BEAST Can Crack Encrypted Web Traffic

by ServerWatch Staff

A new attack tool, dubbed BEAST, can crack SSL traffic used to secure Websites.

Security researchers say a new attack tool is capable of breaking the SSL/TLS encryption that protects Websites. As reported by eWeek, researchers Thai Duong and Juliano Rizzo are scheduled to demonstrate BEAST, the Browser Exploit Against SSL/TLS attack tool, at the Ekoparty security conference in Buenos Aires.

"Duong and Rizzo said they've refined the attack to decrypt SSL-protected Web traffic by using JavaScript to inject plain text code into the encrypted stream. The injection can be done through a malicious advertisement, an iFRAME or other scripted elements. In a variation of a 'man in the middle' attack, the browser is tricked into executing the code on the server.

"Duong and Rizzo claimed the BEAST tool allows them to intercept TLS 'cookies,' which are bits of text that identify users. TLS cookies are frequently used by Websites to keep users logged in even after the user has browsed off the page. They are expected to demonstrate the attack during the Ekoparty presentation by recovering an encrypted cookie used to access a user account on eBay's PayPal online payment service."

Read the Full Story at eWeek

This article was originally published on Tuesday Sep 27th 2011