Reference: CERT-EU Security Advisory 2011-0005

Title: Background information about the recent "BEAST attack on SSL / TLS"

Version history:
27.09.2011 Initial publication
27.09.2011 Link to Microsoft Security Advisory (2588513) added
12.01.2012 Link to Microsoft Bulletin and patch notification added[9]

Summary
=======
Two security researchers demonstrated[1] an attack that recovers HTTP "cookies"
sent over encrypted SSL and TLS connections; such cookies sometimes store
credentials (for example, for Google or Facebook) to keep a user logged in.

The attack received a lot of media attention. This advisory aims at explaining
what a potential attacker would need to do for a successful attack, and what
can/must be done to mitigate it.

Potential impact
================
The attack allows an attacker to decrypt parts of the cookie that identify the
user and, as a consequence, gain access to restricted accounts (Paypal was
used as an example). The attack was carried out by a tool called BEAST, which
is, at the time of this writing, not publicly available.


Quick background of the vulnerability
=====================================
The flaw used in the proof of concept has been known for almost 10 years[3]
and was described in detail in two papers by Gregory V. Bard[4]. It affects
SSL 2.0, SSL 3.0 and TLS 1.0 cipher suites that use Cipher Block Chaining (CBC)
mode, including popular ones based on AES and Triple-DES.

This vulnerability was already addressed in 2006 in TLS 1.1[5], but libraries
in most popular products still use the 1.0 version of the protocol for
compatibility reasons. Some web browsers even still support the 12-year-old
SSL 3.0 specification in addition to TLS, which is also vulnerable.

Note that SSL 2.0 is vulnerable as well, but this version should not be used
anymore and therefore should already be disabled in your environment.
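As an added illustration (not part of the CERT-EU advisory), the following Go program builds a toy AES-CBC record layer and shows the property referred to above: with the TLS 1.0 chained IV, an observer who can get one block of its own choosing encrypted can confirm or refute a guess for an earlier plaintext block, whereas with the per-record random IV introduced in TLS 1.1 the same comparison reveals nothing. All function names and the sample "session" block are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newSender returns a toy CBC record encryptor (MAC and padding omitted, one
// 16-byte block per record) using the IV rule of TLS 1.0 (chained=true: the IV
// is the previous ciphertext block) or TLS 1.1 (chained=false: fresh random IV).
func newSender(chained bool) func(plain []byte) (iv, ct []byte) {
	key, last := make([]byte, 16), make([]byte, aes.BlockSize)
	rand.Read(key)
	rand.Read(last) // first IV; public on the wire in both protocol versions
	blk, _ := aes.NewCipher(key)
	return func(plain []byte) (iv, ct []byte) {
		iv, ct = make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
		if chained {
			copy(iv, last)
		} else {
			rand.Read(iv)
		}
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, plain)
		last = ct
		return iv, ct
	}
}

// guessConfirmed: an observer saw (iv1, ct1) for a secret block and then gets one
// chosen block encrypted. With a predictable next IV (TLS 1.0: it is ct1) the new
// ciphertext equals ct1 exactly when guess == secret; with TLS 1.1 it never does.
func guessConfirmed(chained bool, secret, guess []byte) bool {
	send := newSender(chained)
	iv1, ct1 := send(secret)
	chosen := make([]byte, aes.BlockSize)
	for i := range chosen { // guess XOR iv1 XOR predicted next IV (ct1)
		chosen[i] = guess[i] ^ iv1[i] ^ ct1[i]
	}
	_, ct2 := send(chosen)
	return bytes.Equal(ct1, ct2)
}

func main() {
	s, w := []byte("session=01234567"), []byte("session=76543210") // constructed sample blocks
	fmt.Println("TLS 1.0:", guessConfirmed(true, s, s), guessConfirmed(true, s, w))   // true false
	fmt.Println("TLS 1.1:", guessConfirmed(false, s, s), guessConfirmed(false, s, w)) // false false
}
```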


Mitigating factors
==================
* the attacker needs to be in the same (physical) network, which makes public
WLANs more susceptible to attacks,
* the attacker needs to become a "man-in-the-middle"[2] to intercept the
victim's connection to the server and communicate with it in the victim's
context,
* both the victim's browser and the server must use a TLS version below 1.1.


What can you do?
================
The attack is no longer theoretical; however, it requires a sophisticated
attacker in a (high-bandwidth) man-in-the-middle position to carry it out.

As much as possible, make your users aware of the dangers (see below) and
deploy web browsers in your institutions that support at least TLS 1.1.

If you run web-based services in your institution that make use of SSL/TLS
and you are not able to upgrade the system(s), some security researchers
recommend (as a workaround) switching to a non-CBC cipher like RC4 as the
preferred cipher and ensuring that the server's cipher preference is honoured
instead of the client's[6].
Urge (if appropriate) the suppliers of web-based services to upgrade their
servers to TLS 1.1 or TLS 1.2.

For an overview of which product uses which library version, please refer
to [7].

Microsoft issued a security advisory, including more information on
workarounds and mitigations for their products.[8]

NEW: In the January 2012 patch round, Microsoft published a patch that should
remove the vulnerability in MS products.[9]


What to tell your users?
========================
Normal security good practices apply. In particular, tell your users not to use
restricted accounts (like eBanking sites, shopping sites, etc.) in public
networks or, if possible, in networks to which other (unknown) users may
connect.


More information
================
[1] http://www.ekoparty.org/2011/juliano-rizzo.php
[2] Wikipedia background article
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
[3] First posting on openssl-dev
http://www.mail-archive.com/openssl-dev@openssl.org/msg10664.html
[4] Papers by Gregory V. Bard http://eprint.iacr.org/2004/111.pdf
http://eprint.iacr.org/2006/136.pdf
[5] RFC4346 TLS 1.1 http://tools.ietf.org/html/rfc4346
[6] Slaying the BEAST: Mitigating ...
http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php
[7] SSL/TLS Hardening and compatibility report 2011
http://blog.g-sec.lu/2011/09/ssltls-hardening-and-compatibility.html
[8] Microsoft Security Advisory (2588513)
https://technet.microsoft.com/en-us/security/advisory/2588513
[9] Microsoft Security Bulletin Summary for January 2012
http://technet.microsoft.com/en-us/security/bulletin/ms12-jan