Two security researchers say they have found a way to break the encryption used in one of the most common security protocols on the Web, a protocol used by all sorts of sites, ranging from banking to email.
Secure Sockets Layer, or SSL, is a protocol used to keep data secure as moves between the user and the server he or she is logged into.
It was invented by developers at Netscape in the 1990s, has been upgraded many times since and is now often referred to by the newer name Transport Layer Security, or TLS. TLS 1.0, implemented in 1999, is the standard security protocol for many thousands, if not millions, of websites.
Researchers Thai Duong and Juliano Rizzo, who presented their findings today (Sept. 23) at the Ekoparty security conference in Buenos Aires, Argentina, said they can decrypt SSL and TLS "cookies" — bits of text that identify users — and gain access to restricted accounts.
Duong and Rizzo call the software Browser Exploit Against SSL/TLS, or BEAST, and claim it can decrypt secure cookies in minutes. That’s especially noteworthy because some websites — for example, Google or Facebook — use cookies to keep you logged in even after you browse away from their pages.
A toothless BEAST?
Not everyone is convinced BEAST would work well, or pose much danger.
Moxie Marlinspike, co-founder of Whisper Systems, a company that provides Android security software, said he hasn't seen BEAST and as such can't say anything about that exploit specifically. But Duong and Rizzo have said it is for TLS 1.0, rather than the newer TLS 1.1.
TLS 1.1 is a more secure version of TLS that's been out since 2006, although right now only the Microsoft Internet Explorer 9 and Opera Web browsers support it. (They both also support TLS 1.2, introduced in 2008, while Apple Safari, Google Chrome and Mozilla Firefox are stuck on TLS 1.0.)
Despite that, Marlinspike pointed out that Google will soon be issuing a patch to Chrome that is only a few lines of code, and yet defeats BEAST without upgrading to TLS 1.1.
Not many websites actually use TLS 1.1, said Marsh Ray, a software developer at Phone Factor, a firm that provides security protocols. (Upgrading the entire Web to support TLS 1.1 or 1.2 would be a massive undertaking.)
Ray said he spoke to Rizzo and Duong about their work and saw many of the details. While he doesn’t see this exploit as evidence that SSL/TLS is "broken," he thinks it's important that vendors issue patches for their browsers.
Keeping it secret
The key thing about BEAST, Ray said, is that it implements a previously theoretical method of decrypting SSL traffic.
When encrypting data, SSL uses something called an "initialization vector," which mixes randomly chosen data into the plaintext before it is encrypted. That makes it more difficult for an attacker to crack the code, because even if a user sends the same data twice, the end result won't look the same.
Another feature of SSL is that it encrypts discrete data blocks of fixed length — and each block after the first one uses a piece of the previous block in the encrypted text. That prevents a block from being cracked on its own.
BEAST gets around this with a variation on the "man in the middle" attack. It inserts a piece of Java code into a browser, and tricks the browser into making a request of a server.
Since the attacker using BEAST knows what plaintext was sent, he can use that to guess at the contents of an encrypted cookie. The attacker then can deduce what the initialization vector is. This makes decryption of the user’s data — and the associated session token — much easier.
TLS 1.1 solves that problem by using a new initialization vector for each block of text. But TLS 1.0 does not have that feature.
Greg Bard, an associate professor at the University of Wisconsin-Stout, described a similar method of decrypting SSL cookies in 2006, though his treatment was more theoretical.
"There’s a lot of information in the metadata," Bard said.
Bard's method also can reduce the amount of guessing that needs to be done to retrieve the plaintext. Duong and Rizzo have simply brought his theoretical work to life, though they have declared that they arrived at their solution independently.
Methods of defanging
Ray said SSL/TLS is not insecure as a result of attacks such as this one.
"A lot of things still have to go right [for the attacker]," Ray said.
Patches can be issued by Safari and Firefox as well as Chrome, for example. In the meantime, there are some things website administrators can do to mitigate the problem.
One would involve changing the encryption protocol RC4, which has been widely used as a stream cipher, or one that encrypts one byte at a time rather than in discrete blocks. While RC4 has vulnerabilities, they are different and more complicated to exploit.
Neither Ray nor Marlinspike think SSL/TLS is going away, nor do they think it is insecure.
"It's a fundamentally good protocol," Ray said, noting that most attacks on SSL are not attacking the encryption itself but other steps in the connection process.
Marlinspike said a bigger problem with SSL/TLS is the way the system uses certificate authorities, little-known companies that issue the "certificates" that websites use to prove their identity to Web browsers.
In recent months, a single Iranian hacker has hacked into two different certificate authorities and issued phony certificates, which could be used by spies and criminals against webmail users and Internet shoppers.
Marlinspike suggested a certificate system in which browsers rely on several authorities, rather than just one at a time, to verify a website. The odds of more than one certificate authority being compromised at a time are remote.
Bard said that as an alternative, many servers might move to another protocol called identity-based encryption. In that scheme, a message that is tampered with will simply never get to the recipient.
"If someone begins to play with the [encryption] keys, the data goes to the wrong place," Bard said.
SSL/TLS "was designed by people without much experience in cryptography or security," Marlinspike said. “When it comes to secrecy and integrity, they did some things wrong."
But the age and longevity of SSL/TLS are a testament to its usefulness and durability, Marlinspike added.
"It’s endured fairly well over time," he said.