News

Researchers Claim Discovery of SSL Encryption Vulnerability

Attacks based on an implementation flaw of the Secure Sockets Layer (SSL) cryptographic protocol will be demonstrated on Friday by two security researchers.

Thai Duong and Juliano Rizzo plan to demonstrate their proof-of-concept code BEAST (Browser Exploit Against SSL/TLS) at this week's Ekoparty security conference in Argentina, which can lead to a hijacker taking control of a user's session from a specific Web site.

"We present a new fast block-wise chosen-plaintext attack against SSL/TLS," wrote Rizzo, in an announcement of the pair's upcoming demonstration. "We also describe one application of the attack that allows an adversary to efficiently decrypt and obtain authentication tokens and cookies from HTTPS requests. Our exploit abuses a vulnerability present in the SSL/TLS implementation of major Web browsers at the time of writing."

Rizzo said that if this vulnerability is perfected, an attacker could have the unwanted code installed and executed in as short as 10 minutes on an unsuspecting user's system.

What makes this vulnerability unique is that it allows an attacker to bypass Web certificates to initiate phishing, man-in-the-middle attacks or spoofed Web content -- an action that was widely thought to be unable to do.

"It is worth noting that the vulnerability that BEAST exploits has been presented since the very first version of SSL," said Duong, in an interview with security Web site ThreatPost. "Most people in the crypto and security community have concluded that it is non-exploitable, that's why it has been largely ignored for many years."

While newer versions (1.1 and 1.2) of the Transport Layer Security (TLS) cannot be taken advantage of from this exploit, most Web browsers, including Chrome and Firefox, still only support the older, vulnerable version 1.0.

For the team of Rizzo and Duong, this isn't their first high-profile security discovery -- the two were responsible for discovering a bug in the default encryption mechanism used to protect the cookies in ASP.NET last year, which led to an out-of-band patch.

 

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Microsoft Ups Its Windows 10 App Compatibility Assurances

    Microsoft gave assurances this week that organizations adopting Windows 10 likely won't face application compatibility issues.

  • SharePoint Online Users To Get 'Modern' UI Push in April

    Microsoft plans to alter some of the tenant-level blocking capabilities that may have been set up by organizations and deliver its so-called "modern" user interface (UI) to Lists and Libraries for SharePoint Online users, starting in April.

  • How To Use PowerShell Splatting

    Despite its weird name, splatting can be a really handy technique if you create a lot of PowerShell scripts.

  • New Microsoft Customer Agreement for Buying Azure Services To Start in March

    Microsoft will have a new approach for organizations buying Azure services called the "Microsoft Customer Agreement," which will be available for some customers starting as early as this March.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.