The "BEAST" SSL/TLS issue
By Sigbjørn Vik. Wednesday, September 28, 2011 1:20:01 PM
This weakness is present both in SSL and in version 1.0 of TLS, the two most popular cryptographic protocols in use today. TLS versions 1.1 and 1.2 are not affected, but unfortunately only a few browsers support these newer versions, so servers cannot yet take advantage of them. Opera supports these versions, and they can be enabled in existing Opera versions as soon as other browsers and servers start upgrading.
We developed a fix for SSL and TLS 1.0, and tried shipping it in Opera 11.51. We quickly found that any change we made to how the browser connected to servers, however small, would be incomprehensible to thousands of servers around the world. Deploying this would mean users would be unable to connect to those servers, and we had to rethink our solution. This issue will have to be solved in close cooperation between browser vendors and webmasters. Since this cannot be directly exploited in Opera, we decided to wait until we have an industry agreement on how to move forward.
We have test systems in place which can connect to millions of secure sites around the world, and detect how these sites will react to changes to the protocol. We will be sharing our results from these test runs with other browser vendors and affected parties, to give us a good basis for finding the best solution to the issue.
How the Attack works - a technical explanation
At its core, this is a chosen plaintext attack on the Cipher-block chaining (CBC) mode of encryption.
In pure CBC mode, the output cipher text from the previous encryption operation is used as "random" input into the next encryption operation. This is done to make sure that two identical blocks of plaintext are not encrypted into identical cipher text blocks.
However, this mode opens up the possibility of an attack in which the attacker feeds the encryption algorithm carefully constructed input that reveals other, unknown parts of the plaintext. Note that the encryption key cannot be recovered, only plaintext. BEAST is a proof of concept that exploits this weakness, through what has been termed a "block-wise chosen-plaintext" attack, to attempt to gain access to credential cookies.
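The CBC property described above, as an added example that is not code from the original post: a channel that chains IVs across records (SSL 3.0 / TLS 1.0 style) beside one that uses a fresh random IV per record (TLS 1.1 style), with the block-wise guess test that only works when the next IV is known in advance. The block function is a keyed stand-in for a real cipher, and the record contents are constructed sample data.

```python
import hashlib, hmac, os

BLOCK = 16

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for a block cipher's encrypt direction (keyed, deterministic).
    # Not invertible and NOT a real cipher; only encryption is needed here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Plain CBC: each ciphertext block is the "random" input to the next one.
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

class ChainedIvChannel:
    """SSL 3.0 / TLS 1.0 style: the next record's IV is the last ciphertext
    block of the previous record, so an eavesdropper knows it in advance."""
    def __init__(self, key: bytes):
        self.key, self.next_iv = key, os.urandom(BLOCK)
    def send(self, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.next_iv, plaintext)
        self.next_iv = ct[-BLOCK:]
        return ct

class FreshIvChannel:
    """TLS 1.1+ style: an unpredictable IV for every record."""
    def __init__(self, key: bytes):
        self.key = key
    def send(self, plaintext: bytes) -> bytes:
        return cbc_encrypt(self.key, os.urandom(BLOCK), plaintext)

def guess_confirmed(channel, observed, block_index, guess, predicted_iv):
    # Block-wise chosen-plaintext test: the new record's first block equals
    # the observed block iff the guess is right AND predicted_iv is the real IV.
    c_prev = observed[(block_index - 1) * BLOCK: block_index * BLOCK]
    c_target = observed[block_index * BLOCK: (block_index + 1) * BLOCK]
    return channel.send(xor(xor(guess, c_prev), predicted_iv))[:BLOCK] == c_target

def run(channel_cls, guess: bytes) -> bool:
    # Constructed sample record; block 1 holds the secret value being guessed.
    ch = channel_cls(os.urandom(BLOCK))
    observed = ch.send(b"GET /index.html " b"session=d34dbeef" b"HTTP/1.1\r\n\r\n    ")
    predicted_iv = observed[-BLOCK:]  # right for chained IVs, useless otherwise
    return guess_confirmed(ch, observed, 1, guess, predicted_iv)
```

With chained IVs a correct guess is confirmed and a wrong one rejected; with a fresh IV per record the same test tells the observer nothing, which is why TLS 1.1 is unaffected.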
Attempting to attack users
A few requirements must be met to successfully apply this attack against web browsers.
1) The attacker must be able to eavesdrop on network connections made from the victim's browser.
3) The attacker must be able to send HTTPS requests at will.
4) After listening in on the request, the attacker must be able to append more data to the very same request.
There are several methods for eavesdropping (one example is open wifi networks), thus requirement 1 can be met.
Requirement 3 is met, as the attacker can create requests via the attack script.
There are a couple of twists though.
WebSockets is a viable attack vector for requirement 4, because scripts using this have more control over what is sent on the connection. Fortunately WebSockets has been turned off by default since its introduction into Opera, as there have been other security concerns with this specification. WebSockets is not widely used yet, so in general there is no pressing need for it to be enabled. There is a new WebSockets specification in progress, without any of these security concerns, which will make it possible to enable this feature without worry. You can check if you have WebSockets enabled here.
Then there is Java. While applets do not have direct access to cookies from the browser, Java can request cookies and add them to outgoing network requests for authentication purposes. This is normally subject to a same-origin check in Java, so cookies are only added when sending requests back to the domain the applet was loaded from. However, due to a bug in Java's same-origin check, this can be bypassed, though doing so requires an attacker to control your Internet connection. If you believe you are better safe than sorry, you may consider disabling Java, or avoiding untrusted Internet connections, until there is a Java update available.
Edit 2011-10-19: Java has released a patch to address this issue. Users are advised to upgrade their Java version for safe browsing with Java enabled.