The BEAST SSL Attack and the postponed Digital Apocalypse
When it comes to security flaws of SSL/TLS (either in theory or in implementation), then a lot of people get very nervous. The past days have been full of media coverage of the BEAST SSL Attack. Since Juliano Rizzo and Thai Duong have published their results the level of speculation has dropped. Let’s replace panic by analysis of facts.
Starting with the name of the BEAST, Browser Exploit Against SSL/TLS Tool, it is clear that a browser and a web site is involved. If you take a look at the description of the attack, you can infer that the impact doesn’t affect all SSL/TLS deployments. The following text is taken from Bruce Schneier’s blog entry on BEAST.
The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text sent by the target’s browser into the encrypted request stream to determine the shared key. The code can be injected into the user’s browser through JavaScript associated with a malicious advertisement distributed through a Web ad service or an IFRAME in a linkjacked site, ad, or other scripted elements on a webpage.
Actually this doesn’t reduce the scope for Web interactions since a lot of web sites use either active or passive content from third-party sources. Injecting ads is a classical attack vector. However it gives you some hints for your defence. Reducing the third-party content is an option here. This is very easy for internal applications and very hard for your typical Web 2.0 mashup. The vast amount of known plain-text data in web applications facilitates the attack (as pointed out in 1999 by Bruce Schneier and David Wagner).
But BEAST is slow. To quote from the same article as above: „BEAST currently needs sessions of at least a half-hour to break cookies using keys over 1,000 characters long.“ So not every SSL/TLS transmission is automatically vulnerable.
If you want to understand what the attack is based on, we recommend the articles Chrome and the BEAST and Tor and the BEAST SSL Attack. The latter article contains useful information for TOR network users. There is also an article in the ISC Diary about the various levels of TLS supported in web browsers. The most important aspect of Rizzo’s and Duong’s work is the practical implementation of a theoretical flaw. This is why re-evaluating your security measures is highly important. Cryptographic tools in particular need a period review because algorithms are constantly tested and some might break sooner or later. You should be aware that the combination of key lengths, algorithms and block cipher modes is never for all eternity. Make sure that you follow the efforts of security researchers to get warnings and recommendations before your cryptographic backbone breaks.