SSL inventor calls BEAST research 'technically clever but over-sold'

Share this article:
SSL inventor calls BEAST research 'technically clever but over-sold'
SSL inventor calls BEAST research 'technically clever but over-sold'

The recent research revealing vulnerabilities in the SSL/TLS code has been described as "technically clever" but "very over-sold".

Speaking with SC Magazine, Taher Elgamal, CSO at Axway and formerly the driving force behind the secure sockets layer (SSL) while at Netscape, said the Browser Exploit Against SSL/TLS code (BEAST) was "powerful more than necessary".

According to a report by The Register, research in 2004/5 by Thai Duong and Juliano Rizzo revealed a vulnerability that resides in versions 1.0 and earlier of TLS which allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

Using a piece of JavaScript with a network sniffer to decrypt cookies, Duong and Rizzo said they had figured out a way to defeat SSL by breaking the underlying encryption it uses to prevent sensitive data from being read by people eavesdropping on an address protected by the HTTPS prefix.

Elgamal said: “There are two issues here: TLS 1.1 does not have any vulnerabilities but no-one supports it; the other is, do you know what it takes to break in? This is an issue with the security market, as the attacker needs to create malware and target it; once in they feed it into the SSL channel; they read what is on the wire and feed a safe set of cookies, so that they can find what keys were used.

“If I can put malware on a machine, why should I real SSL? There is no issue with TLS 1.1 and everyone should be using the latest technologies, but the way this was published is so brash, it is so smart technically, but if I were an attacker I would have better things to do with my malware than read what people are doing, so why bother?”

Looking at the BEAST paper, Elgamal said that it was "technically clever" and should be looked at, but it was "very over-sold" as the original paper was written a long time ago. “Trillion-dollar companies are worth going after and I am not defending the hackers, but these issues should be taken care of; this was over-marketed and that bothers me,” he said.

Share this article:

SC webcasts on demand

This is how to secure data in the cloud

Exclusive video webcast & Q&A sponsored by Vormetric

As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.

View the webcast here to find out more