SSL under threat as flaw exploited

Fears over the security credentials of SSL rise after researchers claim to have found a way to exploit a long-known vulnerability.


Researchers have found a way to exploit a long-known flaw in TLS (Transport Layer Security) that could undermine the security credentials of the SSL cryptographic protocol and affect millions of sites.

The attack methodology, due to be presented by Juliano Rizzo and Thai Duong at the Ekoparty conference this week, targets TLS version 1.0 and SSL 3.0.

Advertisement - Article continues below

As millions use those protocols to protect certain web transactions, millions of sites could be affected. Major companies, including PayPal and Google, use TLS version 1.0.

Fixing the vulnerability that BEAST exploits may require a major change to the protocol itself.

Rizzo and Duong have created a tool called BEAST (Browser Exploit Against SSL/TLS) to attack the AES encryption algorithm used in TLS and SSL.

BEAST is able to grab and decrypt HTTPS cookies once installed on an end user's browser. This can be achieved either through an iframe injection or by loading the BEAST JavaScript into the target's browser, according to Kaspersky Lab's Threatpost.

This means the attackers can hijack users' sessions and get all the information they want.

"While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests," Duong said.

Advertisement - Article continues below
Advertisement - Article continues below

"While fixing the authenticity vulnerabilities may require a new trust model, fixing the vulnerability that BEAST exploits may require a major change to the protocol itself. Actually we have worked with browser and SSL vendors since early May, and every single proposed fix is incompatible with some existing SSL applications."

Google has reportedly prepared an update for its Chrome browser already to help counter the BEAST.

Carrying out the attack is not so simple, however. The hacker has to become the man-in-the-middle' to start with.

"It doesn't mean that anyone can intercept your network traffic and obtain the real data behind it," said Panda Security's Luis Corrons.

"To be able to do that, first they need to gain access to your browser to inject some JavaScript that will do the work. And of course, if you already have gained access to the computer you can do that or install any kind of Trojan horse."

Advertisement - Article continues below

Corrons suggested attackers could also set up a Wi-Fi hotspot to snare users.

"You can create the typical Wi-Fi hotspot, so when anyone connects to it they'll get redirected to the usual welcome page that says thanks for using this service, keep this page open so you can use it for free, click here to start browsing and that's it," he told IT Pro.

Other security professionals have shown their concern about BEAST and its implications for millions of websites.

Philip Hoyer, director of strategy solutions at ActivIdentity, called into question the use of SSL.

"To spell it out: transaction confidentiality based on the SSL TLS V1.0 protocol (the most used still today) is dead," Hoyer said.

"The only true defense from fraudulent transactions is to sign the transaction or part of the transaction data so that the attacker cannot inject bogus material. This means effectively using a token with a pin pad (software on phone or dedicated hardware token) to enter transaction details or signing the transaction using a public key infrastructure certification."

Advertisement - Article continues below

The development comes after fears over hacker exploitation of SSL following hacks on certficate authorities (CAs).

Over 500 fake certificates were issued following a hack on CA DigiNotar, meaning anyone with those fake certificates could dupe end users into believing their internet transactions were being protected by SSL.

DigiNotar was declared bankrupt earlier this week.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now



K2View innovates in data management with new encryption patent

28 May 2020
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Most Popular

Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Server & storage

Dell EMC PowerEdge R7525 review: An EPYC core density to make Intel weep

26 May 2020
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020