Facebook Requires SSL: Can the BEAST Overcome?
Facebook announced in May that it would eventually require SSL for Facebook apps; this Saturday the requirement takes effect. Yet will the BEAST attack render the move moot?
Thai Duong and Juliano Rizzo will be demonstrating their Browser Exploit Against SSL/TLS (BEAST) attack at the Ekoparty security conference this week. The attack recovers plaintext, such as a session cookie, from an encrypted SSL/TLS connection, and SSL/TLS is the backbone of web security.
However, the attack may not be as big a threat as it seems. The weakness it exploits has been known for years: in SSL 3.0 and TLS 1.0, CBC-mode cipher suites use the last ciphertext block of one record as the initialization vector for the next, so an attacker watching the connection knows the IV before the next plaintext is encrypted. OpenSSL shipped a partial countermeasure for this in 2002 (an empty record sent ahead of each real one, which many deployments disabled for compatibility), and the protocol itself was fixed in TLS 1.1 in 2006. The problem is that TLS 1.0 is still the version nearly every browser and server actually negotiates.
Though TLS 1.1 and 1.2 are available and fix this weakness, almost nobody has made the switch yet. Network Security Services (NSS), the crypto library used by browsers such as Firefox and Chrome, does not yet support either version, which leaves those browsers stuck on TLS 1.0 and therefore vulnerable.
The Register explains the attack saying that a “piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts.” Essentially, attacker-controlled JavaScript makes the victim's browser send plaintext the attacker chooses over the same encrypted connection that carries the cookie. Because the attacker already knows the IV that will be used for the next record, it can craft a record whose first block encrypts to the same ciphertext as the block holding the cookie if, and only if, its guess for one unknown byte is correct. It arranges the request so that only one cookie byte is unknown at a time, tries up to 256 guesses per byte, and recovers the cookie byte by byte by watching the ciphertext on the wire. It never recovers the encryption key. The Tor Project has an article that explains how the BEAST works in more detail, and also references another article that is much more technical.
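To make the mechanism concrete, the following simulation is an example added for this page; it is not code from Duong and Rizzo or from any TLS library. It models the TLS 1.0 record layer's chained IVs and runs the byte-at-a-time recovery described above, then runs the same probes against a TLS 1.1-style record layer with a fresh random IV per record to show why they stop working. Everything in it is assumed or constructed: a toy Feistel block cipher stands in for AES or 3DES (the attack does not depend on which block cipher is underneath), zero bytes stand in for TLS padding and the MAC is omitted, the request is modelled as an attacker-chosen path followed directly by the cookie, and the cookie value and key are made up.

```python
"""Simulated BEAST-style byte-at-a-time recovery against TLS 1.0's chained CBC IVs.
Constructed model, not TLS on the wire (no MAC, no real padding, a toy block cipher).
TLS 1.0 reuses the last ciphertext block of record n as the IV of record n+1, so a sniffer
knows the next IV before the next plaintext is chosen; TLS 1.1 sends a fresh random IV per
record. The attacker shapes what the victim sends (the URL) and can also push chosen
plaintext through the same connection, as BEAST's JavaScript did."""
import hashlib
import hmac
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data):  # zero-pad to a block boundary; TLS padding and MAC are omitted
    return data + b"\x00" * (-len(data) % BLOCK)


def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    """Toy 16-byte block cipher (4-round Feistel over HMAC-SHA256) standing in for AES/3DES."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


class Tls10Cbc:
    """CBC record layer as in SSL 3.0/TLS 1.0: the next record's IV is the last ciphertext block."""
    EXPLICIT_IV = False

    def __init__(self, key):
        self.key, self.iv = key, os.urandom(BLOCK)  # first IV comes from the handshake secrets

    def encrypt_record(self, plaintext):
        out, prev = b"", self.iv
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            out += prev
        self.iv = prev  # the chaining that BEAST exploits
        return out


class Tls11Cbc(Tls10Cbc):
    """TLS 1.1+ fix: a fresh random IV per record, transmitted in clear ahead of the data."""
    EXPLICIT_IV = True

    def encrypt_record(self, plaintext):
        self.iv = os.urandom(BLOCK)
        return self.iv + super().encrypt_record(plaintext)


class Browser:
    """Victim: sends a path the attacker chose followed by a cookie it keeps secret.
    Whatever it sends is returned to the caller, because the attacker sniffs the wire."""
    def __init__(self, chan, cookie):
        self.chan, self.cookie = chan, cookie

    def request(self, path):
        return self.chan.encrypt_record(pad(path + self.cookie))

    def send_raw(self, plaintext):  # attacker-chosen plaintext on the same connection
        return self.chan.encrypt_record(pad(plaintext))


def beast_recover(browser, explicit_iv, secret_len):
    """Recover the cookie byte by byte; returns (bytes recovered, whether every byte matched)."""
    last = browser.send_raw(b"warm-up")[-BLOCK:]  # from now on the sniffer has seen the next IV
    recovered = b""
    for k in range(secret_len):
        path = b"/" * ((BLOCK - 1 - k) % BLOCK)  # puts secret[k] last in block t, behind 15 known bytes
        t = (len(path) + k) // BLOCK
        rec = browser.request(path)
        iv_for_record, last = last, rec[-BLOCK:]
        blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
        if explicit_iv:
            iv_for_record, blocks = blocks[0], blocks[1:]
        target = blocks[t]
        c_before = blocks[t - 1] if t else iv_for_record
        known = (path + recovered)[t * BLOCK:t * BLOCK + BLOCK - 1]
        for g in range(256):
            # Cancel the predicted IV (last block on the wire) and re-apply the block that was
            # chained into the target: the probe encrypts to `target` exactly when the guess is right.
            out = browser.send_raw(xor(xor(known + bytes([g]), c_before), last))
            last = out[-BLOCK:]
            first = out[BLOCK:2 * BLOCK] if explicit_iv else out[:BLOCK]
            if first == target:
                recovered += bytes([g])
                break
        else:
            return recovered, False  # no guess matched: the IV was not predictable after all
    return recovered, True


def simulate(channel_cls, cookie=b"sid=d41d8cd98f00b204e980"):
    """Attack a fresh connection; the default cookie is a constructed sample secret."""
    browser = Browser(channel_cls(os.urandom(32)), cookie)
    return beast_recover(browser, channel_cls.EXPLICIT_IV, len(cookie))


if __name__ == "__main__":
    print("TLS 1.0:", simulate(Tls10Cbc))
    print("TLS 1.1:", simulate(Tls11Cbc))
```

Against `Tls10Cbc` the whole cookie comes back after at most 256 probes per byte, because the probe's first block is XORed with an IV the attacker already saw and cancelled out. Against `Tls11Cbc` the IV is drawn after the probe plaintext is fixed, so no guess produces the target block and the loop gives up on the first byte. What the simulation glosses over is the part that made the real attack hard: getting the victim's browser to emit attacker-chosen bytes on the same connection as the cookie, which is what the JavaScript and its helper component had to achieve.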
For those who run web servers, it is worth mentioning that Sophos suggests preferring the RC4-SHA cipher suite: RC4 is a stream cipher, so there is no CBC chaining for this attack to exploit. One caveat for anyone reading this later: RC4 was subsequently shown to have exploitable statistical biases of its own and is now prohibited in TLS by RFC 7465, so the durable fix is TLS 1.1 or later rather than a change of cipher.
NSS plans to implement TLS 1.2 in version 3.13, which has no scheduled release date yet.