Researchers Crack SSL Encryption

“Two security researchers, Thai Duong and Juliano Rizzo, are scheduled to demonstrate their BEAST (Browser Exploit Against SSL/TLS) at the Ekoparty security conference, but information about it was released previously and has created quite a stir in the security community, still rattled by the recent demonstration of fallibility of the CA trust system. BEAST is like a cryptographic Trojan horse -an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection. It decrypts the cookies that carry the information – username and password – that allows users to access their accounts . Although TLS 1.1 has been available since 2006 and isn’t susceptible to BEAST’s chosen plaintext attack, virtually all SSL connections rely on the vulnerable TLS 1″, the media reported. Duong shared with The Register : “BEAST is different than most published attacks against HTTPS. While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests .” Duong also claimed that with recently made improvements, it is able to decrypt a typical 1,000 to 2,000 characters long cookie in under ten minute.” What prevents people is that there are too many websites and browsers out there that support only SSL 3.0 and TLS 1.0. If somebody switches his websites completely over to 1.1 or 1.2, he loses a significant part of his customers and vice versa,” he added. And the experts say: “It means that encrypted transactions on PayPal, GMail, and many other websites are vulnerable to eavesdropping by hackers, or the Mullahs and other state thugs, who are able to control the connection between the end user and the website he’s visiting.”

qualys_tls_breakdown.png

The Register also adds: “Chief culprits for the inertia are the Network Security Services package used to implement SSL in Mozilla’s Firefox and Google’s Chrome browsers, and OpenSSL, an open-source code library that millions of websites use to deploy TLS . In something of a chicken-and-egg impasse, neither toolkit offers recent versions of TLS, presumably because the other one doesn’t. Ristic, who presented his findings at the Black Hat security conference in August, has found additional evidence that websites often delay deploying upgrades that fix SSL security holes. His analysis found that as much as 35 percent of websites had yet to patch a separate TLS vulnerability discovered in November 2009 that made it possible to inject text into encrypted traffic passing between two SSL endpoints . Researches said upgrading TLS is proving surprisingly difficult, mostly because almost every fix breaks widely used applications or technologies”. The media also added: “Also, that other applications that use the vulnerable TLS version – such as instant messaging and VPN programs -could be attacked with BEAST And if you’re wondering why a wide implementation of the newest versions of TLS has never happened even though they were released five and three years ago (respectively), the answer lays in the fact that updating it often means that other widely used technologies and popular applications won’t work as they should . This was corroborated by Duong, who say that they have been working with browser and SSL vendors since early May, but that every single proposed fix is incompatible with some existing SSL applications. The revelation that the last two versions (1.1 and 1.2) of the TLS cryptographic protocol are safe from such an attack gives almost no satisfaction, as the overwhelming majority of websites protected by it support version 1.0″, the media added. Now some Iranians ask: “Do the Mullahs use BEAST or the Mullah Beast ? Apparently the Mullah Beast is more dangerous than BEAST” And apparently Iranians only can have bad news in these days !

Comments are closed.

%d bloggers like this: