Microsoft and Google have moved to secure users against the SSL Beast attack.
The attack sent shock waves last week after researchers Thai Duong and Juliano Rizzo demonstrated they could tamper with cipher block chaining (CBC) used in SSL encryption.
It went further than a similar attack demonstrated in 2001 by Bodo Moeller, who found that guesses can be made against CBC to determine the contents of plaintext blocks.
The researchers showed the Beast (Browser Exploit Against SSL/TLS) attack could deconstruct a PayPal cookie passing over SSL between the web server and user, and could compromise restricted user accounts.
But security researchers said it was unlikely to be widely exploited. It required a target's network to be already compromised, and had relied on a Java plugin applet to circumvent the same-origin policy (SOP), a feature that prevents modification to web site data from external domains.
The Java applet would be blocked by default in Google's Chrome browser.
Yet the researchers said the Java applet was only one method of bypassing SOP. Security expert Moxie Marlinspike went further, and said the Beast attack was more akin to a SOP-bug.
The attack only affects SSL 3.0 and version 1 and earlier of the succeeding protocol, Transport Layer Security (TLS).
But later versions of TLS could be affected because SSL 3.0 was still required to be supported by browsers, more than a decade after the introduction of TLS.
That meant the attack could be launched against TLS version 1.1 by triggering an SSL 3.0 downgrade.
All cipher suites that use symmetric encryption algorithms in CBC mode, including the popular AES, were vulnerable to the attacks. It does not affect the RC4 stream cipher.
Microsoft had called for users to activate TLS 1.1 in browsers and for RC4 deployments to be prioritised.
"You can prioritise the RC4 algorithm in server software in order to facilitate secure communication using RC4 instead of CBC," Microsoft said in an advisory.
"The client or server with which you are communicating must support the RC4 algorithm. If support for RC4 is not available, a different cipher suite will be used if one is available, and this workaround will be ineffective."
Mozilla published correspondence dating back to June between Duong and its researchers, who discussed various methods to mitigate the attack.
Google was preparing a fix similar to a previous update introduced and then abandoned in 2002 to safeguard SSL against the attacks.
It would inject random plaintext fragments into the CBC to confuse the Beast attack and was compatible with TLS 1.0.
The previous fix caused compatibility problems.
Researcher Adam Langley said the company's servers were largely unaffected because they preferred the RC4 cipher.
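The RC4 prioritisation workaround in the Microsoft advisory, and the fallback case it warns about, can be modelled as server-preference cipher selection. The sketch below is an added example, not code from Microsoft, Google or the researchers; the suite names are standard IANA identifiers, while the server orderings and client profiles are constructed samples.

```python
# Added illustration: which clients still land on a CBC suite when a server
# prioritises RC4. Server orderings and client profiles are constructed samples.

RC4 = "TLS_RSA_WITH_RC4_128_SHA"
AES_CBC = "TLS_RSA_WITH_AES_128_CBC_SHA"
DES3_CBC = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"

# Protocol versions the article describes as affected (the version actually
# negotiated, i.e. after any downgrade).
AFFECTED_PROTOCOLS = {"SSLv3", "TLSv1.0"}

def negotiate(server_pref, client_offer):
    """Return the first suite in the server's preference order that the client offers."""
    offered = set(client_offer)
    for suite in server_pref:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake would fail

def beast_exposed(protocol, suite):
    """A CBC suite on an affected protocol version is exposed; RC4 or TLS 1.1 is not."""
    return protocol in AFFECTED_PROTOCOLS and suite is not None and "_CBC_" in suite

def audit(server_pref, clients):
    """Map each client name to (selected suite, exposed?)."""
    report = {}
    for name, (protocol, offer) in clients.items():
        suite = negotiate(server_pref, offer)
        report[name] = (suite, beast_exposed(protocol, suite))
    return report

SERVER_RC4_FIRST = [RC4, AES_CBC, DES3_CBC]   # the advisory's workaround
SERVER_CBC_FIRST = [AES_CBC, DES3_CBC, RC4]   # ordering without the workaround

CLIENTS = {  # constructed client profiles: (negotiated protocol, offered suites)
    "rc4_capable_tls10": ("TLSv1.0", [AES_CBC, RC4]),
    "no_rc4_tls10": ("TLSv1.0", [AES_CBC, DES3_CBC]),
    "tls11_client": ("TLSv1.1", [AES_CBC]),
}

if __name__ == "__main__":
    for label, pref in (("RC4 first", SERVER_RC4_FIRST), ("CBC first", SERVER_CBC_FIRST)):
        for name, (suite, exposed) in audit(pref, CLIENTS).items():
            print(f"{label:10} {name:18} {suite} exposed={exposed}")
```

The `no_rc4_tls10` profile is the case the advisory calls out: the server's ordering cannot help a client that does not offer RC4.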
Copyright © SC Magazine, Australia