Seattle.gov Home Page
Link to DoIT Home Page Link to DoIT Home Page Link to DoIT About Us Page Link to DoIT Contact Us Page
Tech Talk Blog Home Page Tech Talk Blog Home Page CityLink Seattle
Welcome to Tech Talk
«    »
Subscribe to
TechTalk Subscribe to RSS feed


Search

Categories


CityLink Seattle

Contributors


Recent Posts


September 2011
M T W T F S S
« Aug   Oct »
 1234
567891011
12131415161718
19202122232425
2627282930  

Tags


Quick Links


New Attack Breaks Confidentiality Model of SSL

Posted: September 22, 2011 9:43 am
By: - Information Security  

Two researchers have developed a new attack on TLS 1.0/SSL 3.0 that enables them to decrypt client requests on the fly and hijack supposedly confidential sessions with sensitive sites such as online banking, e-commerce and payment sites. The attack breaks the confidentiality model of the protocol and is the first known exploitation of a long-known flaw in TLS, potentially affecting the security of transactions on millions of sites.

The attack, developed by Juliano Rizzo and Thai Duong, will be presented at the Ekoparty conference in Argentina on Friday, and, unlike many other attacks on TLS and SSL, it has nothing to do with the certificate trust model in the protocol. Instead, the researchers have developed a tool called BEAST that enables them to grab and decrypt HTTPS cookies from active user sessions. The attack can even decrypt cookies that are marked HTTPS only from sites that use HTTP Strict Transport Security, which forces browsers to communicate over TLS/SSL when it’s available.

The researchers use what’s known as a block-wise chosen-plaintext attack against the AES encryption algorithm that’s used in TLS/SSL.  In order to execute their attack, Rizzo and Duong use BEAST (Browser Exploit Against SSL/TLS) against a victim who is on a network on which they have a man-in-the-middle position. Once a victim visits a high-value site, such as PayPal, that uses TLS 1.0, and logs in and receives a cookie, they inject the client-side BEAST code into the victim’s browser. This can be done through the use of an iframe ad or just loading the BEAST JavaScript into the victim’s browser.

Full story here: New Attack Breaks Confidentiality Model of SSL