SSL: Threatened by a BEAST of Prey

SSL isn't hopelessly broken, but the widespread use of TLS 1.0 means that SSL cannot be regarded as fully "secure"

SSL isn’t hopelessly broken, but the widespread use of TLS 1.0 means that SSL cannot be regarded as fully “secure”

When Róbert Lipovský and I commented on the DigiNotar/SSL situation, we said that " the user should be cautious (as always), but there's no cause for panic." While I still think that's fair comment, there's no doubt that things aren't looking any better.

Right now, much media attention is starting to be focused on DigiNotar's filing for bankruptcy, and to a lesser extent the Microsoft re-release of the KB2616676 update Microsoft Knowledge Base Article 2616676. This cumulative re-release addresses a known issue: supported editions of Windows XP and Windows Server 2003 didn't contain the digital certificates included in the KB2607712 and KB2524375 updates. (Supported Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 editions aren't affected.)

That's important stuff (though for most of us the Microsoft update will be of the more immediate importance), but I'm surprised the SSL issue flagged by Dan Goodin in The Register hasn't received more attention. As we commented previously, the issues up to now have been primarily about trust issues with certificate authorities, like DigiNotar and GlobalSign, rather than about the underlying protocols. The BEAST (Browser Exploit Against SSL/TLS) code planned for demonstration at the Ekoparty conference is something different: it appears to be a direct attack on the confidentiality of the TLS protocol by decrypting HTTPS requests. And if it's as effective as suggested, it means that  the many, many SSL connections that rely on version 1.0 of TLS are potentially vulnerable to a plaintext recovery attack. That doesn't mean that SSL is hopelessly broken, but the widespread use of TLS 1.0 means that SSL cannot be regarded as fully "secure", while Duong and Rizzo , the  researchers behind BEAST, suggest that there is no easy global fix, since so many sites and browsers support only SSL 3.0 and TLS 1.0.

Duong claims that "If somebody switches his websites completely over to 1.1 or 1.2, he loses a significant part of his customers and vice versa." And that threatens the bottom line of many big web-focused companies and organizations if or when it translates to a real-world exploit.

ESET Senior Research Fellow

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center