Taming the BEAST

Bruce Morton

The BEAST’s reign of terror may soon be over. The more this topic is discussed, the less vulnerable we appear to be. Adrian Dimcev states in his blog, “Although the attack itself is pretty neat and the demo looks scary, its practicality is very low; the average user would probably not need to worry about.” Taher Elgamal, a creator of SSL, states that the BEAST attack is “technically clever,” but “very over-sold.”

Other industry experts, such as Ivan Ristić of SSL Labs and Steve Dispensa of PhoneFactor, offer their BEAST risk-mitigating strategies in their blogs, which mainly involves the prioritization of RC4 cipher suites. PhoneFactor provides a whitepaper detailing the approach and Microsoft has similar advice regarding RC4 on their post about Security Advisory 2588513.

The lesson of the BEAST is that implementers of SSL/TLS need to keep moving ahead and support the latest versions of the protocol to help mitigate the next BEAST. TLS 1.1 is more than five years old, not vulnerable to the BEAST attack, and yet is not ubiquitously supported by Web servers and browsers. If, as a result, TLS 1.1 and 1.2 achieve support in our SSL/TLS deployments, then the BEAST has served us well.

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.


Add to the Conversation