Fresh Off The Block


Sep 23, 2011

All your information are belong to them: Researchers claim they can crack secure web connections (read: HTTPS has been cracked)

The following post was originally published by Ashraf, founder of dotTech.org, on the dotTech website. It has been reprinted here – with only minor edits as required for compatibility with the software used by Technically Motivated – under the terms of the Creative Commons Attribution-Noncommercial licence – the licence attached to the original work at the time of our redistribution. Technically Motivated make no claim of ownership to the below content nor make any guarantee for its validity or accuracy.

A pair of security researchers claim to have written a JavaScript tool, named Browser Exploit Against SSL/TLS or BEAST, that allows them to access the information being passed behind SSL/TLS encryption. Yeah, you read that properly. These two geeks claim they have the ability to crack HTTPS.

Without going into too many technical details (because, well, I myself don't understand all the technical wand waving behind this specific exploit and I need to save face by using the excuse of not wanting to go into too many technical details), BEAST "cracks HTTPS" using a two-step process. The first step involves sniffing the network to gather enough blocks of plaintext data; the second step involves injecting the data back into the secure stream to decrypt the secure connection. Or something like that.

BEAST uses JavaScript to do all its evil stuffs, so it can be injected into your browser via malicious ads, hidden iframes, or any other component of a website that executes JavaScript code. Original estimates said it takes about a half-hour to break content encrypted with 1,000-character-long keys, but some refinement of the code by the researchers has that time estimate down to ten minutes. Ten freaking minutes.
