SSL Encryption No Longer Secure - Hackers

Tweet

Is it the end of the world for secure online services? A team of security researchers has discovered a serious vulnerability in existing Web security protocols, which could potentially render all websites open to hack attacks, including PayPal, Gmail, and other such services.

The DigiNotar breach was only the beginning, and looking back at the way SSL certificates were fraudulently acquired from the Dutch certificate issuer, that particular hack seems amateur in contrast to more recent discoveries. Security researchers Thai Duong and Juliano Rizzo will be demonstrating their BEAST software — Browser Exploit Against SSL/TLS — at the Ekoparty security conference in Buenos Aires this week, and they plan to decrypt authentication cookies used in accessing PayPal.

Majority of the online world’s secure websites use secure SSL/TLS to encrypt data while in transit, and decrypt it at the point of the intended recipient. But while previous man-in-the-middle hacks like the SSL cert spoofing attack done via DigiNotar require certificates from an issuer, BEAST actually attacks secure HTTP transactions from an inherent vulnerability without the need for tools or intervention from a third party.

While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests … [A]n attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection

The vulnerability lies in a security hole in TLS 1.0 that was previously thought to be a theoretical weakness. The researchers’ aim is to provide proof-of-concept, that HTTPS can be breached in a practical manner. They say that a PayPal attack requires a minimum of 30 minutes before user credentials can be retrieved. However, they are tweaking their code to reduce this to just 10 minutes.

But while TLS is theoretically — and now practically — vulnerable, it’s only version 1.0 that’s prone to the BEAST attack. TLS 1.1, which has been available since 2006, and TLS 1.2 do not suffer from this vulnerability. The problem is that most secure sites use TLS 1.0 because current browsers have not yet fully implemented TLS 1.1 and 1.2. At present, only Opera deploys TLS 1.2 by default, while Internet Explorer has the feature as optional.

The security researchers hope that their proof-of-concept will encourage browser makers to improve the security of their products, even at the expense of some speed or performance loss. They also hope that web publishers will adopt higher-level security through TLS 1.1 or 1.2, although this will mean that a significant amount of current traffic might be lost. For now, Duong and Rizzo say they have been working with browser and SSL vendors, but each proposed fix to the vulnerability proved to be incompatible with existing SSL applications. Developers, vendors and concerned stakeholders will need to find a way to better-secure our online transactions.