BEAST SSL attack

23 09 2011

Security researchers Juliano Rizzo and Thai Duong have created a new attack on the ever so prevalent SSL 3.0 / TLS 1.0 communication protocols, which are used to secure a majority of the private transactions over the internet. It has not been a great period for confidence building with regard to secure internet communications, as earlier this month attackers were able to obtain valid certificates for multiple domains, including from the certificate authority DigiNotar. While other attacks on HTTPS such as the DigiNotar attack have concentrated on the certificate system, attempting to masquerade as a website, this attack is the first to break the confidentiality model of SSL/TLS. Rizzo and Duong are claiming that they are simply able to defeat SSL encryption and read in plain text the contents of the traffic flowing to an HTTPS address.

The attack has been compiled into a tool named BEAST (Browser Exploit Against SSL/TLS) that allows a would-be attacker to steal and decrypt HTTPS cookies in an encrypted, active client/server session, including cookies marked as HTTPS only. BEAST actually performs a plaintext recovery attack on a vulnerability in TLS that has been known almost since the inception of the protocol. However, the vulnerability has long been considered only a theoretical problem, as many security experts regard it as impossible to exploit. The vulnerability is in how TLS encrypts the data: the protocol arranges the data in a series of blocks, then encrypts each block using the previous encrypted block. An attacker can therefore make an educated guess regarding the contents of an encrypted block. If the guess is correct, the attacker will see that their guessed block produces the same ciphertext as the legitimate block, and they will be able to subsequently decrypt the following blocks of data.
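An added example, not code from the original post or from BEAST: a minimal local simulation of the record-layer behaviour described above (CBC mode), showing why a chained IV lets a chosen record confirm a guess and why the per-record random IV used by TLS 1.1 and later removes that signal. The Feistel cipher, `CbcRecordLayer`, `guess_is_confirmed` and the sample cookie value are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    # Toy 4-round Feistel permutation built on HMAC-SHA256. It stands in for
    # the real block cipher (AES/3DES) so the demo needs only the stdlib.
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class CbcRecordLayer:
    """One-block CBC records. chained_iv=True mimics SSL 3.0/TLS 1.0 (next IV
    is the previous ciphertext block); False mimics TLS 1.1+ (random IV)."""

    def __init__(self, key, chained_iv):
        self.key, self.chained_iv = key, chained_iv
        self.last_block = os.urandom(BLOCK)

    def send(self, plaintext):
        iv = self.last_block if self.chained_iv else os.urandom(BLOCK)
        self.last_block = encrypt_block(self.key, xor(iv, plaintext))
        return iv, self.last_block


def guess_is_confirmed(layer, secret, guess):
    """True if an observer who can choose the next record learns guess == secret."""
    iv_s, c_s = layer.send(secret)      # observed record carrying the secret
    predicted_iv = c_s                  # what a chained-IV layer will use next
    # Cancel the predicted IV so the cipher input becomes guess XOR iv_s.
    probe = xor(xor(guess, iv_s), predicted_iv)
    _, c_probe = layer.send(probe)
    return c_probe == c_s


SECRET = b"sessionid=ABC123"  # constructed 16-byte sample value
KEY = os.urandom(32)

if __name__ == "__main__":
    for chained in (True, False):
        layer = CbcRecordLayer(KEY, chained)
        print(chained, guess_is_confirmed(layer, SECRET, SECRET))
```

With the chained IV the comparison succeeds only for the correct guess; with a fresh random IV per record the same probe yields an unrelated ciphertext block, so nothing is learned.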

In order to execute the SSL attack, an attacker will first need to acquire a man-in-the-middle (MITM) position on a network that will allow them to eavesdrop on a victim’s traffic to an HTTPS site. After the position is acquired, they will need to inject the BEAST agent into the victim’s browser as they try to visit a high-value target such as a bank website or PayPal. BEAST will then sniff the network traffic looking for active TLS sessions and decrypt the secured cookie, which allows the attacker to hijack the secured session. Rizzo and Duong claim that their attack can decrypt and hijack an SSL session within minutes, allowing the process to be unnoticeable to the victim.

While it is yet to be seen if this is an “OMG the sky is falling” sort of breakthrough, as the technical details of the attack are still unknown, Rizzo and Duong plan to present the attack in full detail at the Ekoparty Conference in Argentina on Friday (9/23/2011). Until then much of the security community has yet to comment on the severity of the attack, and we (the internet) will need to wait to see how browser developers move from here.

It is important to note that this vulnerability is not present in TLS 1.1 or 1.2, which have been available for years but have been adopted by only a small percentage of content providers. I believe this highlights how the reactive model that has been present in information security for many years has essentially painted much of the technological world into a corner. SSL 3.0 and TLS 1.0 are the most common security protocols available for internet transactions on the planet, and to have TLS 1.1/1.2 suddenly adopted worldwide would be a major overhaul, potentially costing companies large amounts of money and/or customers. For example, the current releases of Firefox and Chrome do not support communications on TLS 1.1/1.2, and IE9, while capable of using TLS 1.1/1.2, does not allow it by default, so if you are a bank that allows only TLS 1.1 traffic, Chrome, Firefox, and IE users will not be able to use your online banking option. This would put your bank’s website at a significant disadvantage. Duong and Rizzo have stated that “Actually we have worked with browser and SSL vendors since early May, and every single proposed fix is incompatible with some existing SSL applications,” Duong wrote. “What prevents people is that there are too many websites and browsers out there that support only SSL 3.0 and TLS 1.0. If somebody switches his websites completely over to 1.1 or 1.2, he loses a significant part of his customers and vice versa.” (4)

If this attack is anything close to as serious as the initial reports seem to allude to, we could be between the proverbial rock and a hard place.


  1. Threat Post, “New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies”, September 19 2011, Dennis Fisher.
  2. The Register, “Hackers break SSL encryption used by millions of sites”, September 19 2011, Dan Goodin.
  3. Information Week, “HTTPS Vulnerable To Crypto Attack”, September 20 2011, Mathew J. Schwartz.
  4. Softpedia, “SSL Encryption Turns Out to Be Highly Vulnerable”, September 20 2011, Eduard Kovacs.