News

Researchers Claim Discovery of SSL Encryption Vulnerability

Attacks based on an implementation flaw of the Secure Sockets Layer (SSL) cryptographic protocol will be demonstrated on Friday by two security researchers.

Thai Duong and Juliano Rizzo plan to demonstrate their proof-of-concept code BEAST (Browser Exploit Against SSL/TLS) at this week's Ekoparty security conference in Argentina, which can lead to a hijacker taking control of a user's session from a specific Web site.

"We present a new fast block-wise chosen-plaintext attack against SSL/TLS," wrote Rizzo, in an announcement of the pair's upcoming demonstration. "We also describe one application of the attack that allows an adversary to efficiently decrypt and obtain authentication tokens and cookies from HTTPS requests. Our exploit abuses a vulnerability present in the SSL/TLS implementation of major Web browsers at the time of writing."

Rizzo said that if this vulnerability is perfected, an attacker could have the unwanted code installed and executed in as short as 10 minutes on an unsuspecting user's system.

What makes this vulnerability unique is that it allows an attacker to bypass Web certificates to initiate phishing, man-in-the-middle attacks or spoofed Web content -- an action that was widely thought to be unable to do.

"It is worth noting that the vulnerability that BEAST exploits has been presented since the very first version of SSL," said Duong, in an interview with security Web site ThreatPost. "Most people in the crypto and security community have concluded that it is non-exploitable, that's why it has been largely ignored for many years."

While newer versions (1.1 and 1.2) of the Transport Layer Security (TLS) cannot be taken advantage of from this exploit, most Web browsers, including Chrome and Firefox, still only support the older, vulnerable version 1.0.

For the team of Rizzo and Duong, this isn't their first high-profile security discovery -- the two were responsible for discovering a bug in the default encryption mechanism used to protect the cookies in ASP.NET last year, which led to an out-of-band patch.

 

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Microsoft Previews Windows Autopilot for HoloLens 2

    Microsoft on Friday announced a public preview of Windows Autopilot for HoloLens 2, its mixed-reality headset.

  • Microsoft Flirts with Charging for API Software Connections

    Microsoft may have started something new by attempting to charge its customers for software that uses its application programming interfaces (APIs).

  • Overcoming Spacesuit Anxiety During Astronaut Training

    Spacesuits are heavy, claustrophobic and hot -- an uncomfortable combination for many would-be astronauts. Here's how Brien came around to the idea of wearing one.

  • Microsoft Announces Azure Kubernetes Service Enhancements

    Microsoft this week announced a few Azure Kubernetes Service (AKS) product milestones as part of the KubeCon event.

comments powered by Disqus