Security and The BEAST

The news of supposedly trusted certificate authorities DigiNotar (now bankrupt) and Comodo being penetrated by hackers was a severe blow to the long-established SSL/TLS chain-of-trust security model.

Now there’s another serious web security vulnerability to be concerned about.

Security researchers Juliano Rizzo and Thai Duong have exploited a weakness in CBC (Cipher Block Chaining) based cipher suites to create a proof-of-concept attack on SSL.

Their exploit is called BEAST (Browser Exploit Against SSL/TLS) and it demonstrates how to steal a web browser session cookie that is supposed to be protected by SSL. The implication is that your supposedly secure (i.e. HTTPS) web browser sessions can be hijacked by a third party.

How can we protect against this? Since BEAST exploits CBC, web server administrators need to use a different cipher.

Google have switched to using the RC4 cipher on their web sites and Microsoft has issued an advisory recommending that you “prioritize the RC4 algorithm in server software in order to facilitate secure communication using RC4 instead of CBC”.
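
To check whether a server's cipher preference actually follows that advice, here is an added example (not from the original post or from either vendor) that audits an ordered cipher list. It assumes the input is the expanded, colon-separated list printed by `openssl ciphers`, most preferred first; the function names and both sample lists are constructed for illustration.

```python
from typing import NamedTuple

# Substrings that mark an OpenSSL suite name as NOT using a CBC block mode.
# OpenSSL gives CBC suites no mode tag at all (e.g. AES256-SHA is AES-CBC).
NON_CBC_MARKERS = ("RC4", "GCM", "CCM", "CHACHA20", "NULL")

class Audit(NamedTuple):
    verdict: str      # rc4-first | cbc-preferred | no-rc4 | no-cbc | order-not-enforced
    cbc_suites: list  # CBC suites that can still win the negotiation

def is_cbc(suite):
    return not any(marker in suite.upper() for marker in NON_CBC_MARKERS)

def audit(cipher_list, server_order_enforced):
    """Audit an expanded cipher list (most preferred first).

    server_order_enforced: True when the server picks by its own order
    (for example Apache's SSLHonorCipherOrder On); otherwise the client's
    order wins and prioritizing RC4 on the server has no effect.
    """
    suites = [s for s in cipher_list.strip().split(":") if s]
    cbc = [s for s in suites if is_cbc(s)]
    if not cbc:
        return Audit("no-cbc", [])
    rc4_at = [i for i, s in enumerate(suites) if "RC4" in s.upper()]
    if not rc4_at:
        return Audit("no-rc4", cbc)
    ahead = [s for s in suites[:rc4_at[0]] if is_cbc(s)]
    if ahead:
        return Audit("cbc-preferred", ahead)
    if not server_order_enforced:
        return Audit("order-not-enforced", cbc)
    return Audit("rc4-first", [])

# Constructed sample lists: a CBC-first order and the same suites with RC4 first.
CBC_FIRST = "DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5"
RC4_FIRST = "RC4-SHA:RC4-MD5:DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA"

if __name__ == "__main__":
    for label, ciphers, enforced in (("cbc first", CBC_FIRST, True),
                                     ("rc4 first", RC4_FIRST, True),
                                     ("rc4 first, client order", RC4_FIRST, False)):
        print(label, "->", audit(ciphers, enforced))
```

The `order-not-enforced` verdict covers the case where RC4 is listed first but the server defers to the client's ordering, so a CBC suite can still be negotiated.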