
BEAST Can Crack Encrypted Web Traffic

By ServerWatch Staff
Posted September 27, 2011



Security researchers say a new attack tool is capable of breaking the encryption algorithm that protects Websites. As reported on eWeek, researchers Thai Duong and Juliano Rizzo are scheduled to demonstrate BEAST, the Browser Exploit Against SSL/TLS attack tool, at the Ekoparty security conference in Buenos Aires.


"Duong and Rizzo said they've refined the attack to decrypt SSL-protected Web traffic by using JavaScript to inject plain text code into the encrypted stream. The injection can be done through a malicious advertisement, an iFRAME or other scripted elements. In a variation of a 'man in the middle' attack, the browser is tricked into executing the code on the server.

"Duong and Rizzo claimed the BEAST tool allows them to intercept TLS 'cookies,' which are bits of text that identify users. TLS cookies are frequently used by Websites to keep users logged in even after the user has browsed off the page. They are expected to demonstrate the attack during the Ekoparty presentation by recovering an encrypted cookie used to access a user account on eBay's PayPal online payment service."

Read the Full Story at eWeek
