First developed in 1999 as an improvement over SSL (Secure Socket Layer) 3.0 encryption, TLS 1.0 is used as part of HTTPS encryption and is now the Web standard for data encryption. Almost all websites and browsers use TLS to secure information being transferred between you and the site, and now security researchers Thai Duong and Juliano Rizzo claim to have cracked TSL 1.0 encryption using just a traffic sniffer and a simple bit of JavaScript code.
Duong and Rizzo performed a live demonstration of the exploit, codenamed BEAST (Browser Exploit Against SSL/TLS), at the Ekoparty security conference in Buenos Aires during mid-September. While the details of the attack are highly technical, we now know it starts with a snippet of JavaScript code that infects your browser when you follow a suspicious link or visit a malicious website.
When BEAST infects your browser, it monitors the data you exchange with encrypted websites. It inserts blocks of plain-text into the data stream and attempts to decrypt those known blocks of plain-text by making educated guesses about the encryption key.
After enough time passes (roughly five to ten minutes, according to reports that Rizzo sent to The Register), BEAST inevitably guesses correctly and cracks the code on a byte’s worth of encrypted data, then uses that data to reverse-engineer the encryption key and decrypt the confidential data in the session cookie stored on your computer.
It’s a time-consuming process that exploits a known vulnerability in SSL 3.0/TLS 1.0 encryption. Prior to their public demonstration, the researchers responsible notified the developers of popular browsers like Firefox and Internet Explorer, and hopefully, the publicity surrounding this vulnerability encourages more server and browser developers to upgrade their encryption systems to take advantage of more recent protocols like TLS 1.1 or 1.2, both of which remain theoretically immune to a block-wise chosen-plaintext attack like BEAST. Microsoft has already promised to patch Windows to protect users against BEAST, and Kaspersky Lab Expert Kurt Baumgartner believes Chrome users have little to worry about as the Chromium source code was patched to protect against this exploit three months ago.
That’s possible because TLS 1.1 has been available since 2006, yet most websites and browsers do not support it due to the time and effort required to update all of their services (like browser extensions in Chrome or the Facebook Connect API) to authenticate data using a different encryption method. Until they do, the only surefire way to protect yourself against an exploit like BEAST is to avoid malware by developing safe browsing habits. Never open unsolicited mail or click on links you don’t trust, be careful about the data you share on social networks and change your passwords often.