SSL inventor calls BEAST research 'technically clever but over-sold'

News by Dan Raywood

The recent research revealing vulnerabilities in the SSL/TLS code has been described as "technically clever" but "very over-sold".

The recent research revealing vulnerabilities in the SSL/TLS code has been described as "technically clever" but "very over-sold".

Speaking with SC Magazine, Taher Elgamal, CSO at Axway and formerly the driving force behind the secure sockets layer (SSL) while at Netscape, said the Browser Exploit Against SSL/TLS code (BEAST) was "powerful more than necessary".

According to a report by The Register, research in 2004/5 by Thai Duong and Juliano Rizzo revealed a vulnerability that resides in versions 1.0 and earlier of TLS which allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

Using a piece of JavaScript with a network sniffer to decrypt cookies, Duong and Rizzo said they had figured out a way to defeat SSL by breaking the underlying encryption it uses to prevent sensitive data from being read by people eavesdropping on an address protected by the HTTPS prefix.

Elgamal said: “There are two issues here: TLS 1.1 does not have any vulnerabilities but no-one supports it; the other is, do you know what it takes to break in? This is an issue with the security market, as the attacker needs to create malware and target it; once in they feed it into the SSL channel; they read what is on the wire and feed a safe set of cookies, so that they can find what keys were used.

“If I can put malware on a machine, why should I real SSL? There is no issue with TLS 1.1 and everyone should be using the latest technologies, but the way this was published is so brash, it is so smart technically, but if I were an attacker I would have better things to do with my malware than read what people are doing, so why bother?”

Looking at the BEAST paper, Elgamal said that it was "technically clever" and should be looked at, but it was "very over-sold" as the original paper was written a long time ago. “Trillion-dollar companies are worth going after and I am not defending the hackers, but these issues should be taken care of; this was over-marketed and that bothers me,” he said.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Webcasts and interviews 

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop