Late last month we reported on the vulnerability in TLS 1.0 in Keep Calm and Carry On and over at our sister blog AllSpammedUp.com in “Holy [Insert Expletive Here]! Et Tu, SSL?”. Security researchers Thai Duong and Juliano Rizzo developed an application, called the BEAST which demonstrated the ability to capture authentication cookies protected in transit using TLS 1.0. BEAST, which stands for Browser Exploit Against SSL/TLS, was demonstrated by the pair at the Ekoparty Security Conference, and apparently caught the attention of several vendors since the vulnerability that BEAST exploits has been known for years. Remember, we care about this both because webmail uses HTTPS, and many of our email protocols can be secured with TLS 1.0. BEAST may only attack web browser traffic today, but the flaw is in TLS, which means it affects everything that uses TLS.
TLS 1.0 is broken; there is not a patch to fix its flaw. The best remediation is to stop using it, and to start using its more secure successors in the .1 or .2 version, but with so many incompatibilities in browser and webserver, this is easier said than done. The response from vendors has been mixed, with no clear and comprehensive fix in place yet, but here is what we’ve learned so far*.
Microsoft released Security Advisory 2588513 and has announced that they are working on an update that will disable TLS 1.0 in client operating systems, and enable 1.1 and 1.2. This can be done now manually, but may be beyond the typical home user and significant work for corporations with thousands of PCs. By making these changes in the operating system (instead of in Internet Explorer) any browser will be protected. They have also published a blog post that details how Windows admins can set TLS 1.0 to favour the RC4 cipher over the vulnerable CBC cipher in TLS 1.0. While not disabling the vulnerable cipher completely, this will protect the majority of clients, most of which will support this encryption suite. They also have automated ‘Fix it’s on that blog post, and a link to deploying this through a GPO.
Google’s current version of Chrome does not support TLS 1.1 or 1.2, but the company has released both a dev and a beta version of their Chrome web browser designed to circumvent the vulnerability in TLS 1.0. It is likely this will move to the general release soon.
Opera started to implement only TLS 1.1 and 1.2 in the latest release of their browser, only to find that it was incompatible with thousands of websites that can only use TLS 1.0. In a blog post they have shared the efforts that they are taking to find an appropriate work around that doesn’t require changes to websites, or that introduces incompatibilities with them.
As the parent company of Verisign, one of the largest Certificate Authorities, Symantec is looking at ways they can leverage their leadership in the market to encourage other vendors to respond.
It appears that at this time, there is no easy way to fix this problem, but again, take heart in the following.
BEAST is proof of concept code; there is no indication that there is currently any “in the wild” attack that takes advantage of the vulnerability in TLS 1.0 using CBC.
Closing all browser sessions before opening a new browser to access a secure website directly, and the closing that browser before accessing any other sites with another fresh browser session, is an effective protection.
We will continue to monitor developments and will post another article on this issue if anything significant is announced.
*Apple’s support site was down at the time this post was written, and I could find nothing specific elsewhere to indicate anything is being done around Safari or iTunes.