News
BEAST browser security threat is not as fierce as it looks say Context Information Security
November 2011 by
Researchers at Context Information Security are playing down the level of risk to businesses and government organisations posed by BEAST, or Browser Exploit Against SSL/TLS. Recently disclosed by Thai Duong and Juliano Rizzo, the SSL vulnerability allows an attack on a browser to decrypt cookies and compromise HTTPS, giving access to encrypted website log-on credentials. But Context believes that hackers are very unlikely to use this complex attack and also provides some advice on how to further reduce the risks.
“In effect, BEAST is simply a practical way to exploit an existing theoretical vulnerability in older versions of TLS/SSL (TLSv1.0, SSLv3.0 and lower), commonly used for HTTPS connections,” said Michael Jordon, research and development manager at Context. “For an attack to be effective, a vulnerable version of SSL using a block cipher must be used; network sniffing of the connection must be possible; and there also has to be a successful Java applet injection into the same origin of the web site.”
Developers can already increase the complexity and mitigate the risk of malicious content being injected within the same origin through actions such as setting the HTTPOnly property that prevents applets or JavaScript to gain access to the cookie and prevent session hijacking. Therefore, in terms of risk, the BEAST attack is akin to not setting the HTTPOnly property on cookies that is not unusual among websites.
“If people are concerned about the BEAST attack, we suggest they first look to see if their HTTPOnly property is set properly. If it is not, then a BEAST attack would not be needed to deliver the same opportunities to hackers,” says Jordon.
The major vendors of both browsers and server-side technologies have also announced that they are working on patches for TLS1.0. Within a controlled environment such as an internal network, it may be possible to upgrade all users and servers to products that support TLS 1.1/1.2. However, this could mean that some users may have difficulties accessing older web servers.
There are also a number of other areas in which the use of session hijacking can be reduced or made more complex, including transferrable session prevention; the use of effective logout and session timeout functions; regeneration of a new and unique cookie value per session; and adoption of one-time passwords.
“The BEAST vulnerability exists but there are simple steps that developers and security managers can take to mitigate the risks and with the number and complexity of mechanisms needed by an attacker, plus the number of greater value attacks that could take place in the same circumstances, we believe that it is unlikely that BEAST will be seen in the wild,” concludes Jordon.
