
SANS ISC InfoSec Handlers Diary Blog



SSL/TLS Vulnerability Details to be Released Friday

Published: 2011-09-20
Last Updated: 2011-09-20 15:18:13 UTC
by Kevin Liston (Version: 2)
13 comment(s)

I'm getting a lot of emails asking about articles that ultimately reference this upcoming talk: "BEAST: Surprising crypto attack against HTTPS" (http://ekoparty.org/2011/juliano-rizzo.php)

I don't have any extra details. Anything that I write now will be unnecessary speculation. It sounds like it will be interesting; their presentation last year on Padding Oracle Attacks (the crypto oracle, not the database) certainly was.

UPDATE: Dr J links us to "A Challenging but Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL" that may describe the attack. This attack requires that the attacker be able to sniff the traffic and run code on the victim's machine to inject the chosen plaintext into the stream.

My recommendation is still to wait until we see the details before formulating a response, but sight-unseen the following steps couldn't hurt:

  1. Users: Don't bank using someone else's wifi.
  2. Browser Authors: Update to support TLS 1.2
  3. Server admins: Configure to support TLS 1.2
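To make the linked paper's attack model concrete, and to show why the TLS 1.2 recommendations above address it, here is an added example (not code from the diary, and not Rizzo and Duong's tool). It assumes the TLS 1.0 flaw the paper describes: each CBC record is encrypted with an IV equal to the last ciphertext block of the previous record, so an attacker who sniffs the traffic knows the next IV, and who can inject chosen plaintext at the start of the next record (here via a `send(prefix)` oracle standing in for code running in the victim's browser) can test a guess for one plaintext block per injected record. The block cipher is a constructed stand-in for AES, and the secret and prefixes are constructed sample data.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # block size in bytes, as for AES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed 16-byte permutation (8-round Feistel over HMAC-SHA256).
    Assumption: a dependency-free stand-in for AES. The attack below only
    needs E_k to be a bijection on blocks, which every Feistel network is."""
    l, r = block[:8], block[8:]
    for i in range(8):
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, xor(l, f)
    return l + r


class CbcSender:
    """One side of a CBC-protected connection. The attacker controls the
    start of every record (e.g. the request path); a secret (e.g. a cookie)
    is appended by the sender; the attacker sees every ciphertext.
    predictable_iv=True : TLS 1.0 behaviour, IV = last block of previous record
    predictable_iv=False: TLS 1.1/1.2 behaviour, fresh random IV per record"""

    def __init__(self, secret: bytes, predictable_iv: bool = True):
        self.key = secrets.token_bytes(BLOCK)
        self.iv = secrets.token_bytes(BLOCK)  # initial IV, never seen by attacker
        self.secret = secret
        self.predictable_iv = predictable_iv

    def send(self, attacker_prefix: bytes) -> bytes:
        pt = attacker_prefix + self.secret
        pad = BLOCK - len(pt) % BLOCK
        pt += bytes([pad]) * pad
        if not self.predictable_iv:
            # TLS 1.1+ sends an explicit random IV with each record; the toy
            # just picks it fresh, since the point is that it is not known in advance.
            self.iv = secrets.token_bytes(BLOCK)
        prev, out = self.iv, b""
        for i in range(0, len(pt), BLOCK):
            prev = toy_block_encrypt(self.key, xor(pt[i:i + BLOCK], prev))
            out += prev
        self.iv = prev  # chaining: the next record starts from this block
        return out


def beast_recover(victim: CbcSender, secret_len: int) -> bytes:
    """Blockwise-adaptive chosen-plaintext attack: recover the secret one
    byte at a time by aligning each unknown byte at the end of a block whose
    other 15 bytes are known, then testing up to 256 guesses."""
    recovered = b""
    for k in range(secret_len):
        # Prefix length places secret[k] at offset 15 of some block t >= 1.
        prefix = b"A" * (BLOCK + (BLOCK - 1 - k) % BLOCK)
        ct = victim.send(prefix)
        t = (len(prefix) + k) // BLOCK
        known = (prefix + recovered)[t * BLOCK:t * BLOCK + BLOCK - 1]
        c_prev = ct[(t - 1) * BLOCK:t * BLOCK]    # block XORed into target P_t
        c_target = ct[t * BLOCK:(t + 1) * BLOCK]  # E(P_t xor C_{t-1})
        next_iv = ct[-BLOCK:]                     # IV of the next record (TLS 1.0)
        for g in range(256):
            guess = known + bytes([g])
            # First block of the next record encrypts x xor next_iv
            # = guess xor c_prev, which equals c_target iff guess == P_t.
            x = xor(xor(guess, c_prev), next_iv)
            ct2 = victim.send(x)
            if ct2[:BLOCK] == c_target:
                recovered += bytes([g])
                break
            next_iv = ct2[-BLOCK:]
        else:
            raise RuntimeError("no guess matched: the IV was not predictable")
    return recovered


SECRET = b"cookie=s3cr3t-value"  # constructed sample secret, spans two blocks


if __name__ == "__main__":
    print(beast_recover(CbcSender(SECRET), len(SECRET)))
```

Against the TLS 1.0 model the loop recovers the whole secret with at most 256 injected records per byte; with a fresh IV per record (the TLS 1.1/1.2 behaviour that items 2 and 3 above buy you) the attacker cannot cancel the IV when building `x`, no guess ever matches, and the function raises. The example also shows the two preconditions named in the update: the attacker must see `ct` (sniffing) and must drive `send` (code on the victim's machine).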
Keywords: TLS