BEAST: Attacking SSL/TLS

Bruce Morton

In the wake of the DigiNotar compromise comes BEAST, the latest attack on the SSL/TLS protocol — specifically SSL 3.0 (1996) and TLS 1.0 (1999). The recent attacks on certification authorities (CAs) such as Comodo, StartCom, DigiNotar and GlobalSign were attempts to get the CAs to issue fraudulent SSL certificates. BEAST is not used to attack CAs, nor does it attack SSL certificates. BEAST attacks a vulnerability within the underlying TLS protocol.

Short for Browser Exploit Against SSL/TLS, BEAST performs what’s known as a chosen plaintext-recovery attack against AES encryption in SSL 3.0 and TLS 1.0. The technique exploits an encryption mode known as cipher block chaining (CBC), in which the output of the previously encrypted block is mixed into the next block before that block is encrypted.

Theories of such an attack have been known for about a decade. The problem has been fixed in TLS 1.1 (2006) and a workaround is known for SSL 3.0 and TLS 1.0. The issue is that the workaround is not practical due to several buggy implementations of SSL/TLS. In addition, TLS 1.1 has not been implemented in most common SSL/TLS libraries.
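The chaining property described above, and the effect of the TLS 1.1 fix (a fresh IV for every record), shown as an added example that is not from the original post. The block cipher is a toy Feistel construction standing in for AES so the code runs with the standard library alone; `CbcSender`, `guess_is_confirmable` and the sample secret are constructed for illustration.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes, as for AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key, block):
    # 4-round Feistel permutation built on SHA-256: a stand-in for AES
    # (assumption for this example only, so it needs no third-party library).
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

class CbcSender:
    """One direction of a connection encrypting records in CBC mode."""
    def __init__(self, key, chained_iv):
        self.key = key
        self.chained_iv = chained_iv         # True: SSL 3.0/TLS 1.0, False: TLS 1.1
        self.last_block = os.urandom(BLOCK)  # last ciphertext block on the wire

    def send(self, plaintext):
        # SSL 3.0/TLS 1.0 reuse the previous record's last ciphertext block
        # as the IV; TLS 1.1 draws a fresh unpredictable IV for every record.
        iv = self.last_block if self.chained_iv else os.urandom(BLOCK)
        prev, blocks = iv, []
        for i in range(0, len(plaintext), BLOCK):
            prev = toy_encrypt_block(self.key, xor(plaintext[i:i + BLOCK], prev))
            blocks.append(prev)
        self.last_block = prev
        return iv, b"".join(blocks)

def guess_is_confirmable(chained_iv, secret, guess):
    """True if an observer who can choose the next record's first block
    learns whether `guess` equals the earlier one-block `secret`."""
    sender = CbcSender(os.urandom(32), chained_iv)
    iv_s, ct_s = sender.send(secret)   # record carrying the secret block
    predicted_iv = sender.last_block   # already visible on the wire
    # Cancel the predicted IV so the cipher input becomes guess XOR iv_s.
    chosen = xor(xor(guess, iv_s), predicted_iv)
    _, ct_g = sender.send(chosen)
    return ct_g[:BLOCK] == ct_s[:BLOCK]
```

With chained IVs a correct guess reproduces the earlier ciphertext block exactly; with a per-record random IV the prediction is wrong and the comparison tells the observer nothing.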

The good news is that Juliano Rizzo and Thai Duong, BEAST researchers, have been working with browser developers on a fix since June. Mozilla bug 665814 has been the de facto discussion forum for those working on the fix. As such, the issue is widely known and strategies to mitigate such an attack will be implemented.

What actions can you take to tame the BEAST? Although I am not aware of any new software patches that specifically address BEAST, the usual recommendations apply — make sure your browsers are up to date and your Web servers are using the latest software. Also, configure your Web servers to prefer RC4, which is a cipher that does not involve CBC.

Update – Wednesday, October 12th, 2011
In this interview with Taher Elgamal, one of the creators of SSL, he points out that the BEAST relies on the attacker putting malware on the user’s machine. Elgamal states, “Honestly, if I can put malware on your machine, I’m not going to be bothering with your SSL because I can see all the data before it gets encrypted.” The conclusion is that enterprises and end-users should ensure that they are running anti-malware software and are keeping their operating system updated.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
