Answer

Does BEAST SSL tool represent an SSL threat?

A pair of researchers recently created a tool called Browser Exploit Against SSL/TLS, or BEAST, which enables an attacker to intercept and decrypt SSL cookies on the same network by performing a "blockwise-adaptive chosen-plaintext" attack on encrypted packets. Does this BEAST SSL tool give attackers a powerful new weapon to break SSL/TLS encryption; how much of a risk does it pose to enterprises, and are there any mitigation tactics that can be put in place?

    Requires Free Membership to View

Ask the Expert!

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

Before we assess the threat posed by the BEAST SSL tool, let's examine the context. Researchers Juliano Rizzo and Thai Duong expanded on Bruce Schneier and David Wagner’s analysis  (.pdf) from 1999. In looking at SSL 3.0, Schneier and Wagner found that, despite several "minor" flaws, including the one mentioned above, SSL was still largely secure enough for broad use.

The vulnerability was classified as theoretical until Rizzo and Duong’s presentation at ekoparty Security Conference 7 in 2011. Once the theoretical bug had a publically known working exploit, browser vendors and other affected software makers released patches to ensure their users were protected from the attacks. The attack presented requires access to the local network and the potential victim to execute JavaScript in his or her Web browser. The general vulnerability is neither HTTPS specific nor does it attack PKI in general, but exploits the underlying SSL/TLS protocol. The working exploit though is HTTPS specific.

The risk to enterprises is fairly low given that most vendors have patched their software, but enterprises need to ensure all vulnerable software is updated in a reasonable time frame to prevent their users from being exploited. Other mitigation steps include restricting JavaScript in Web browsers and using a VPN connection to a trusted network to protect against the man-in-the-middle aspect of the attack. The BEAST SSL tool does give attackers a new tool to attack SSL/TLS encryption, and so it is a viable SSL threat. Looking at the big picture though, even with this attack being patched, there are other attacks such as sslstrip, sslsniff and webmitm that can be used to attack SSL-encrypted connections, so users should remain cautious when using open wireless networks and be careful with SSL connections in general.

This was first published in May 2012

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: