
SSL inventor calls BEAST research 'technically clever but over-sold'


The recent research revealing vulnerabilities in the SSL/TLS code has been described as "technically clever" but "very over-sold".

Speaking with SC Magazine, Taher Elgamal, CSO at Axway and formerly the driving force behind the secure sockets layer (SSL) while at Netscape, said the Browser Exploit Against SSL/TLS code (BEAST) was "powerful more than necessary".

According to a report by The Register, research in 2004/5 by Thai Duong and Juliano Rizzo revealed a vulnerability that resides in versions 1.0 and earlier of TLS which allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

Using a piece of JavaScript with a network sniffer to decrypt cookies, Duong and Rizzo said they had figured out a way to defeat SSL by breaking the underlying encryption it uses to prevent sensitive data from being read by people eavesdropping on an address protected by the HTTPS prefix.

Elgamal said: “There are two issues here: TLS 1.1 does not have any vulnerabilities but no-one supports it; the other is, do you know what it takes to break in? This is an issue with the security market, as the attacker needs to create malware and target it; once in they feed it into the SSL channel; they read what is on the wire and feed a safe set of cookies, so that they can find what keys were used.

“If I can put malware on a machine, why should I read SSL? There is no issue with TLS 1.1 and everyone should be using the latest technologies, but the way this was published is so brash, it is so smart technically, but if I were an attacker I would have better things to do with my malware than read what people are doing, so why bother?”

Looking at the BEAST paper, Elgamal said that it was "technically clever" and should be looked at, but it was "very over-sold" as the original paper was written a long time ago. “Trillion-dollar companies are worth going after and I am not defending the hackers, but these issues should be taken care of; this was over-marketed and that bothers me,” he said.
