Proactive IT Security
 

BEAST (Browser Exploit Against SSL/TLS)

Introduction

There has been quite a lot of discussion about BEAST recently. BEAST stands for Browser Exploit Against SSL/TLS, a type of attack that is challenging for the involved vendors to defend against.

SSL/TLS is used to perform secure communication between a browser and a server, for example to perform bank payments and credit card transactions. It is widely used all over the Internet.

Background

The BEAST attack was publicly demonstrated by Juliano Rizzo and Thai Duong at the ekoparty security conference on 23 September, and a film and blog item describing the attack were published on 25 September. Months before, however, browser vendors had been informed about the vulnerability and the fact that a workable exploit would be published.

The issue is a Man-in-the-Middle attack, which enables stealing information from communication protected by SSL/TLS (version 1.0).

A successful attack is not particularly easy to carry out, as it depends on several prerequisites. The threat to most browser users is therefore small. For a more detailed discussion, we refer to the links at the end of this article.

One interesting point that should be mentioned is that the BEAST issue is not a vulnerability in the browser vendors' implementation of the secure communication protocols. It is a vulnerability in the protocol itself.

Interestingly, newer versions of the TLS protocol are not vulnerable to BEAST.

We refer to the links at the end of this article for more technical details about how BEAST functions.

Protection plans

As mentioned above, newer versions of the TLS protocol exist that do not have the BEAST vulnerability.

The problem, however, is that even if the browser vendors updated their browsers to support a more secure TLS version by default, this would be only marginally helpful. The reason is that the overwhelming majority of the web servers that communicate with the browsers have not set up TLS 1.1 or later. A successful exchange of information between the browser and the server requires that they run the same protocol.

We will presumably see different - and parallel - techniques for providing protection against the BEAST issue:

  • Vendors of server software will - if needed - update their server programs to support versions of TLS that are not vulnerable.
  • Organizations running web servers that offer SSL/TLS communication will in days, weeks and months (even years?) implement versions of TLS that are not vulnerable.
  • Vendors of web browsers will - if needed - update their programs to support versions of TLS that are not vulnerable.
  • Browser vendors will also come up with special protection techniques against the BEAST attacks in the different browsers.
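
To see which protocol version a server actually settles on, the ServerHello it sends during the handshake can be inspected. The Python code below is an added example, not part of the original article: it parses one captured ServerHello record and reports whether the server selected TLS 1.0 or older. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Wire values (major, minor) of the protocol version field.
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2"}  # TLS 1.3 also sends 3.3 in this legacy field


def parse_server_hello(record: bytes) -> dict:
    """Extract the version the server selected from one TLS handshake record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record body")
    msg_type = body[0]
    msg_len = int.from_bytes(body[1:4], "big")
    if msg_type != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hello = body[4:4 + msg_len]
    # server_version(2) + random(32) + session_id_len(1) form the fixed prefix.
    if len(hello) != msg_len or msg_len < 35:
        raise ValueError("truncated ServerHello")
    version = (hello[0], hello[1])
    sid_len = hello[34]
    rest = hello[35 + sid_len:]
    if len(rest) < 3:
        raise ValueError("missing cipher suite or compression method")
    return {
        "version": VERSION_NAMES.get(version, "unknown %d.%d" % version),
        "cipher_suite": int.from_bytes(rest[:2], "big"),
        # TLS 1.0 is the version the article names; SSL 3.0 is older still.
        "beast_exposed": version <= (3, 1),
    }


def build_sample_hello(major: int, minor: int, suite: int) -> bytes:
    """Constructed sample input: a minimal ServerHello with an all-zero random."""
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for minor in (1, 2, 3):
        print(parse_server_hello(build_sample_hello(3, minor, 0x002F)))
```

A browser that offers TLS 1.1 or later and still receives a ServerHello with version 3.1 is talking to a server that has not yet been upgraded, which is the situation described above.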

End users are also able to mitigate the risk of becoming victims of BEAST attacks. One simple measure is that whenever you access a secure web site to perform sensitive tasks, you should close all browser windows and do your work in a freshly started browser. When the task is finished, you should close this browser before you restart the browser to perform other tasks.

More information