The attack breaks the confidentiality model of the protocol and is the first known exploitation of a long-known flaw in TLS, potentially affecting the security of transactions on millions of sites.
In order to execute their attack, Rizzo and Duong use BEAST (Browser Exploit Against SSL/TLS) against a victim who is on a network on which they have a man-in-the-middle position.
It looks as though this requires loading Javascript into the clients browser while they are on the encrypted site. How does that happen?
As far as I can see, the solution is to not open encrypted and unencrypted connections in the same browser at the same time.
aspdaddy
3:12 pm on Sep 20, 2011 (gmt 0)
Silly question but does this affect SSL ciphers using keys of 128 bits or more?
It looks like it only works when the users network has already been compromised by man-in-the-middle, so they have a lot more to worry about than TLS flaws!
