This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

SSL inventor calls BEAST research 'technically clever but over-sold'

Share this article:
SSL inventor calls BEAST research 'technically clever but over-sold'
SSL inventor calls BEAST research 'technically clever but over-sold'

The recent research revealing vulnerabilities in the SSL/TLS code has been described as "technically clever" but "very over-sold".

Speaking with SC Magazine, Taher Elgamal, CSO at Axway and formerly the driving force behind the secure sockets layer (SSL) while at Netscape, said the Browser Exploit Against SSL/TLS code (BEAST) was "powerful more than necessary".

According to a report by The Register, research in 2004/5 by Thai Duong and Juliano Rizzo revealed a vulnerability that resides in versions 1.0 and earlier of TLS which allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

Using a piece of JavaScript with a network sniffer to decrypt cookies, Duong and Rizzo said they had figured out a way to defeat SSL by breaking the underlying encryption it uses to prevent sensitive data from being read by people eavesdropping on an address protected by the HTTPS prefix.

Elgamal said: “There are two issues here: TLS 1.1 does not have any vulnerabilities but no-one supports it; the other is, do you know what it takes to break in? This is an issue with the security market, as the attacker needs to create malware and target it; once in they feed it into the SSL channel; they read what is on the wire and feed a safe set of cookies, so that they can find what keys were used.

“If I can put malware on a machine, why should I real SSL? There is no issue with TLS 1.1 and everyone should be using the latest technologies, but the way this was published is so brash, it is so smart technically, but if I were an attacker I would have better things to do with my malware than read what people are doing, so why bother?”

Looking at the BEAST paper, Elgamal said that it was "technically clever" and should be looked at, but it was "very over-sold" as the original paper was written a long time ago. “Trillion-dollar companies are worth going after and I am not defending the hackers, but these issues should be taken care of; this was over-marketed and that bothers me,” he said.

Share this article:

SC webcasts on demand

This is how to secure data in the cloud

Exclusive video webcast & Q&A sponsored by Vormetric

As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.

View the webcast here to find out more

More in News

Police investigating after hacker steals 500,000 records from cosmetic surgery practice

Police investigating after hacker steals 500,000 records from ...

An unidentified hacker was able to access and exfiltrate almost half a million records on potential cosmetic surgery patients, it has been revealed.

Insider data thieves get away "scot free"

Insider data thieves get away "scot free"

Controls on access to data by both staff and ex-staff are lax, and even when caught, insiders stealing data get away 'scot-free' says new survey.

Government slated as Mumsnet becomes first UK Heartbleed victim

Government slated as Mumsnet becomes first UK Heartbleed ...

The Government's reaction to the 'Heartbleed' flaw has been criticised after the Mumsnet parenting site became the UK's first known victim of Heartbleed hackers.