ID: IRCNE2011101271
Date: 2011-10-02
According to “CNet”, browser makers are devising ways to protect people from a security protocol weakness that could let an attacker eavesdrop on or hijack protected Internet sessions.
The problem--considered theoretical until a demonstration by two researchers at a security conference in Argentina last week--is a vulnerability in SSL and TLS 1.0, encryption protocols used to secure Web sites that are accessed using HTTPS.
The researchers created software called BEAST that can decrypt parts of an encrypted data stream and can be used in what is known as a "man-in-the-middle" type of attack. BEAST uses JavaScript running in the browser and can let an attacker snoop on traffic, as well as impersonate a Web surfer by compromising session cookie data used to authenticate a Web surfer with a site.
Here are responses from representatives of the major browsers:
Firefox
"We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so," a Mozilla Security blog post says. "Firefox itself is not vulnerable to this attack. While Firefox does use TLS 1.0, the technical details of the attack require the ability to completely control the content of connections originating in the browser, which Firefox does not allow. The attackers have, however, found weaknesses in Java plugins that permit this attack. We recommend that users disable Java from the Firefox Add-ons Manager as a precaution."
"NoScript will mitigate BEAST if both:
The site is serving everything securely over https.
The user knows there should not be mixed secure/insecure content and would refuse to run any if the bad guy offered it to him," said Marsh Ray, senior software engineer at PhoneFactor.
Internet Explorer
"We consider this to be a low risk issue for customers, but we released Security Advisory (2588513) to provide guidance and protection for customers with concerns," Jerry Bryant, group manager of Response Communications at Microsoft Trustworthy Computing, said in an e-mail. "To be clear, Internet Explorer depends on the Windows implementation of these protocols, so our mitigations and workarounds apply to the operating system and not the browser. We are looking at other ways to address the issue both in our products and within the industry and will update our guidance as it becomes available."
Chrome
A post by a member of the Chrome team said the company was preparing and testing a workaround. "The attack is still a difficult one; the attacker has to have high-bandwidth MITM access to the victim. This is typically achieved by being on the same wireless network as the victim," the post says. "Nonetheless, it's a much less serious issue than a problem which can be exploited by having the victim merely visit a Web page."
Opera
Opera developed a fix and tried shipping it in Opera 11.51 but found that changes made to how the browser connects to servers were "incomprehensible to thousands of servers around the world," Opera's Sigbjorn Vik wrote in a blog post. "This issue will have to be solved in close cooperation between browser vendors and Webmasters. Since this cannot be directly exploited in Opera, we decided to wait until we have an industry agreement on how to move forward."
Safari
Apple representatives did not respond to e-mail or telephone requests for comment about the Safari browser.
Just upgrading to TLS 1.1, which is not vulnerable to the threat, won't work because nearly all SSL connections use TLS 1.0, according to a Qualys study.