All your information are belong to them: Researchers claim they can crack secure web connections (read: HTTPS has been cracked)

A pair of security researchers claim to have written a JavaScript tool, named Browser Exploit Against SSL/TLS or BEAST, that allows them to access the information being passed behind SSL/TLS encryption. Yeah, you read that properly. These two geeks claim they have the ability to crack HTTPS.

Without going into too many technical details (because, well, I myself don’t understand all the technical wand waving behind this specific exploit and I need to save face by using the excuse of not wanting to go into too many technical details), BEAST “cracks HTTPS” using a two-step process. The first step involves sniffing network traffic to gather enough blocks of plaintext data; the second step involves injecting the data back into the secure stream to decrypt the secure connection. Or something like that.

BEAST uses JavaScript to do all its evil stuff, so it can be injected into your browser via malicious ads, hidden iframes, or any other component of a website that executes JavaScript code. Original estimates said it takes about a half-hour to break content encrypted with 1,000 character long keys, but some refinement of the code by the researchers has that time estimate down to ten minutes. Ten freaking minutes.

At the moment BEAST is only a proof-of-concept and is set to be revealed on Friday (tomorrow) at a security conference in Buenos Aires; so don’t get your panties in a knot just yet. However, if it can be done by someone, it can probably be done by other, not-so-nice people, too. So you can become (a little) worried.

The key things to note here are that BEAST works on SSL 3.0 and TLS 1.0. The theory behind this sort of attack has been around since 1999 (for the SSL vulnerability) and 2009 (for the TLS vulnerability); and the vulnerability has actually already been patched in TLS 1.1. However, most “secure” websites are still using TLS 1.0 primarily because SSL does not support the fix, yet.
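As an added illustration (my own code, not part of the original post or the researchers’ tool), here is the kind of check a defender can run over captured handshakes: parse a TLS ClientHello and flag clients whose highest offered version is SSL 3.0 or TLS 1.0, the two versions whose CBC mode chains the IV from the previous record (TLS 1.1 moved to an explicit per-record IV, which is the fix mentioned above). The ClientHello bytes are constructed inside the block rather than captured, and the function names are my own.

```python
import struct

# TLS record/handshake constants (RFC 2246 for TLS 1.0, RFC 4346 for TLS 1.1)
HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
# Versions whose CBC records reuse the previous record's last block as IV;
# TLS 1.1 (3, 2) and later carry an explicit IV in every record.
CHAINED_IV_VERSIONS = {(3, 0), (3, 1)}


def parse_client_hello(record: bytes):
    """Return (record_version, client_version, cipher_suites) from one raw record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) != rlen or len(body) < 4:
        raise ValueError("truncated record body")
    hlen = int.from_bytes(body[1:4], "big")
    if body[0] != CLIENT_HELLO or len(body) < 4 + hlen or hlen < 35:
        raise ValueError("not a complete ClientHello")
    hello = body[4:4 + hlen]
    client_version = (hello[0], hello[1])       # highest version the client offers
    pos = 2 + 32                                # skip client_random
    pos += 1 + hello[pos]                       # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return (vmaj, vmin), client_version, suites


def beast_exposed(client_version) -> bool:
    """True when the client can only negotiate a chained-IV version (SSL 3.0/TLS 1.0)."""
    return client_version in CHAINED_IV_VERSIONS


def build_client_hello(version=(3, 1), suites=(0x002F,)) -> bytes:
    """Constructed sample ClientHello record (test data, not captured traffic)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"   # version, zero random, no session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                              # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake
```

A real deployment would feed records pulled from a packet capture into `parse_client_hello` and alert on every `beast_exposed` client, since those clients cannot be moved off TLS 1.0 by the server alone.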

I feel this is the perfect time to say: What the ****? I suppose it is time to either use NoScript or move to Google Chrome. (Google released a developer edition of Chrome which supposedly makes Chrome immune to BEAST attacks.)

Sources: ArsTechnica, The Register


  • SomeDude

    This isn’t a new problem, and it needs mitm, and if an attacker has that, there are much easier attacks on SSL http://www.imperialviolet.org/2011/09/23/chromeandbeast.html

  • Rob (Down Under)

    I have learned to live with NoScript’s inconveniences.
    What would make it better would be –
    – Keyboard shortcuts for ‘Allowing’
    – And another option called ‘Allow All REALLY’

    The latter is needed for those sites where you allow all, and the page reloads, and you have to do it again, a few times.

  • Ashraf

    @Rob (Down Under): Meh. I don’t. Not yet anyway. Too lazy to have to deal with all the issues of webpages not showing up properly.

    @Jimmy: You are welcome! Your patience of using NoScript + Sandboxie surpasses mine. xD

    @Darcy: You are welcome! Let us know how NoScript goes.

    @Helen Wells: No. I mean yes. Wait no. Ah hell just Google “All your base are belong to us” — the title is an unrelated reference to that.

    @GullyFoyle: I have heard good things about Iron but never really tried it myself. I refuse to use a browser unless I know it is coming from a trusted company because, well, if your browser is malicious you might as well file for bankruptcy now.

  • GullyFoyle

    I try Chrome periodically but have gone back to Firefox (3.6.22) because Chrome is still too unstable and crashes a lot. I also want to avoid Google tracking, so for improved security I am investigating Iron, a privacy and security enhanced browser based on the Chromium source code. See
    General intro —
    https://www.srware.net/en/software_srware_iron.php
    Comparison with Chrome —
    https://www.srware.net/en/software_srware_iron_chrome_vs_iron.php and
    https://www.srware.net/en/software_srware_iron_faq.php
    Download —
    https://www.srware.net/en/software_srware_iron_download.php

  • jayesstee

    @Ashraf, Rob (Down Under):
    I use FF + NoScript, but I find that I am invariably “temporarily allowing” Some.ware.com and often “temporarily allowing” “this page”.
    The NoScript endorsed CNET video (http://www.youtube.com/watch?v=GzBqnLgOzwM) discourages this, but without it, it becomes almost impossible to interact with the internet.
    So what’s the answer? Pretend it ain’t happening or fight back? So how are we going to fight back?
    We can’t let these mutants take over OUR (everybody’s) internet!

  • Helen Wells

    “All your information are belong to them:” Do I detect bad English in the title of this article?

  • http://gravatar.com/khalagata Darcy

    Isn’t that just peachy, thanks for the heads up. I hate the way Google has started force installing Chrome on me whenever I try to update Adobe and I force un-install it every time. Looks like NoScript is the winner for me, though it’s always caused problems with some of my sites I’ll just have to deal with it.

  • Jimmy

    Thank you Ashraf for the heads up…..I have been using NoScript for the past two years and it helps me a lot. On sites I do not know well I still use Sandboxie.

  • Rob (Down Under)

    Surely everyone who uses FF, uses NoScript
    (I know you told me not to call you ‘Surely’)

  • Ashraf

    @Hamza: As I mentioned in the post, I don’t totally understand how this exploit operates. So I have a few questions myself. I am just reporting it as I hear it. Hopefully we will find out more tomorrow when the researchers present it at the security conference.

  • http://userscripts.org/users/356356 Hamza

    ‘so it can be injected to your browser via malicious ads, hidden iframes, or any other component of a website that executes JavaScript code.’
    Due to the Same-Origin policy of all browsers, JavaScript can’t connect to any server other than the server where the page was downloaded from, and only on the same port; for example, if you are visiting a page from https://example.com, the script that runs in this page can’t connect to http://example.net nor to https://example.net, and not even to http://example.com.

  • Jyo

    @Ashraf: Oh, I meant where did Google actually claim this? (it’s a pretty big statement)

  • Torymon

    Still, this is good to know! Thanks Ashraf!

  • Ashraf

    @Jyo: It’s the latest developer edition, i.e. from the dev channel. I am not a big Chrome user so I really don’t know how to subscribe to the dev updates.

    @Philippe: While I can’t comment on how secure or insecure Chrome is, typically the normal/stable version is best for most users because it is bug free.

    @Elliot: Addons have kept me to Firefox. But I am thinking about changing ’cause FF crashes a lot on me now.

    @nz: One of the best pieces of advice I have been given in my life is “criticism will only make you stronger”. Unfortunately, in this case the advice does not apply, because if you read the whole article you would read where I wrote …and the vulnerability has actually already been patched in TLS 1.1. :-)

  • nz

    This article is poorly written. If you had properly researched this, you would know that TLS 1.0 is flawed but TLS 1.1 and TLS 1.2 aren’t susceptible. The issue is that no browser currently supports those transport layers. This exploit will accelerate the development cycle.

    The build for the hardened chrome is here
    http://googlechromereleases.blogspot.com/2011/09/dev-channel-update_20.html

  • Elliot

    I always use Google Chrome. Fastest speed, good interface, synced browser stuff. It’s the only way to browse the internet.

  • Philippe

    Scary, besides the bad economy and bank fees I may lose more money through pirate attacks. Is it the new way banks are trying to make profit?

    How secure is Chrome? and which edition for the regular user is good?

    Thanks for the info.

  • Jyo

    “(Google released a developer edition of Chrome which supposedly makes Chrome immune to BEAST attacks.)”

    Where?