All your information are belong to them: Researchers claim they can crack secure web connections (read: HTTPS has been cracked)

A pair of security researchers claim to have written a JavaScript tool, named Browser Exploit Against SSL/TLS or BEAST, that allows them to access the information being passed behind SSL/TLS encryption. Yeah, you read that properly. These two geeks claim they have the ability to crack HTTPS.

Without going into too many technical details (because, well, I myself don’t understand all the technical wand waving behind this specific exploit and I need to save face by using the excuse of not wanting to go into too many technical details), BEAST “cracks HTTPS” using a two-step process. The first step involves sniffing network traffic to gather enough blocks of plaintext data; the second step involves injecting the data back into the secure stream to decrypt the secure connection. Or something like that.

BEAST uses JavaScript to do all its evil stuff, so it can be injected into your browser via malicious ads, hidden iframes, or any other component of a website that executes JavaScript code. Original estimates said it takes about half an hour to break content encrypted with 1,000-character-long keys, but some refinement of the code by the researchers has brought that time estimate down to ten minutes. Ten freaking minutes.

At the moment BEAST is only a proof-of-concept and is set to be revealed on Friday (tomorrow) at a security conference in Buenos Aires, so don’t get your panties in a knot just yet. However, if it can be done by someone, it can probably be done by other, not-so-nice people too. So you can become (a little) worried.

The key things to note here are that BEAST works on SSL 3.0 and TLS 1.0. The theory behind this sort of attack has been around since 1999 (for the SSL vulnerability) and 2009 (for the TLS vulnerability), and the vulnerability has actually already been patched in TLS 1.1. However, most “secure” websites are still using TLS 1.0, primarily because SSL does not support the fix yet.
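To make the “two-step process” above concrete, and to show why the TLS 1.1 fix works, here is an added example (my own, not code from this post or from the BEAST researchers). The weakness in SSL 3.0/TLS 1.0 CBC cipher suites is that the IV for each record is the last ciphertext block of the previous record, which anyone watching the wire has already seen. The toy below models a sender in that chained-IV mode beside a TLS 1.1-style sender that uses a fresh random IV per record, then runs the same observer check against both: watch one record that carries a secret block (step 1), have the victim encrypt one chosen block (step 2), and compare ciphertexts. The block cipher is a constructed SHA-256 Feistel stand-in rather than AES (so the example runs with the standard library only), the class and function names are my own, and the `Cookie: session=` prefix is constructed sample data.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes, as for the AES-CBC cipher suites


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for a block cipher: a 4-round Feistel network with a
    SHA-256 round function. It is a keyed permutation of 16-byte blocks, which is
    all this demonstration needs; it is NOT a real cipher."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC over whole blocks (padding and MAC are irrelevant to the point)."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class ChainedIVSender:
    """SSL 3.0 / TLS 1.0 style: the IV of each record is the last ciphertext
    block of the previous record, so anyone watching the wire knows the next IV."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_iv = os.urandom(BLOCK)  # stands in for the IV derived from the handshake

    def send(self, record: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.next_iv, record)
        self.next_iv = ct[-BLOCK:]
        return ct

    @staticmethod
    def cipher_blocks(wire: bytes) -> bytes:
        return wire


class ExplicitIVSender:
    """TLS 1.1 style: a fresh random IV is generated for every record and sent
    in the clear in front of it, so nobody can know the IV before it is used."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, record: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, record)

    @staticmethod
    def cipher_blocks(wire: bytes) -> bytes:
        return wire[BLOCK:]  # drop the transmitted IV, keep the cipher blocks


KNOWN_PREFIX = b"Cookie: session="  # constructed: 16 bytes the observer can assume


def observer_confirms_guess(sender_cls, secret: bytes, guess: bytes) -> bool:
    """The two steps from the post, against one 16-byte secret block.
    Step 1: watch one record that carries the secret. Step 2: get the victim's
    browser to encrypt one chosen block and compare its ciphertext with the
    secret's. Returns True when the observer learns that guess == secret."""
    assert len(secret) == BLOCK and len(guess) == BLOCK
    sender = sender_cls(os.urandom(BLOCK))  # session key, never seen by the observer

    # Step 1: the victim sends a record; the observer records its cipher blocks.
    observed = sender.cipher_blocks(sender.send(KNOWN_PREFIX + secret))
    prev_block, target = observed[:BLOCK], observed[BLOCK:2 * BLOCK]

    # The observer bets that the next IV is the last cipher block seen (true
    # only for chained IVs) and builds a block that cancels that IV out.
    assumed_iv = observed[-BLOCK:]
    probe = xor(xor(guess, prev_block), assumed_iv)

    # Step 2: the victim encrypts the probe; the observer compares ciphertexts.
    next_first = sender.cipher_blocks(sender.send(probe))[:BLOCK]
    return next_first == target


if __name__ == "__main__":
    secret = b"0123456789abcdef"
    print("chained IV, right guess :", observer_confirms_guess(ChainedIVSender, secret, secret))
    print("chained IV, wrong guess :", observer_confirms_guess(ChainedIVSender, secret, b"x" * 16))
    print("explicit IV, right guess:", observer_confirms_guess(ExplicitIVSender, secret, secret))
```

With chained IVs the comparison is an exact yes/no answer about the secret block, which is the oracle the real attack repeats byte by byte; with a per-record random IV the observer’s bet on the next IV is wrong with overwhelming probability and the same comparison tells them nothing. That is the whole reason the fix lives in TLS 1.1 and why the defensive move is to stop offering SSL 3.0 and TLS 1.0 on servers (today the usual floor is TLS 1.2).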

I feel this is the perfect time to say: What the ****? I suppose it is time to either use NoScript or move to Google Chrome. (Google released a developer edition of Chrome which supposedly makes Chrome immune to BEAST attacks.)

Sources: ArsTechnica, The Register


19 comments

  1. Rob (Down Under)

    I have learned to live with NoScript’s inconveniences.
    What would make it better would be -
    - Keyboard shortcuts for ‘Allowing’
    - And another option called ‘Allow All REALLY’

    The latter is needed for those sites where you allow all, and the page reloads, and you have to do it again, a few times.

  2. Ashraf
    Author/Mr. Boss

    @Rob (Down Under): Meh. I don’t. Not yet anyway. Too lazy to have to deal with all the issues of webpages not showing up properly.

    @Jimmy: You are welcome! Your patience in using NoScript + Sandboxie surpasses mine. xD

    @Darcy: You are welcome! Let us know how NoScript goes.

    @Helen Wells: No. I mean yes. Wait no. Ah hell just Google “All your base are belong to us” — the title is an unrelated reference to that.

    @GullyFoyle: I have heard good things about Iron but never really tried it myself. I refuse to use a browser unless I know it is coming from a trusted company because, well, if your browser is malicious you might as well file for bankruptcy now.

  3. GullyFoyle

    I try Chrome periodically but have gone back to Firefox (3.6.22) because Chrome is still too unstable and crashes a lot. I also want to avoid Google tracking, so for improved security I am investigating Iron, a privacy and security enhanced browser based on the Chromium source code. See
    General intro —
    https://www.srware.net/en/software_srware_iron.php
    Comparison with Chrome —
    https://www.srware.net/en/software_srware_iron_chrome_vs_iron.php and
    https://www.srware.net/en/software_srware_iron_faq.php
    Download —
    https://www.srware.net/en/software_srware_iron_download.php

  4. jayesstee

    @Ashraf, Rob (Down Under):
    I use FF + NoScript, but I find that I am invariably “temporarily allowing” Some.ware.com and often “temporarily allowing” “this page”.
    The NoScript-endorsed CNET video (http://www.youtube.com/watch?v=GzBqnLgOzwM) discourages this, but without it, it becomes almost impossible to interact with the internet.
    So what’s the answer? Pretend it ain’t happening or fight back? So how are we going to fight back?
    We can’t let these mutants take over OUR (everybody’s) internet!

  5. Darcy

    Isn’t that just peachy, thanks for the heads up. I hate the way Google has started force-installing Chrome on me whenever I try to update Adobe, and I force-uninstall it every time. Looks like NoScript is the winner for me; though it’s always caused problems with some of my sites, I’ll just have to deal with it.

  6. Ashraf
    Author/Mr. Boss

    @Hamza: As I mentioned in the post, I don’t totally understand how this exploit operates. So I have a few questions myself. I am just reporting it as I hear it. Hopefully we will find out more tomorrow when the researchers present it at the security conference.

  7. Hamza

    ‘so it can be injected to your browser via malicious ads, hidden iframes, or any other component of a website that executes JavaScript code.’
    Due to the Same-Origin policy of all browsers, JavaScript can’t connect to any server other than the server the page was downloaded from, and only on the same port. For example, if you are visiting a page from https://example.com, the script that runs in this page can’t connect to http://example.net nor to https://example.net, and not even to http://example.com.

  8. Ashraf
    Author/Mr. Boss

    @Jyo: It’s the latest developer edition, i.e. from the dev channel. I am not a big Chrome user so I really don’t know how to subscribe to the dev updates.

    @Philippe: While I can’t comment on how secure or insecure Chrome is, typically the normal/stable version is best for most users because it is bug free.

    @Elliot: Addons have kept me to Firefox. But I am thinking about changing ’cause FF crashes a lot on me now.

    @nz: One of the best pieces of advice I have been given in my life is “criticism will only make you stronger”. Unfortunately, in this case the advice does not apply, because if you read the whole article you would read where I wrote “…and the vulnerability has actually already been patched in TLS 1.1.” :-)

  9. Philippe

    Scary. Besides the bad economy and bank fees, I may lose more money through pirate attacks. Is it the new way banks are trying to make a profit?

    How secure is Chrome? And which edition is good for the regular user?

    Thanks for the info.