The recent research revealing vulnerabilities in the SSL/TLS code has been described as "technically clever" but "very over-sold".
Speaking with SC Magazine, Taher Elgamal, CSO at Axway and formerly the driving force behind the secure sockets layer (SSL) while at Netscape, said the Browser Exploit Against SSL/TLS code (BEAST) was "powerful more than necessary".
According to a report by The Register, research in 2004/5 by Thai Duong and Juliano Rizzo revealed a vulnerability that resides in versions 1.0 and earlier of TLS which allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.
Elgamal said: “There are two issues here: TLS 1.1 does not have any vulnerabilities but no-one supports it; the other is, do you know what it takes to break in? This is an issue with the security market, as the attacker needs to create malware and target it; once in they feed it into the SSL channel; they read what is on the wire and feed a safe set of cookies, so that they can find what keys were used.
“If I can put malware on a machine, why should I real SSL? There is no issue with TLS 1.1 and everyone should be using the latest technologies, but the way this was published is so brash, it is so smart technically, but if I were an attacker I would have better things to do with my malware than read what people are doing, so why bother?”
Looking at the BEAST paper, Elgamal said that it was "technically clever" and should be looked at, but it was "very over-sold" as the original paper was written a long time ago. “Trillion-dollar companies are worth going after and I am not defending the hackers, but these issues should be taken care of; this was over-marketed and that bothers me,” he said.