Researchers have found a way to exploit a long-known flaw in TLS (Transport Layer Security) that could undermine the security credentials of the SSL cryptographic protocol and affect millions of sites.
The attack methodology, due to be presented by Juliano Rizzo and Thai Duong at the Ekoparty conference this week, targets TLS version 1.0 and SSL 3.0.
As millions use those protocols to protect certain web transactions, millions of sites could be affected. Major companies, including PayPal and Google, use TLS version 1.0.
Fixing the vulnerability that BEAST exploits may require a major change to the protocol itself.
Rizzo and Duong have created a tool called BEAST (Browser Exploit Against SSL/TLS) to attack the AES encryption algorithm used in TLS and SSL.
BEAST is able to grab and decrypt HTTPS cookies once installed on an end user's browser. This can be achieved either through an iframe injection or by loading the BEAST JavaScript into the target's browser, according to Kaspersky Lab's Threatpost.
This means the attackers can hijack users' sessions and get all the information they want.
"While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests," Duong said.
"While fixing the authenticity vulnerabilities may require a new trust model, fixing the vulnerability that BEAST exploits may require a major change to the protocol itself. Actually we have worked with browser and SSL vendors since early May, and every single proposed fix is incompatible with some existing SSL applications."
Google has reportedly prepared an update for its Chrome browser already to help counter the BEAST.
Carrying out the attack is not so simple, however. The hacker has to become the man-in-the-middle' to start with.
"It doesn't mean that anyone can intercept your network traffic and obtain the real data behind it," said Panda Security's Luis Corrons.
"To be able to do that, first they need to gain access to your browser to inject some JavaScript that will do the work. And of course, if you already have gained access to the computer you can do that or install any kind of Trojan horse."
Corrons suggested attackers could also set up a Wi-Fi hotspot to snare users.
"You can create the typical Wi-Fi hotspot, so when anyone connects to it they'll get redirected to the usual welcome page that says thanks for using this service, keep this page open so you can use it for free, click here to start browsing and that's it," he told IT Pro.
Other security professionals have shown their concern about BEAST and its implications for millions of websites.
Philip Hoyer, director of strategy solutions at ActivIdentity, called into question the use of SSL.
"To spell it out: transaction confidentiality based on the SSL TLS V1.0 protocol (the most used still today) is dead," Hoyer said.
"The only true defense from fraudulent transactions is to sign the transaction or part of the transaction data so that the attacker cannot inject bogus material. This means effectively using a token with a pin pad (software on phone or dedicated hardware token) to enter transaction details or signing the transaction using a public key infrastructure certification."
The development comes after fears over hacker exploitation of SSL following hacks on certficate authorities (CAs).
Over 500 fake certificates were issued following a hack on CA DigiNotar, meaning anyone with those fake certificates could dupe end users into believing their internet transactions were being protected by SSL.
DigiNotar was declared bankrupt earlier this week.
-
Meta just revived plans to train AI models using European user dataNews Meta has confirmed plans to train AI models using European users’ public content and conversations with its Meta AI chatbot.
-
AI is helping bad bots take over the internetNews Automated bot traffic has surpassed human activity for the first time in a decade, according to Imperva
-
Leaked Nvidia certificates used to sign malware bypassing Windows detectionNews Windows admins are advised to implement custom policies to avoid seemingly legitimate malware making its way into corporate environments
-
GoDaddy data breach exposes over 1.2 million customer detailsNews Attacker had access to admin passwords for over two months
-
Why is SSL under attack?In-depth Don't get sidetracked by a storm in the SSL teacup, warns Davey Winder...
-
Facebook warns of new Superfish threatNews The fake security certificate used by the Lenovo-installed adware can be re-used by hackers, says social network
-
OS X Mavericks update to fix major security flaw in MacsNews Apple follows iOS 7 update with Mac OS X Mavericks patch to address encryption issues.
-
Who to trust after the VeriSign hack?In-depth Davey Winder questions what data was stolen from VeriSign and wonders why the company hasn't been more forthcoming.
-
MI6 targeted in DigiNotar hackNews MI6, the CIA and Facebook were all targeted following a hack on certificate authority DigiNotar.
-
Major SSL encryption flaw hits the web
News Tech companies using SSL have some serious work to do to fix a big hole that could leave internet users at risk.
