BEAST attack

A new vulnerability in all versions of SSL and TLS version 1.0, known since 2001, allows attackers on the same network to spy on cookies sent over HTTPS.

BEAST stands for Browser Exploit Against SSL/TLS. This is an attack on network vulnerabilities in the TLS 1.0 and earlier versions of SSL protocols. The attack was first carried out in 2011 by security researchers Thai Duong and Giuliano Rizzo, but the theoretical vulnerability was discovered in 2002 by Philip Rogaway.

Web browser attack

In a block-by-block chosen-plaintext attack, an attacker can encrypt any plaintext of his choice in blocks. The entropy used can then be inferred from the plaintext known to it and the observed key text.

This greatly reduces the effort required to break the encryption.

BEAST consists of two parts: JavaScript code or Java applets that are injected into the victim's browser and inject prepared data into an encrypted connection, and a sniffer that eavesdrops on data transmitted, for example, over a WLAN.

Block ciphers such as DES or AES operate in different modes. In this case, the Cipher Block Chaining (CBC) operating mode used with AES is attacked. In this "chain block cipher", before each block except the first is encrypted, the ciphertext of the previous block is added to the plaintext in a modular manner and subtracted accordingly during decryption.

This prevents an attacker from detecting the encryption of two identical blocks of plaintext. Since there is no preceding ciphertext for the first block, an attacker can determine whether two plaintexts begin with the same blocks. To prevent this, the cache is initialized with a random value.

In a block-by-block selected plaintext attack, the plaintext of other blocks is inferred by inserting prepared plaintext blocks. Specifically, BEAST targets session cookies, which are automatically sent to the web server on every request. By inserting appropriate blocks of plain text one after another, the cookie can be gradually defined character by character.

For an attack a number of prerequisites must be met:

- The attacker must be able to observe the victim's network connection, for example on an open WLAN.

- The attacker must be able to inject his code into the victim's browser.

- The attacker-injected code must be able to send HTTPS requests.

- After listening to a generated request, it should be possible to attach additional data to this request.

With BEAST you can spy on cookies that are already present when you enter code into your browser. The injected code itself does not have access to them because they are marked as HTTP-only.

According to experts, a BEAST session cookie can be tracked in less than 3 minutes. And it's not just about reading some data in the browser: the cookie is extracted from the encrypted data being transmitted.

Countermeasures are problematic

The simplest countermeasure would be to stop using SSL and TLS 1.0. In TLS 1.1, the attack is prevented by using individual initialization vectors. Unfortunately, this is not so simple either on the client side or on the server side, since many web servers still use these old versions and some browsers also have problems with newer versions.

Even when implementing alternative solutions, such as inserting empty blocks, there are always compatibility issues with some websites, as Opera and Google discovered with their solutions. Firefox developers are considering a way to bypass the symptoms and block the Java plugin.

Of course, this doesn't solve the real problem, it just blocks the attack vector used by BEAST. Microsoft is working on an update and initially published a security advisory that suggested various workarounds, such as prioritizing the RC4 algorithm and enabling TLS 1.1 and/or 1.2. For the latter, Fix it tools are available.

Experts also suggest that servers use RC4-SHA as their cipher suite instead of AES or Triple-DES. Then the CBC mode is not used and the attack is ineffective.

A common problem with all countermeasures, both client- and server-side, is the large number of existing protocol versions and configuration options. Any change to existing status may result in discontinuation of parts of the browser or website. And of course, neither browser makers nor website operators want to take any risks.

How big is the danger?

As already mentioned, this is not a new vulnerability, but “just” a new attack on a long-known vulnerability (and, in fact, long ago fixed). However, such an attack was previously considered unfeasible, so upgrading to TLS 1.1 or higher was not considered necessary.

Everything is different now. According to experts, the risk of a successful attack is small, but it exists. An attacker who can inject code into a victim's browser can cause more damage elsewhere. BEAST is only interesting if you need to track an existing cookie, and BEAST can only be executed if the requirements are met.

However, countermeasures should of course be taken. It would be better if all servers were "updated" to at least TLS 1.1 - and then all web browsers would also support this standard. Until then, you'll have to make do with emergency solutions such as using RC4 instead of AES/Triple-DES in CBC mode.

Mainton Company - custom software development and testing, system administration and SRE, SEO and online advertising since 2004.