September 26, 2011

Poor SSL. It’s been the standard for so long, but it’s had a rough go of it the last few months. First there were the breaches at Comodo and Diginotar, allowing intruders to generate seemingly-authentic certs to trick users, and now this.

In particular, security researchers Juliano Rizzo and Thai Duong have built a tool that’s capable of decrypting and obtaining the authentication tokens and cookies used in many websites’ HTTPS requests. “Our exploit abuses a vulnerability present in the SSL/TLS implementation of major Web browsers at the time of writing,” they said.

To illustrate the vulnerability they’ve discovered and automatically harvest authentication tokens and cookies, the researchers said they’ve also built a JavaScript-based tool dubbed BEAST, for Browser Exploit Against SSL/TLS. “It is worth noting that the vulnerability that BEAST exploits has been [present] since the very first version of SSL. Most people in the crypto and security community have concluded that it is non-exploitable, that’s why it has been largely ignored for many years,” Duong told Threatpost.