• Hackers break SSL encryption used by millions of sites
    27 replies, posted
[quote]Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL. The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.

[B]Like a cryptographic Trojan horse[/B]

The attack is the latest to expose serious fractures in the system that virtually all online entities use to protect data from being intercepted over insecure networks and to prove their website is authentic rather than an easily counterfeited impostor. Over the past few years, Moxie Marlinspike and other researchers have documented ways of obtaining digital certificates that trick the system into validating sites that can't be trusted.

Earlier this month, attackers obtained digital credentials for Google.com and at least a dozen other sites after breaching the security of disgraced certificate authority DigiNotar. The forgeries were then used to spy on people in Iran accessing protected GMail servers.

By contrast, Duong and Rizzo say they've figured out a way to defeat SSL by breaking the underlying encryption it uses to prevent sensitive data from being read by people eavesdropping on an address protected by the HTTPS prefix.

“BEAST is different than most published attacks against HTTPS,” Duong wrote in an email. “While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

Duong and Rizzo are the same researchers who last year released a point-and-click tool that exposes encrypted data and executes arbitrary code on websites that use a widely used development framework. The underlying “cryptographic padding oracle” exploited in that attack isn't an issue in their current research. Instead, BEAST carries out what's known as a plaintext-recovery attack that exploits a vulnerability in TLS that has long been regarded as mainly a theoretical weakness.

During the encryption process, the protocol scrambles block after block of data using the previous encrypted block. It has long been theorized that attackers can manipulate the process to make educated guesses about the contents of the plaintext blocks. If the attacker's guess is correct, the block cipher will receive the same input for a new block as for an old block, producing an identical ciphertext.

At the moment, BEAST requires about two seconds to decrypt each byte of an encrypted cookie. That means authentication cookies of 1,000 to 2,000 characters long will still take a minimum of a half hour for their PayPal attack to work.

Nonetheless, the technique poses a threat to millions of websites that use earlier versions of TLS, particularly in light of Duong and Rizzo's claim that this time can be drastically shortened. In an email sent shortly after this article was published, Rizzo said refinements made over the past few days have reduced the time required to under 10 minutes.

“BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection,” Trevor Perrin, an independent security researcher, wrote in an email. “If the attack works as quickly and widely as they claim it's a legitimate threat.”[/quote]

[url]http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/[/url]

[img]http://cdn1.sbnation.com/fan_shot_images/205505/oh-noes-everybody-panic.gif[/img]
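To make the "same input for a new block as for an old block" point in the article concrete, and to show why the TLS 1.1 change (a fresh IV per record) closes it, here is an added example that is not from the article or from the BEAST authors. It assumes a keyed-hash stand-in for AES so it runs with only the standard library, and a constructed 16-byte secret block; the chaining behaviour of CBC is the same as with a real block cipher.

```python
import hashlib
import os
BLOCK = 16  # AES block size in bytes

def block_encrypt(key, block):
    """Keyed-hash stand-in for AES-128 (stdlib only); the CBC chaining is the point."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, plaintext):
    """C_i = E_k(P_i XOR C_{i-1}) with C_0 = IV; plaintext must be block-aligned."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

class ChainedIvChannel:
    """TLS 1.0 style: next record's IV = last ciphertext block sent, visible on the wire."""
    def __init__(self, key):
        self.key, self.next_iv = key, os.urandom(BLOCK)
    def send(self, plaintext):  # returns the record as seen on the wire
        ct = cbc_encrypt(self.key, self.next_iv, plaintext)
        self.next_iv = ct[-BLOCK:]
        return ct

class ExplicitIvChannel:
    """TLS 1.1+ style: fresh random IV per record, sent with it, unknown in advance."""
    def __init__(self, key):
        self.key = key
    def send(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, plaintext)

def guess_confirmed(channel, predicted_iv, c_prev, c_target, guess):
    """The check the article describes: pick the next block so that, if the guess
    is right, the cipher sees the input it saw for the secret block (so the new
    ciphertext block equals c_target). Only meaningful if the IV is predictable."""
    chosen = xor(xor(guess, c_prev), predicted_iv)
    return channel.send(chosen)[-BLOCK:] == c_target

def run(channel_cls, guess):
    """Send a known record, then a one-block secret, then probe; True iff confirmed."""
    ch = channel_cls(os.urandom(BLOCK))
    rec_a = ch.send(b"GET / HTTP/1.1\r\n")        # constructed 16-byte record
    rec_b = ch.send(b"session=s3cr3t!!")          # constructed secret block
    c_prev = rec_a[-BLOCK:] if channel_cls is ChainedIvChannel else rec_b[:BLOCK]
    # the observer's only IV prediction is the last block seen: right for 1.0, useless for 1.1+
    return guess_confirmed(ch, rec_b[-BLOCK:], c_prev, rec_b[-BLOCK:], guess)
```

With the chained IV a correct guess is confirmed and a wrong one rejected; with an explicit random IV the same probe tells the observer nothing even when the guess is right, which is the property the article says TLS 1.1 and 1.2 have.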
[quote]At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.[/quote] And then they will fix the code.
Why can't they just leave shit be for fucks sake.
Loved the name BEAST.
Fucking Javascript fucking shit up again.
[QUOTE=MightyMax;32392815]Why can't they just leave shit be for fucks sake.[/QUOTE] Because this is how algorithms and encryption evolve. Be happy white hatters found it and not someone with malicious intentions.
[QUOTE=MightyMax;32392815]Why can't they just leave shit be for fucks sake.[/QUOTE] yea man, these guys need to be put in prison for this. How dare they break this shit and then have the audacity to tell the rest of the world, which is full of other hackers ready to exploit it.
[QUOTE=Elizer;32392797]And then they will fix the code.[/QUOTE] they already have
I was going to rage at this until I saw it was found by whitehats.
wait, why would whitehats release the code to essentially hack susceptible websites? [editline]20th September 2011[/editline] I mean, I know they are whitehats, but why release it to the world?
It's a loophole in the code itself, not the method. [quote]“BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection,”[/quote] If they did manage to bypass the SSL algorithm it would not only be a huge announcement decryption wise, but for mathematics as well. Finding large prime numbers with ease is a task not exactly feasible for today's mathematicians.
If this is true, then it's massive. They would have discovered a way to directly break SSL encryption, used by millions of sites, by exploiting algorithm weakness(es). Not an implementation weakness that can be summarily fixed by a patch, and not some Iranian l33t h4Xx0r breaking into incompetent CAs. This could be the real thing. Imagine banks, NGOs, corporations and private individuals all around the internet suddenly having to deal with a major IT security crisis. [img]http://gnarld.com/wp-content/uploads/2011/07/Micheal-Jackson-Thriller-Popcorn-Animated.gif[/img]
[QUOTE=MightyMax;32392815]Why can't they just leave shit be for fucks sake.[/QUOTE] It is how you make things more secure. Like, for example, the massive vulnerability in the way DNS works: if it hadn't been for a security researcher poking around out of boredom, someone who wanted to use it for malicious purposes could have found it. [editline]20th September 2011[/editline] [QUOTE=xxncxx;32393478]wait, why would whitehats release the code to essentially hack susceptible websites? [editline]20th September 2011[/editline] I mean, I know they are whitehats, but why release it to the world?[/QUOTE] Most (all?) whitehats believe in full disclosure; if it's out there it [B]has[/B] to be fixed.
[QUOTE=Sir Whoopsalot;32393425]I was going to rage at this until I saw it was found by whitehats.[/QUOTE] If Blackhats had found the exploit first (they might have done), we wouldn't know, as most Blackhats don't go waving the exploit around; you can't use an exploit if it's known, as it would be fixed before you could have any "fun".
Too bad there were bribed SSL certificates all the time.
And now that it's out there and known to everyone, it will be quickly fixed. Better to hear about it from some white hats than to find out when everyone's Paypal accounts get raided.
IF the browser supported version 1.2 of TLS then we wouldn't have this problem affecting too many people. Though nice that the white hats found it first then released it to the world.
I love whitehats. Honestly, whitehat hackers make me feel incredibly safe, because when I read an article about an exploit that whitehats have discovered and released to the public, then I know that the parties involved will most probably scramble to fix the exploit as fast as humanly possible. If a greyhat or a blackhat had found the exploit, it would most probably stay under the radar for [b]months[/b], being traded amongst underground sites, and the blackhats and greyhats would be able to sit and prey on hapless victims, with the parties involved most likely not even aware that such an exploit exists. Whitehats, I love you. :love:
[QUOTE=Gmod4ever;32405480]I love whitehats. Honestly, whitehat hackers make me feel incredibly safe, because when I read an article about an exploit that whitehats have discovered and released to the public, then I know that the parties involved will most probably scramble to fix the exploit as fast as humanly possible. If a greyhat or a blackhat had found the exploit, it would most probably stay under the radar for [b]months[/b], being traded amongst underground sites, and the blackhats and greyhats would be able to sit and prey on hapless victims, with the parties involved most likely not even aware that such an exploit exists. Whitehats, I love you. :love:[/QUOTE] Grey Hats tend to not give a damn, they're more busy with torrents, no-cd cracks, keygens and the like.
[QUOTE=MightyMax;32392815]Why can't they just leave shit be for fucks sake.[/QUOTE] Think about it, if holes like this weren't discovered then they would be left open.
Well this isn't good. But it'll make for a more secure experience down the road, so hack on brothers.
[QUOTE=Sir Whoopsalot;32393425]I was going to rage at this until I saw it was found by whitehats.[/QUOTE] Maybe hackers with malicious intentions already knew about it. Think about it: it's not as if they are going to go screaming to the world that they have found a major flaw in the most common security, are they? No, they will silently exploit it.
Uhhh... why does nobody support TLS 1.1 or 1.2? They were developed for a reason. Stop being fuck wits and stop using TLS 1.0.
javascript is of the devil
[QUOTE=Primus;32408762]javascript is of the devil[/QUOTE] And your idea to fix the problem is? I'd like to point out that JavaScript plays a huge role in web 2.0.
I honestly don't care who did it. I'd rather have people break security so that we get better security than use the same shitty old security and one day in the future all be surprised when shit hits the fan.
[QUOTE=MightyMax;32392815]Why can't they just leave shit be for fucks sake.[/QUOTE] Imagine a giant keg of beer made from wooden planks. There's a shitton of beer inside it, and everyone gets some from the tap on the front. Everybody is happy because they get beer. But one of the planks making up the barrel is weak, and can be pulled away! A group of whitehat barrelhackers discover how one can easily break the barrel and send the beer spilling everywhere. They make a big deal out of it and go around telling everybody how to break the barrel and ruin the beer for everybody else. The guy who owns the beer barrel is like "oh fuck my beer!" and fixes the weak plank. All the other guys who own barrels of beer learn from his mistake and make sure their barrels don't have weak planks as well. If the whitehat barrelhacks don't discover and publicize the weak plank, nobody would ever know to fix it. One day, blackhat barrelhackers might discover the exploit and not tell anybody, instead going around and spilling all the beer because they're assholes. In the end, nobody gets any beer and the guy who owns the beer barrel is sad because he no longer owns any beer. Which is why whitehats are good. They make sure we can keep drinking our beer.
[QUOTE=AzureAngelic;32409990]Imagine a giant keg of beer made from wooden planks. There's a shitton of beer inside it, and everyone gets some from the tap on the front. Everybody is happy because they get beer. But one of the planks making up the barrel is weak, and can be pulled away! A group of whitehat barrelhackers discover how one can easily break the barrel and send the beer spilling everywhere. They make a big deal out of it and go around telling everybody how to break the barrel and ruin the beer for everybody else. The guy who owns the beer barrel is like "oh fuck my beer!" and fixes the weak plank. All the other guys who own barrels of beer learn from his mistake and make sure their barrels don't have weak planks as well. If the whitehat barrelhacks don't discover and publicize the weak plank, nobody would ever know to fix it. One day, blackhat barrelhackers might discover the exploit and not tell anybody, instead going around and spilling all the beer because they're assholes. In the end, nobody gets any beer and the guy who owns the beer barrel is sad because he no longer owns any beer. Which is why whitehats are good. They make sure we can keep drinking our beer.[/QUOTE] agree x10000 pretty much sums it up, better that this was discovered by a bunch of people who publicized it than some Dr. Evil who would use it to siphon off a lot of money before he got caught.