A pair of researchers plan to detail an attack called BEAST that they say undermines a very widely used technology for securing browser communications.
Juliano Rizzo and Thai Duong say the vulnerability compromises TLS (Transport Layer Security) 1.0, the encryption mechanism that secures Web sites accessed using HTTPS (Secure Hypertext Transfer Protocol). TLS is the successor to SSL (Secure Sockets Layer) and is widely used at financial sites. Companies, including Google, Facebook, and Twitter, are urging the wider use of TLS on the Web.
Rizzo and Duong plan to demonstrate BEAST at the Ekoparty conference later this week in Argentina. "We also describe one application of the attack that allows an adversary to efficiently decrypt and obtain authentication tokens and cookies from HTTPS requests. Our exploit abuses a vulnerability present in the SSL/TLS implementation of major Web browsers at the time of writing," they said.
With the method, an authentication cookie--a small text file on a browser's computer that among other things can tell a Web server that a user is authorized to log in--can in effect be stolen. The researchers will demonstrate BEAST's use to decrypt a cookie used to access PayPal's electronic payment site, The Register said. Rizzo said it takes about 10 minutes right now to perform the PayPal attack.
However, Adam Langley, a TLS advocate and expert at Google, isn't concerned.
"The researchers disclosed BEAST to browsers so I'm not going to comment in detail until public. It's neat, but not something to worry about," Langley tweeted yesterday.
Browser makers had these responses to the issue:
Mozilla: "We are aware of the issue and have asked the reporters for further clarification on the extent of the exposure. We are working to identity the severity of the threat and develop a fix for Firefox users."
Microsoft: "Microsoft is aware of the industry-wide SSL issue as demonstrated at EkoParty, and we believe that this standards-related issue presents low risk to our customers and to the Internet. Support for Transport Layer Security (TLS) exists in the operating system and is called [upon] by Internet Explorer. Windows 7 and Windows Server 2008 R2--and, thus, all versions of IE on those platforms--support TLSv1.1 and TLSv1.2, although TLS1.1 and TLS1.2 are not enabled by default."
Opera: "Based on our current understanding of the attack and its limitations, our evaluation is that the default configuration of Opera is not vulnerable, so there is no need to downgrade the displayed security levels for Opera users. This might not be true for other browsers. Opera supports up to TLS 1.2 (the most recent TLS version), but that depends on the server supporting TLS 1.1 or TLS 1.2 (current numbers are 0.25 percent and 0.02 percent, respectively).
In other words, although Opera will use a version of TLS by default that's not vulnerable, that's mostly academic given that the Web servers the browser connects to usually doesn't.
Google and Apple didn't respond to requests for comment.
Another researcher, Karsten Nohl of the University of Virginia, said the attack combines two areas of security work:
The TLS exploit is a neat fusion of two streams in vulnerability research: Cryptanalysis and client-side attacks. In this case, a known client-side problem--namely (that) Web sites are not shielded from one another--is used to break an assumption in cryptography--that a user's computer will not attack the user.
Users already need to trust all the Web sites they are visiting due to vulnerabilities in their browsers ("drive-by exploits") and in trusted Web sites ("tab-nabbing"). The new exploit strongly reminds us of this rule.
And, Nohl added, the problem should provide an incentive for software makers to catch up with a fix that was available years ago.
"No improvement without incident," Nohl said.
Updated at 4:28 a.m. PTwith comment from Karsten Nohl.
Updated at 12:40 a.m. PT September 21with comment from Opera, Microsoft, and Mozilla.