Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser.
The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.
The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Two days after this article was first published, Google released a developer version of its Chrome browser designed to thwart the attack.
How It Works
After the BEAST agent is loaded, the second part of the tool, a network sniffer, looks for active TLS connections and then grabs and decrypts the HTTPS cookie, enabling the attacker to hijack the victim’s session with that site. Once that encrypted connection with the site is established, the victim can move off to another tab or do other things on the machine and the attack will still work. The attack forces the browser to load pages from the target site, and the tool then decrypts the first part of the request to the Web server, which includes the secure cookie. The researchers have the ability to decrypt those cookies from within SSL sessions, which essentially negates the confidentiality promise of the protocol.
The decryption process is fast enough that it’s likely imperceptible users, and the researchers said that in a targeted attack, they likely could steal the cookie from a specific site within five minutes of loading the tool. Rizzo and Duong said that their attack exploits a vulnerability in the TLS 1.0 protocol that has been known for quite some time, but was thought to be unexploitable.