Facebook Requires SSL: Can the BEAST Overcome?
Facebook announced in May that it would eventually require SSL on Facebook apps. That day comes this Saturday. But will the BEAST render the move void?
Thai Duong and Juliano Rizzo will be demonstrating their Browser Exploit Against SSL/TLS (BEAST) attack at the Ekoparty security conference this week. The attack is able to decrypt SSL, the backbone of web security.
However, the attack may not be as big a threat as it seems. The vulnerability it exploits has been known for years and only affects TLS 1.0. This vulnerability was fixed in SSL back in 2002. The problem is that TLS 1.0 is the current standard.
Though TLS 1.1 and 1.2 are available and fix this vulnerability, no one is making the switch yet. Network Security Services (NSS), the set of security libraries used by browsers like Firefox and Chrome, has yet to make the move, which leaves those browsers vulnerable.
For those who run web servers, it is worth mentioning that Sophos suggests using the rc4-sha cipher, since it is not vulnerable to this attack.
NSS plans to implement TLS 1.2 in version 3.13, which has no determined release date.
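For server operators acting on the Sophos suggestion, the following added example (not from the original article) classifies a negotiated session from the `SSL-Session` summary that `openssl s_client` prints. The sample outputs are constructed, the function names are hypothetical, and the check follows the article's scope: TLS 1.0 is affected, RC4 suites are not.

```python
import re

# Constructed samples in the layout `openssl s_client` prints for a session.
SAMPLE_CBC = "SSL-Session:\n    Protocol  : TLSv1\n    Cipher    : AES128-SHA\n"
SAMPLE_RC4 = "SSL-Session:\n    Protocol  : TLSv1\n    Cipher    : RC4-SHA\n"
SAMPLE_TLS12 = "SSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : AES128-SHA\n"
SAMPLE_FAILED = "SSL-Session:\n    Protocol  : TLSv1\n    Cipher    : 0000\n"

FIELD = re.compile(r"^[ \t]*(Protocol|Cipher)[ \t]*:[ \t]*(\S+)[ \t]*$",
                   re.MULTILINE)


def parse_session(text):
    """Return (protocol, cipher) from s_client output, or raise ValueError."""
    fields = {key.lower(): value for key, value in FIELD.findall(text)}
    if "protocol" not in fields or "cipher" not in fields:
        raise ValueError("no Protocol/Cipher lines found")
    # s_client reports cipher 0000 when no suite was negotiated.
    if fields["cipher"] in ("0000", "(NONE)"):
        raise ValueError("handshake did not complete")
    return fields["protocol"], fields["cipher"]


def beast_exposed(text):
    """Return (exposed, reason) for one negotiated session."""
    protocol, cipher = parse_session(text)
    # The article limits the issue to TLS 1.0; TLS 1.1 and 1.2 fix it.
    if protocol != "TLSv1":
        return False, protocol + " is outside the TLS 1.0 case described"
    # RC4 is a stream cipher, so the block-cipher weakness does not apply.
    if "RC4" in cipher.upper():
        return False, "TLS 1.0 with RC4 suite " + cipher
    return True, "TLS 1.0 with non-RC4 suite " + cipher


if __name__ == "__main__":
    samples = [("cbc", SAMPLE_CBC), ("rc4", SAMPLE_RC4), ("tls1.2", SAMPLE_TLS12)]
    for name, sample in samples:
        print(name, beast_exposed(sample))
```
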