io.kent

BEAST authors developed another attack on SSL/TLS

Famous hackers Juliano Rizzo and Thai Duong have again made themselves felt. They will appear at the Ekoparty security conference, which will be held 19-21 September in Argentina. There, they will describe a new method of attack on SSL/TLS, not as effective as the proverbial BEAST program (Browser Exploit Against SSL/TLS), which was widely discussed over the last year as the first attack in history really aimed at decoding HTTPS requests. This pair of researchers developed the BEAST tool to collect user cookies from secure SSL/TLS sessions. They are also known as the authors of the padding oracle attack on ASP.NET in 2010, which affected millions of applications and forced Microsoft to release an urgent patch to close the critical vulnerability.

Recall that, in a MiTM attack, the BEAST program quietly allowed hackers to decode TLS-encrypted data transmitted between a web server and the end user's web browser. The BEAST program exploited a feature of the AES (Advanced Encryption Standard) algorithm, in which blocks of data are encrypted one by one, with the previous block used to encode the next. Many theorists had said that this could lead to an exploit, and Duong and Rizzo were the first to develop such a tool. Interestingly, the BEAST presentation was held in 2011, also at the Ekoparty conference.

Exactly one year later, the researchers intend to demonstrate a program called CRIME, which is similar in method to BEAST: it is also based on a MiTM attack to decode an HTTPS session, including user cookies, by intercepting the encrypted traffic between the server and the browser. The vulnerability affects all versions of TLS, including TLS 1.2. But while in the case of BEAST a workaround was possible by replacing AES with another cipher (e.g., RC4), that does not help in the case of CRIME. Rizzo and Duong do not disclose which TLS feature they exploit this time; they give only a few hints.

They say that this feature had also been discussed earlier as theoretically vulnerable, but no one had managed to develop an exploit. They also say that the vulnerability works in Firefox and Chrome; the browsers released security updates ahead of the Ekoparty conference, but in fact these updates only partially solve the problem. They just shut down the possibility of injecting JavaScript to intercept HTTPS traffic, while it can be captured in other ways; in theory CRIME can even work from a static HTML

Source: New Attack Uses SSL/TLS Information Leak to Hijack HTTPS Sessions | threatpost
