- dotTech - http://dottech.org -

All your information are belong to them: Researchers claim they can crack secure web connections (read: HTTPS has been cracked)

A pair of security researchers claim to have written a JavaScript tool, named Browser Exploit Against SSL/TLS or BEAST, that allows them to access the information being passed behind SSL/TLS encryption. Yeah, you read that properly. These two geeks claim they have the ability to crack HTTPS.

Without going into too many technical details (because, well, I myself don’t understand all the technical wand waving behind this specific exploit and I need to save face by using the excuse of not wanting to go into too many technical details), BEAST “cracks HTTPS” using a two step process. The first step involves sniffing network traffic to gather enough blocks of plaintext data; the second step involves injecting the data back into the secure stream to decrypt the secure connection. Or something like that.

BEAST uses JavaScript to do all its evil stuffs, so it can be injected to your browser via malicious ads, hidden iframes, or any other component of a website that executes JavaScript code. Original estimates said it takes about a half-hour to break content encrypted with 1,000 character long keys, but some refinement of the code by the researchers have that time estimate down to ten minutes. Ten freaking minutes.

At the moment BEAST is only a proof-of-concept and is set to be revealed on Friday (tomorrow) at a security conference in Buenos Aires; so don’t get your panties in a knot just yet. However, if it can be done by someone, it can probably be done by other, not-so-nice people, too. So you can become (a little) worried.

The key things to note here are BEAST works on SSL 3.0 and and TLS 1.0. The theory behind this sort of attack has been around since 1999 (for the SSL vulnerability) and 2009 (for the TLS vulnerability); and the vulnerability has actually already been patched in TLS 1.1. However, most “secure” websites are still using TLS 1.0 primarily because SSL does not support the fix, yet.

I feel this is the perfect time to say: What the ****? I suppose it is time to either use NoScript or move to Google Chrome. (Google released a developer edition of Chrome which supposedly makes Chrome immune to BEAST attacks.)

Sources: ArsTechnica [1], The Register [2]