a vulnerability that has been known about for years but which has been treated as a theoretical problem until now.
owever, although researchers Thai Duong and Juliano Rizzo have significantly raised the stakes it’s probably too early to start hoarding tins of beans and donning our tin foil hats.
Right now the attack can take up to half an hour to execute. Although the researchers have hinted that this can be significantly reduced the fact is that if you have the malicious nature, time and access required to execute this attack then there are probably easier ways to exercise your criminal ambitions.
Even when governments attack weapons manufacturers, they don’t need to get any more high-tech then basic con tricks like spear-phishing.
The danger of BEASTly attacks against TLS has moved a little closer but we probably have enough time to react before it becomes practical.
A good start would be for browser and server vendors to pull their collective fingers out and start supporting versions 1.1 and 1.2 of TLS. Both of them have specific defences against this kind of attack but unfortunately support for them is poor.
Duong and Rizzo tipped off the major browser vendors about their findings months ago but so far the only response appears to have come from the folks at Chrome. A fix for the attack is currently under test in the development version of their browser.
If you run a web server and you’re concerned you may want to take a look at switching them so that they prefer the rc4-sha cipher. It’s widely supported and isn’t vulnerable to this kind of attack.
Although the BEAST attack is targeted at browsers there are plenty of other applications that rely on TLS, not least mail servers. Although BEAST isn’t targeted at them I’m sure it will have raised eyebrows and their vendors will be taking a keen interest. Keep an eye out for updates and advisories.
If you want to know more about how the attack actually works then I recommend you take a look at nickm’s excellent and accessible write-up over at the Tor project.
[naked security]