×
Search TQA Weekly
×
Log into your TQA Weekly

The Beast Attack

Browser Exploit Against SSL/TLS Explained

Steve Smith explains what the Beast Attack is, how it affects you, and what can be done about it.

Episode #3-48 released on August 24, 2013

For the majority of users on the internet, we presumed we could say anything we wanted online. We presumed no one was watching online, at least not us personally. We were fine with logging into web-sites, even if they aren't encrypted, and have done so for years. Then we met Firesheep, a program capable of stealing our login credentials in places like air port terminals, and coffee shops, so we sought the need to encrypt, everything. Firesheep was released in 2010, and allowed anyone to access your accounts if you weren't using a secure access point, and SSL enabled web-site.

In September of 2011, another type of attack was demonstrated, this time against SSL, more specifically TLS 1.0. This kind of attack is called Beast. Beast is short for Browser Exploit Against SSL/TLS. This attack leverages a weakness related to CBC, or cipher block chaining, an important part of the SSL/TLS protocols, even used with AES encryption. The demonstration was achieved using JavaScript, and proved that anyone who could taint a web-site with malicious code subjected users to a man in the middle attack, or MITM.

This means, that like our original problem with Firesheep, we again had an issue with people being able to steal our login credentials online, and impersonate us. And, this time the hack could be achieved from further away, where as before it had to be within range of a public, unencrypted, wireless hotspot.

Does this mean we can't ever be secure online?

No, Beast only affects TLS version 1.0. So, using another version of TLS allows us to be safer. In fact, companies like SSL Labs, allows users and web site developers to validate the SSL certificates to make sure the web-sites are as secure, as possible. The issue is, that in order to pass we need to place RC4 encryption at the very top, and this is not very desirable, as we have other kinds of security which is better.

Is it possible for users to further improve their security online?

Yes, you as a person, can modify your browser's settings, depending on the browser, to allow for more selection of SSL/TLS versions, allowing your computer and the server to have better security.

Which browser is most secure when it comes to dealing with the potential of the Beast attack?

In order for a browser to be secure against Beast, we must presume the web-site supports TLS 1.1 or better. Google Chrome and Mozilla Firefox supports up to TLS 1.1. Opera does support TLS 1.1 and 1.2, but both are off by default. Safari 5 and greater support up to TLS 1.2. Internet Explorer 10, and so other versions, also, support TLS 1.1 and 1.2, but are, also, off by default.

This technically means, out of the box, Safari is your best bet. If you are willing to dig, you can, also, use Internet Explorer, and Opera, provided you turn off TLS 1.1 and 1.2. Google Chrome and Mozilla Firefox do allow for security, but do not offer the latest version of TLS, TLS 1.2.

We can, also, deduce that if a specific web-site's SSL certificate library did not support RC4, which is currently the only way to fend off any threat from Beast Attacks, and was required to use a CBC algorithm from TLS 1.0 only, then Opera, and Internet Explorer are more vulnerable to the Beast Attack than any other Browser online. This, of course, is true as of the day I am writing this. And the worst thing is, they both support up to TLS 1.2 in their libraries which makes them safer than other browsers, if you were to turn them on.

If browsers can support TLS 1.1 or greater, why do we need RC4 then?

The problem is created by the fact that most browsers people may use don't operationally use anything but TLS 1.0, even if they support better because they are either not on by default, or never employed by browsers, as I have seen because even my own site uses better technology but browsers always end up using RC4 / TLS 1.0.

To validate a web-site to see if it is secure against the Beast Attack, you can use a very interesting tool, available from SSL Labs. The scan gives you an idea of how secure a web-site really is. The link is available in the sources of this episode.

Next week, I will be talking about Cross Site Scripting. I will explain what it is, how it is done, and how to prevent it from affecting your web-site.

Remember to like this episode if you were interested in today's topic, share if you think someone else could benefit from the topic, and subscribe if you want to learn more. For the show notes of this episode and others, for more information on other ways to subscribe to our show, to subscribe to our weekly newsletter, and how to participate by submitting your questions, comments, suggestions, and stories, head over to TQAWeekly.com.

Host : Steve Smith | Music : Jonny Lee Hart | Editor : Steve Smith | Producer : Zed Axis Productions

Sources & Resources