HTTPS vulnerable to man-in-the-middle attacks


The secure sockets layer (SSL) and the most widely-used versions of the transport layer security (TLS) encryption protocols are vulnerable to a flaw previously thought to be unexploitable.

So say security researchers Juliano Rizzo and Thai Duong, who devised an attack described as "fast block-wise chosen-plaintext against SSL/TLS." As reported by InformationWeek, the duo plans to detail their findings at the ekoparty Security Conference in Argentina Sept. 23, and has also built a tool that's capable of stealing and decrypting authentication tokens and cookies transmitted within HTTPS requests.

Called BEAST, or "Browser Exploit Against SSL/TLS," the tool was designed to be used against a victim from a network in which the attacker has a man-in-the-middle position. The exploit works against SSL or TLS 1.0, though newer protocols such as TLS 1.1 and TLS 1.2 are immune. Unfortunately, popular web browsers such as Google Chrome and Mozilla Firefox still implement TLS 1.0.

And while Microsoft's Internet Explorer gets TLS support from the Windows operating system, which supports TLS 1.1 and newer, the newer version is not enabled by default.

For now, only the Opera browser is not vulnerable by default, though it is immune only when communicating with web servers with TLS 1.1 or TLS 1.2 enabled. Unfortunately, the sites that support the newer TLS implementations stand at a dismal 0.25 percent and 0.02 percent of servers respectively, says CNET.
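Because exposure depends on the protocol version a client and server actually negotiate, a defender reviewing captured handshakes can read that version straight from the ServerHello. The following is an added example, not code from the article or the researchers; the function names and the sample handshake bytes are constructed for illustration.

```python
import struct

# Versions as the article classifies them: True = exposed to BEAST.
VERSIONS = {
    (3, 0): ("SSL 3.0", True),
    (3, 1): ("TLS 1.0", True),
    (3, 2): ("TLS 1.1", False),
    (3, 3): ("TLS 1.2", False),
}

def negotiated_version(record: bytes):
    """Return (name, exposed) for the version chosen in a ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    # Record header: content type, record version (major, minor), length.
    ctype, _rmaj, _rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) < rlen or rlen < 6:
        raise ValueError("truncated handshake message")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    # Handshake header is 4 bytes (type + 24-bit length); the server's
    # chosen version follows and is the one the session will use.
    version = (body[4], body[5])
    if version not in VERSIONS:
        raise ValueError("unknown protocol version %d.%d" % version)
    return VERSIONS[version]

def build_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample: minimal ServerHello (zeroed random, empty session id)."""
    hello = (bytes([major, minor]) + bytes(32) + b"\x00"
             + b"\x00\x2f"   # cipher suite TLS_RSA_WITH_AES_128_CBC_SHA
             + b"\x00")      # null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return (b"\x16" + bytes([major, minor])
            + len(handshake).to_bytes(2, "big") + handshake)

if __name__ == "__main__":
    for ver in [(3, 1), (3, 2), (3, 3)]:
        name, exposed = negotiated_version(build_server_hello(*ver))
        print(name, "exposed" if exposed else "not exposed")
```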

To be clear, achieving a position where a man-in-the-middle attack can be mounted is hardly a trivial affair. There is little doubt in my mind, however, that such a vulnerability is a clear and present danger to transactions conducted over SSL.

Moreover, the researchers have also claimed that similar attacks could be implemented against services that use SSL, such as IM clients or VPNs, which makes it crucial that the transition to a more secure protocol begin as soon as possible.

For more:
- check out this article at InformationWeek
- check out this article at threatpost
- check out this article at Redmond
- check out this article at CNET News
