All your information are belong to them: Researchers claim they can crack secure web connections (read: HTTPS has been cracked)September 22, 2011 19 Email article | Print article
Without going into too many technical details (because, well, I myself don’t understand all the technical wand waving behind this specific exploit and I need to save face by using the excuse of not wanting to go into too many technical details), BEAST “cracks HTTPS” using a two step process. The first step involves sniffing network traffic to gather enough blocks of plaintext data; the second step involves injecting the data back into the secure stream to decrypt the secure connection. Or something like that.
At the moment BEAST is only a proof-of-concept and is set to be revealed on Friday (tomorrow) at a security conference in Buenos Aires; so don’t get your panties in a knot just yet. However, if it can be done by someone, it can probably be done by other, not-so-nice people, too. So you can become (a little) worried.
The key things to note here are BEAST works on SSL 3.0 and and TLS 1.0. The theory behind this sort of attack has been around since 1999 (for the SSL vulnerability) and 2009 (for the TLS vulnerability); and the vulnerability has actually already been patched in TLS 1.1. However, most “secure” websites are still using TLS 1.0 primarily because SSL does not support the fix, yet.
I feel this is the perfect time to say: What the ****? I suppose it is time to either use NoScript or move to Google Chrome. (Google released a developer edition of Chrome which supposedly makes Chrome immune to BEAST attacks.)