SSL creator slays BEAST

By on
SSL creator slays BEAST

Hackers have "better things to do".

The inventor of SSL has labelled recent research into vulnerabilities in the SSL/TLS code as "over-sold".

The former secure sockets layer (SSL) champion at Netscape, Taher Elgamal, said the Browser Exploit Against SSL/TLS code (BEAST) was "powerful more than necessary".

Researchers Thai Duong and Juliano Rizzo revealed a vulnerability in versions 1.0 and earlier of TLS which allowed attackers to silently decrypt data that passed between a webserver and an end-user browser.

Duong and Rizzo had defeated SSL by breaking the underlying encryption it used to prevent sensitive data from being intercepted. They had used a JavaScript application and network sniffer to decrypt cookies.

But Elgamal said attackers would have "better things to do" than copy the exploit.

“If I can put malware on a machine, why should I read SSL?," he said.

"There is no issue with TLS 1.1 and everyone should be using the latest technologies, but the way this was published is so brash, it is so smart technically, but if I were an attacker I would have better things to do with my malware than read what people are doing, so why bother?”

Elgamal said the exploit was "technically clever" but it was "very over-sold".

“Trillion-dollar companies are worth going after and I am not defending the hackers, but these issues should be taken care of; this was over-marketed and that bothers me,” he said.

He said the unaffected TLS version 1.1 needs to be adopted by more users.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?