A tool called BEAST decrypts secret PayPal cookies residing in versions 1.0 and earlier of TLS by attacking the confidentiality model of the protocol. According to the researchers, Thai Duong and Juliano Rizzo, they claim BEAST is: “…the first attack that actually decrypts HTTPS requests.” As opposed to other attacks which targeted the authenticity of the protocol. While versions 1.1 and 1.2 of TLS aren’t affected, they still remain unsupported by browsers and most sites, thus, almost every website remains vulnerable to the eavesdropping attack. The BEAST proof of concept will be demoed at Ekoparty security conference in Buenos Aires later this week, by researchers Thai Duong and Juliano Rizzo. Will this be an eye opener to finally introduce TLS 1.1 & 1.2 support?
- SSL broken. (TLS 1.0 cryptographic attack that works. Not just fake certs.) (theregister.co.uk)
- ISC Diary | SSL/TLS Vulnerability Details to be Released Friday.