Hackers Crack Internet Encryption: Should You Be Worried?
By Alex Wawro, PCWorld
Data encryption is the cornerstone of Internet security. Every time you log into your email account or sign into an online retailer like Amazon, chances are that your browser is establishing a secure connection to the server using an encryption technology called TLS (Transport Layer Security).
When BEAST infects your browser, it monitors the data you exchange with encrypted websites. It inserts blocks of plaintext into the data stream and attempts to decrypt those known blocks of plaintext by making educated guesses about the encryption key.
After enough time passes (roughly five to ten minutes, according to reports that Rizzo sent to The Register), BEAST inevitably guesses correctly and cracks the code on a byte’s worth of encrypted data, then uses that data to reverse-engineer the encryption key and decrypt the confidential data in the session cookie stored on your computer.
It’s a time-consuming process that exploits a known vulnerability in SSL 3.0/TLS 1.0 encryption. Prior to their public demonstration, the researchers responsible notified the developers of popular browsers like Firefox and Internet Explorer. Hopefully, the publicity surrounding this vulnerability will encourage more server and browser developers to upgrade their encryption systems to take advantage of more recent protocols like TLS 1.1 or 1.2, both of which remain theoretically immune to a block-wise chosen-plaintext attack like BEAST. Microsoft has already promised to patch Windows to protect users against BEAST, and Kaspersky Lab expert Kurt Baumgartner believes Chrome users have little to worry about, as the Chromium source code was patched to protect against this exploit three months ago.
That’s possible because TLS 1.1 has been available since 2006, yet most websites and browsers do not support it due to the time and effort required to update all of their services (like browser extensions in Chrome or the Facebook Connect API) to authenticate data using a different encryption method. Until they do, the only surefire way to protect yourself against an exploit like BEAST is to avoid malware by developing safe browsing habits. Never open unsolicited mail or click on links you don’t trust, be careful about the data you share on social networks and change your passwords often.
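For administrators acting on the upgrade to TLS 1.1 or 1.2 described above, here is an added example (not from the article or any vendor) that sets a protocol floor on a Python client and audits a session inventory for the SSL 3.0/TLS 1.0 block-cipher combination the article describes. The host names and the inventory are constructed, and the helper names are hypothetical.

```python
import ssl

# Versions the article names as affected by BEAST, spelled the way
# ssl.SSLSocket.version() reports them in Python.
AFFECTED_VERSIONS = {"SSLv3", "TLSv1"}

def hardened_client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client context that refuses to negotiate below `minimum`."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = minimum
    return ctx

def uses_block_cipher(cipher_name):
    """OpenSSL-style suite names: RC4 and NULL suites are the only non-block
    choices that SSL 3.0 / TLS 1.0 can negotiate."""
    return not any(tag in cipher_name for tag in ("RC4", "NULL"))

def audit(sessions):
    """Return the sessions negotiated with a BEAST-affected setup.

    `sessions` is an iterable of (host, version, cipher) tuples, e.g. taken
    from sock.version() and sock.cipher()[0] after a handshake.
    """
    findings = []
    for host, version, cipher in sessions:
        if version in AFFECTED_VERSIONS and uses_block_cipher(cipher):
            findings.append((host, version, cipher))
    return findings

# Constructed sample inventory (hypothetical hosts, not real scan results).
SAMPLE_SESSIONS = [
    ("shop.example", "TLSv1", "AES128-SHA"),
    ("mail.example", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("legacy.example", "SSLv3", "DES-CBC3-SHA"),
    # RC4 is a stream cipher, so the block-wise attack does not apply here;
    # the session is still on an old protocol version.
    ("cdn.example", "TLSv1", "RC4-SHA"),
    ("api.example", "TLSv1.1", "AES256-SHA"),
]

if __name__ == "__main__":
    for host, version, cipher in audit(SAMPLE_SESSIONS):
        print(f"{host}: {version} with {cipher} -> raise the floor to TLS 1.1+")
    print("client floor:", hardened_client_context().minimum_version.name)
```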