SecureState Blog


Should you fear the BEAST?

The Browser Exploit Against SSL/TLS tool, or BEAST, is a tool written by Thai Duong and Juliano Rizzo that exploits a flaw, known for roughly a decade, in how SSL 3.0/TLS 1.0 use cipher block chaining (CBC): the initialization vector (IV) for each record is the last ciphertext block of the previous record, so anyone watching the wire knows the IV before the next record is encrypted. Until now, exploiting this weakness was considered theoretical. Using BEAST, an attacker can recover secrets carried inside the encrypted stream, such as session ID cookies, from an HTTPS connection. There are other ways to capture a session cookie, for example SSLstrip, which downgrades the victim to plain HTTP so the cookie is never encrypted in the first place, but BEAST is the first practical attack to decrypt parts of HTTPS requests using a weakness in SSL/TLS itself.


How does BEAST work?

Simply put, BEAST is a chosen-plaintext attack carried out by a Man-In-The-Middle (MITM): the attacker watches the victim's TLS traffic and at the same time gets the victim's browser to send attacker-chosen plaintext over the same encrypted connection, typically by injecting JavaScript into an unencrypted page during the MITM. Because TLS 1.0 chains records, the attacker knows the IV that will be applied to the next record before it is sent, and can craft a plaintext block that tests a guess for one unknown byte: if the resulting ciphertext block matches a block observed earlier, the guess was right. By padding the request so that only one unknown byte of the cookie falls into the block under attack, the attacker recovers the cookie one byte at a time, with at most 256 guesses per byte. The length of the cookie therefore determines how long BEAST needs. Once the cookie is decrypted, the attacker can take over the victim's session.
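The attack described above, as an added example that is not part of the original post and not the BEAST tool's own code: a Python simulation of the TLS 1.0 record layer's chained-IV CBC behaviour and the byte-at-a-time chosen-plaintext recovery it enables. Everything here is constructed for illustration. The block cipher is a toy Feistel cipher built from HMAC-SHA256 standing in for AES (the attack does not depend on which cipher is inside CBC), the "browser" sends attacker-padded requests followed by a made-up session cookie, the MAC and TLS padding rules are omitted, and delivery of chosen plaintext through injected JavaScript is modelled as a direct call. Running the same model with explicit_iv=True shows why the per-record IV of TLS 1.1 defeats the attack, the point made under "Who's Vulnerable?" below.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, as with the AES-CBC suites in TLS


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Round function of the toy cipher: HMAC-SHA256 truncated to half a block
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round Feistel block cipher standing in for AES, so the
    example needs only the standard library (assumption: any PRP will do,
    since BEAST only depends on how the CBC IV is chosen)."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(4):
        left, right = right, xor(left, _round(key, r, right))
    return left + right


class CbcRecordLayer:
    """Minimal model of a TLS CBC record layer (MAC and TLS padding rules
    omitted; they do not matter for BEAST). explicit_iv=False models TLS 1.0,
    where each record's IV is the last ciphertext block of the previous
    record; explicit_iv=True models TLS 1.1, where every record carries a
    fresh random IV."""

    def __init__(self, key: bytes, explicit_iv: bool):
        self.key = key
        self.explicit_iv = explicit_iv
        self.last_block = os.urandom(BLOCK)  # IV for the very first record
        self.records_sent = 0

    def send(self, plaintext: bytes):
        """Encrypt one record; returns (iv, ciphertext), both visible on the wire."""
        pad = BLOCK - len(plaintext) % BLOCK
        plaintext += bytes([pad]) * pad
        iv = os.urandom(BLOCK) if self.explicit_iv else self.last_block
        prev, out = iv, b""
        for i in range(0, len(plaintext), BLOCK):
            prev = encrypt_block(self.key, xor(plaintext[i:i + BLOCK], prev))
            out += prev
        self.last_block = prev  # TLS 1.0 reuses this as the next record's IV
        self.records_sent += 1
        return iv, out


# Constructed secret: the session cookie the attacker wants to read.
SECRET_COOKIE = b"session=4f9a1c7e3b20"


def victim_request(chan: CbcRecordLayer, path_padding: int):
    """The victim's browser sends a request over the TLS connection. The only
    part the attacker controls is the URL length (path_padding bytes of 'A');
    the secret cookie follows. Real requests carry more known header bytes,
    which does not change the attack."""
    return chan.send(b"A" * path_padding + SECRET_COOKIE)


def beast_recover(chan: CbcRecordLayer, secret_len: int):
    """Recover the cookie one byte at a time. Returns None if no guess ever
    matches, i.e. the IV could not be predicted."""
    recovered = b""
    for j in range(secret_len):
        # Pad the URL so that secret[j] is the last byte of a block whose
        # other 15 bytes (padding plus already-recovered bytes) are known.
        pad = (BLOCK - 1 - j) % BLOCK
        known = b"A" * pad + recovered          # plaintext preceding secret[j]
        target_idx = (pad + j) // BLOCK
        iv, ct = victim_request(chan, pad)      # observed by the MITM
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        c_prev, c_target = blocks[target_idx], blocks[target_idx + 1]
        for g in range(256):
            guess = known[-(BLOCK - 1):] + bytes([g])
            # The next record is XORed with chan.last_block (the predicted IV).
            # Pick the plaintext so the cipher input becomes guess XOR c_prev,
            # exactly what produced c_target if the guess is right.
            chosen = xor(xor(guess, c_prev), chan.last_block)
            _, out = chan.send(chosen)          # attacker-chosen plaintext (via JS)
            if out[:BLOCK] == c_target:
                recovered += bytes([g])
                break
        else:
            return None
    return recovered


def run_demo(explicit_iv: bool = False):
    chan = CbcRecordLayer(os.urandom(32), explicit_iv)
    return beast_recover(chan, len(SECRET_COOKIE))


if __name__ == "__main__":
    print("TLS 1.0 (chained IV):", run_demo(explicit_iv=False))
    print("TLS 1.1 (explicit IV):", run_demo(explicit_iv=True))
```

Running the block prints the full cookie for the TLS 1.0 model and None for the TLS 1.1 model. The cost is one victim request plus at most 256 attacker records per cookie byte, which is why the cookie's length sets the attack time, and the TLS 1.1 run fails on the very first byte because the guessed IV is never the one the record layer actually uses.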


Who’s Vulnerable?

Almost any site using TLS 1.0 with a CBC cipher suite, and TLS 1.0 is by far the most widely deployed version of the protocol. Stream cipher suites such as RC4 do not use CBC and are not affected by BEAST. What about TLS 1.1? It was published in 2006 (RFC 4346) and removes the weakness by giving every record its own explicit, unpredictable IV, but the plain fact is that most SSL/TLS libraries, browsers and servers still do not deploy it. When will the browsers be fixed? Most major browser vendors are working on patches that mitigate the attack, and Google has released a developer version of Chrome that stops BEAST.


Final Thoughts

While an impressive tool and concept, once an attacker has a Man-In-The-Middle position on your traffic you have a lot more to worry about than BEAST. Still, expect to see this attack used in the wild, and expect it to evolve and grow.

More information is available about Google's response and why Chrome is not vulnerable to the BEAST attack, and an in-depth technical write-up can be found on Matthew Green's blog, A Few Thoughts on Cryptographic Engineering.