‘Browser Exploit Against SSL/TLS’, also known as BEAST, is a hot topic today because this toolkit is able to break a web browser’s SSL encryption. We have always taught end users that, for strong security, you should always enable SSL or the HTTPS connection.
The outcome is that the attacker obtains both the known plaintext and the corresponding ciphertext, which can then be fed to a cryptanalysis tool. For a session cookie as long as 1000-2000 characters, like PayPal’s cookie, it only takes half an hour to break.
With BEAST able to break SSL encryption, some of us might start to think that it is the end of the world if a hacker happens to target you as the victim. Well, that is quite true, but not entirely.
I believe everything in IT is possible. Creating a technology is as possible as hacking it back. In other words, it is possible to engineer something and to reverse-engineer it.
If you can make the hacker think that breaking your security would be long and complicated enough, then he will not try it on you, as it is not worth the hack. Here are some of the things that you might want to know to prevent BEAST from attacking you.
What can you do against BEAST?
- Don’t spend too much time in an SSL-encrypted session. BEAST makes use of your session cookies to crack the security. The attack no longer works once you are logged out of the session. As a result, keeping sessions short helps to fight against BEAST.
- Log out when you leave the SSL-encrypted session. Don’t just close your web browser; click the logout button or link first. After performing a critical transaction, it is best to clear private data such as cookies, history, and cache. This can be done with a single click in your web browser.
- Patch your software, web browser and operating system. To work efficiently, BEAST makes use of your vulnerabilities. Patch everything to the latest version so that you don’t leave a hole for attackers to sneak in.
Security experts believe that end users like us are not able to completely fix BEAST. The fix relies on the web administrator, and below is what you can do as a web administrator.
What can a web administrator do against BEAST?
- Ensure the logout function works. It is important that the secure server properly recognizes a logout. Any transaction made after the user logs out should no longer be valid.
- Bind the IP address to the cookie. Whenever a connection is established, it is good to bind the IP address to the cookie. This might not stop the problem, but at least it is a step to make the hack take longer.
- Get rid of TLS 1.0. We know BEAST only works against TLS 1.0 or below. However, moving to TLS 1.2 is pretty tough. Not all web servers support it. On top of that, only Internet Explorer 9 and Opera 10 are able to support the new TLS. As a result, your application might lose its market among Firefox and Chrome users. Using TLS 1.2 is tough for now, and making the switch is not recommended unless it is necessary and done with well-planned steps.
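
The first two administrator items above (a logout that the server actually honours, and a cookie bound to the client IP address) can be sketched as follows. This is an added example, not code from the original post; the names SERVER_KEY, MAX_AGE, login, validate and logout, and the 15-minute session lifetime, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-process secret (assumption)
MAX_AGE = 15 * 60                     # short session lifetime in seconds (assumed value)
_sessions = {}                        # session id -> record, kept on the server


def _tag(sid, ip):
    # MAC over session id and client IP ties the cookie to one address.
    msg = f"{sid}|{ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(user, ip, now=None):
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "expires": now + MAX_AGE}
    return f"{sid}.{_tag(sid, ip)}"   # cookie value sent to the browser


def validate(cookie, ip, now=None):
    """Return the user name for a valid cookie, otherwise None."""
    now = time.time() if now is None else now
    sid, _, tag = cookie.partition(".")
    record = _sessions.get(sid)
    if record is None:                # unknown or already logged-out session
        return None
    if now >= record["expires"]:      # expired: forget it on the server too
        del _sessions[sid]
        return None
    expected = _tag(sid, ip)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                   # cookie presented from a different IP
    return record["user"]


def logout(cookie):
    # Deleting the server-side record makes the cookie useless afterwards.
    _sessions.pop(cookie.partition(".")[0], None)
```

Clients whose address changes mid-session (mobile networks, some proxies) will fail the IP check and have to log in again.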