"Holy [Insert Expletive Here]! Et Tu, SSL?"
Published 2016-09-25 (last modified 2019-04-17) at https://hidefideas.com/blog/2016/09/25/holy-insert-expletive-here-et-tu-ssl/

[Image: "Danger, Will Robinson"]

In a world where the only thing standing between us and the spammers, phishers and hackers is a little piece of tunneling security that keeps IT admins dreaming about warm and snuggly things, the idea of that security being breached is a beastly demon no one could have envisioned. Unfortunately, the pleasant dreams are over and the BEAST is a nightmare that will rock the Internet world, and warm milk ain't gonna fix this one, folks.

When I go to sleep at night, I do it with the comforting belief that when I awake in the morning and put my feet on the floor, there will be a floor underneath me. In much the same way, I traverse the web knowing full well that my surfing habits, private information and transactions are snugly tucked away inside a warm blanket of encryption known as SSL/TLS. So when the floor gets yanked out from underneath my feet, you can understand how I might get a little pissed off. And that's exactly how I felt this morning when I discovered that the floor that protected me from the creeps has begun to sway, as if I had just spent Saturday night at the pub and the floor wasn't particularly happy about it.

If you want to share the experience, look no further than The Register, which is reporting (http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/) that at the Ekoparty security conference in Buenos Aires last week, researchers Thai Duong and Juliano Rizzo unveiled their work, BEAST (short for Browser Exploit Against SSL/TLS), which attacks TLS and SSL, the protocols that heretofore kept us warm at night. BEAST is a nifty piece of JavaScript that works alongside a network sniffer to decrypt user account cookies and gain access to restricted user accounts. Yes, you heard it right.

Sing Along: It's the End of the World as We Know It... Or Is It?

Duong and Rizzo made news last year when they unveiled a point-and-click tool (http://www.theregister.co.uk/2010/06/08/padding_oracle_attack_tool/) that exposes private information and executes arbitrary code. According to Duong, the demo decrypted an authentication cookie used to access a PayPal account. Exploiting SSL and TLS this way is not actually a new idea; it was conceived back in 2002 (http://www.mail-archive.com/openssl-dev@openssl.org/msg10664.html), but for years it was considered theoretical at best, until now. Duong noted in an email published by The Register that "BEAST is different than most published attacks against HTTPS. While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests."

In case you're wondering how many canned goods you have in the pantry, worry not: it's not yet time to strip naked and run through the streets proclaiming the end of the world. "The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust," The Register reports.

It's not all good news, though. "Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting."

Furthermore, independent security analyst Trevor Perrin writes, "BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection. If the attack works as quickly and widely as [Duong and Rizzo] claim, it's a legitimate threat."

Note: Those who run a web server and who may be concerned about security should modify the servers to favor the rc4-sha cipher, which is widely supported and not vulnerable to the attack unveiled by Duong and Rizzo.

Time to Call Some People Out

It's being reported (http://nakedsecurity.sophos.com/2011/09/24/secure-web-browsing-cracked-by-beast/) that "Duong and Rizzo tipped off the major browser vendors about their findings months ago but so far the only response appears to have come from the folks at Chrome. A fix for the attack is currently under test in the development version of their browser."

REALLY? Shame on you, browser makers. Not surprisingly, two days after The Register first published their article, Google released a developer version of its Chrome browser designed to thwart the attack.

Time to go and huddle in a corner. Now, where did I put that tin foil hat?

Categories: humor, security, spam. Tags: allspammedup, bot, botnet, malware, spam.