Problem solve Get help with specific problems with your technologies, process and projects.

Does BEAST SSL tool represent an SSL threat?

Expert Nick Lewis analyzes the potential SSL threat that the BEAST SSL tool poses and discusses whether enterprises should be concerned.

A pair of researchers recently created a tool called Browser Exploit Against SSL/TLS, or BEAST, which enables an attacker to intercept and decrypt SSL cookies on the same network by performing a "blockwise-adaptive chosen-plaintext" attack on encrypted packets. Does this BEAST SSL tool give attackers a powerful new weapon to break SSL/TLS encryption; how much of a risk does it pose to enterprises, and are there any mitigation tactics that can be put in place?

Ask the Expert!

Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)

Before we assess the threat posed by the BEAST SSL tool, let's examine the context. Researchers Juliano Rizzo and Thai Duong expanded on Bruce Schneier and David Wagner’s analysis  (.pdf) from 1999. In looking at SSL 3.0, Schneier and Wagner found that, despite several "minor" flaws, including the one mentioned above, SSL was still largely secure enough for broad use.

The vulnerability was classified as theoretical until Rizzo and Duong’s presentation at ekoparty Security Conference 7 in 2011. Once the theoretical bug had a publically known working exploit, browser vendors and other affected software makers released patches to ensure their users were protected from the attacks. The attack presented requires access to the local network and the potential victim to execute JavaScript in his or her Web browser. The general vulnerability is neither HTTPS specific nor does it attack PKI in general, but exploits the underlying SSL/TLS protocol. The working exploit though is HTTPS specific.

The risk to enterprises is fairly low given that most vendors have patched their software, but enterprises need to ensure all vulnerable software is updated in a reasonable time frame to prevent their users from being exploited. Other mitigation steps include restricting JavaScript in Web browsers and using a VPN connection to a trusted network to protect against the man-in-the-middle aspect of the attack. The BEAST SSL tool does give attackers a new tool to attack SSL/TLS encryption, and so it is a viable SSL threat. Looking at the big picture though, even with this attack being patched, there are other attacks such as sslstrip, sslsniff and webmitm that can be used to attack SSL-encrypted connections, so users should remain cautious when using open wireless networks and be careful with SSL connections in general.

This was last published in May 2012

Dig Deeper on VPN security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.