
September 20, 2011

Hackers break SSL encryption used by millions of sites


Researchers discovered that the encryption that's supposed to protect us while surfing the web is totally exploitable by hackers with the necessary know-how.

Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code which will prove that SSL protocols are not as secure as everyone thought them to be.

The researchers claim that their Browser Exploit Against SSL/TLS code, or BEAST, will prove to the world that any cryptographic protocol before TLS 1.1 is vulnerable and can be deciphered fairly easily.

They will attempt to decode an authentication cookie used to log in to a PayPal account, a result which will diminish the world's faith in one of the foundation blocks of internet security.

Even though later protocols, such as TLS 1.1 and 1.2, don't present the same weakness, these versions are yet to be implemented in websites and browser applications, which means that most popular websites are unprotected.
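A defender's check for the version boundary described above, as an added example that is not from the article or the researchers: it reads the protocol version a server chose from the first bytes of its handshake reply and flags anything older than TLS 1.1. The function names and the sample records are constructed for illustration.

```python
import struct

# Wire values of the two-byte protocol version field.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
FIRST_UNAFFECTED = (3, 2)  # TLS 1.1, the boundary the article gives
HANDSHAKE, ALERT, SERVER_HELLO = 22, 21, 2


def negotiated_version(record: bytes):
    """Return (major, minor) chosen by the server in a ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if content_type == ALERT:
        raise ValueError("server sent an alert; no version was negotiated")
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    # Handshake header: 1-byte type, 3-byte length, then server_version.
    if len(body) < 6 or body[0] != SERVER_HELLO:
        raise ValueError("record does not begin with a complete ServerHello")
    return body[4], body[5]


def classify(record: bytes):
    """Return (version name, True if older than TLS 1.1)."""
    version = negotiated_version(record)
    name = VERSIONS.get(version, "unknown %d.%d" % version)
    return name, version < FIRST_UNAFFECTED


def sample_server_hello(major: int, minor: int) -> bytes:
    """Constructed ServerHello record for offline testing (not a capture)."""
    hello = (bytes([major, minor]) + bytes(32)   # version, zeroed random
             + b"\x00" + b"\x00\x2f" + b"\x00")  # session id len, suite, compression
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    header = bytes([HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big")
    return header + handshake


if __name__ == "__main__":
    for v in [(3, 0), (3, 1), (3, 2), (3, 3)]:
        name, exposed = classify(sample_server_hello(*v))
        print(name, "-> older than TLS 1.1" if exposed else "-> TLS 1.1 or later")
```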

The algorithm was implemented as JavaScript code that intercepts encrypted cookies transferred by websites during the authentication process.

“BEAST is different than most published attacks against HTTPS,” stated Duong.

“While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

What up until now has been considered to be more of a theoretical weakness has now become something real that puts us all in peril. BEAST is supposed to decrypt the authentication cookie used to access a PayPal account in 10 minutes, which is far less than anyone would expect.

So why don't website and browser developers do something about it, especially since TLS 1.1 has been available since 2006?

To update all the security protocols efficiently, the process would have to be carried out by all the major players at once. Otherwise, whenever a fix is attempted, incompatibilities will prevent applications that rely on the old system from working.

Out of all the browsers currently available, only Opera implements TLS 1.2 by default, while in Internet Explorer the technology is there, but lies dormant, waiting to be manually activated.

Google Chrome and Mozilla Firefox seem to be the last in this race as they seem to be waiting for each other to start the implementation.