BEAST creators develop new SSL attack
Security researchers Juliano Rizzo and Thai Duong – who released details of an attack on SSL/TLS last year, along with a tool called BEAST – are preparing to present a new attack on SSL/TLS at the Ekoparty Security Conference in Argentina later this month, according to Threatpost. The new attack has been given the name CRIME by the researchers.
The cipher suite doesn't matter, say the researchers, noting that one workaround for BEAST attacks was to switch from AES to RC4, but for CRIME that isn't important. The feature that CRIME is leveraging for its attack has, they say, not been a major subject for security research in the past, but for the attack to work it must be supported at the client and server.
Both Mozilla's Firefox and Google's Chrome web browsers are vulnerable to the attack, but the researchers say that both vendors have patches created to fix the problem that will be available in a few weeks.
Although risks around implementing the feature have been "superficially discussed," the researchers say they haven't found any research showing how efficient an attack could be. Conventional attacks against SSL connections almost always run as an SSL man-in-the-middle where the attacker tries to offer fake certificates to his victim to break the encrypted end-to-end connection. This was not the case with BEAST (Browser Exploit Against SSL/TLS); in that case it succeeded by using special tricks to crack the encryption from within the victim's browser. It could extract cookies and decrypt cookies for PayPal in under ten minutes. CRIME is expected to follow in these pioneering footsteps.