New BEAST exploit on browsers - High-Def Digest Forums
#1
09-22-2011, 06:24 PM
Snadinator
Senior Member
Thread Starter
Join Date: Dec 2007
Posts: 19,563
New BEAST exploit on browsers

BEAST stands for Browser Exploit attack on SSL/TLS

SSL and TLS are the technologies that secure your connection to a web server by using Public Key Infrastructure, which is a form of asymmetric encryption. Many still call it SSL even though TLS is the right name and the most recent version of TLS is 1.2.

The BEAST can exploit TLS 1.0 and decrypt data. This is particularly worrisome for day-to-day sites we like to trust such as PayPal.

BEAST has to be installed through some JavaScript. Good idea to turn iFrames to prompt at the very least.

In IE: Tools -> Options -> Security tab -> Custom Level -> scroll to "Launching programs in an IFRAME" and select "Prompt", if it is not already set.

Also, disabling everything but TLS 1.1 and 1.2 in your browser is a surefire way to avoid this issue, because when a web server negotiates with your browser on what to use, if your client-side browser only accepts TLS 1.1 and 1.2 handshakes, you won't be exposed to this issue. However, if the web server does not support TLS 1.1 or higher, you will not be able to make the secure connection.

In IE, to disable all but TLS 1.1 and 1.2, go to Tools -> Options -> Advanced tab, and under Security manually disable SSL 2.0, SSL 3.0 and TLS 1.0.
#2
09-22-2011, 06:35 PM
paaron46
Senior Member
Join Date: May 2009
Posts: 3,788

What about Firefox?
__________________
Become a FAN of The Reel Place!

Twitter: @AaronPeck
#3
09-22-2011, 10:42 PM
RM
Senior Member
Join Date: Jun 2007
Posts: 12,430

Quote (Originally Posted by paaron46):
What about Firefox?

Quote:
A quick review of Mozilla's developer website showed no signs that a similar fix is being planned for the Firefox browser.
Source is from 09-21-11 - yesterday.

http://www.theregister.co.uk/2011/09...tch_for_beast/
#4
09-22-2011, 11:30 PM
Snadinator
Senior Member
Thread Starter
Join Date: Dec 2007
Posts: 19,563

I imagine the latest version of Mozilla also supports TLS 1.1 & 1.2. On my upas right now so I can't check. You just want to disable SSL ver 2.0 & 3.0 as well as TLS 1.0.

[Edit] No, only IE9 has TLS 1.1 and 1.2. [/Edit]

Last edited by Snadinator; 09-23-2011 at 08:49 PM.
#5
09-22-2011, 11:33 PM
Snadinator
Senior Member
Thread Starter
Join Date: Dec 2007
Posts: 19,563

I meant on my iPod touch. Damn this small keyboard.

#6
09-23-2011, 05:02 PM
twonunpackmule
Moderator
Join Date: May 2007
Posts: 32,867

Quote (Originally Posted by Snadinator):
I imagine the latest version of Mozilla also supports TLS 1.1 & 1.2. On my upas right now so I can't check. You just want to disable SSL ver 2.0 & 3.0 as well as TLS 1.0.

Firefox has TLS 1.0 and SSL 3.0.

---

Aaron, go to Advanced, then to encryption, then disable the protocols.
__________________
PSN/Live - Twonunpackmule
3DS - 0817 - 4464 - 1180

Any game that features paid loot boxes should be rated AO.
#7
09-23-2011, 08:40 PM
Snadinator
Senior Member
Thread Starter
Join Date: Dec 2007
Posts: 19,563

Quote (Originally Posted by twonunpackmule):
Firefox has TLS 1.0 and SSL 3.0.

---

Aaron, go to Advanced, then to encryption, then disable the protocols.

It looks like right now the only browser that supports TLS 1.1 and 1.2 is IE9. Ridiculous if you ask me. If you disable SSL 3.0 and TLS 1.0 in Firefox, then you won't be able to handshake with a web server that is secured through a web certificate at all.

Ever since IE8 I have left other browsers and I'm glad I did.
#8
09-23-2011, 08:48 PM
Snadinator
Senior Member
Thread Starter
Join Date: Dec 2007
Posts: 19,563

Anyhow, not much anyone can do right now as most major sites like PayPal only support TLS 1.0 and lower. The lazy bastards are getting their just deserts as TLS 1.2 has been about for quite a while now. If you use IE and disable all but TLS 1.1 and 1.2, you can't even access PayPal as it cannot handshake. Methinks some of these guys are going to be putting in the long hours to fix their web servers.

The whole of the internet needs to wake up and get proactive about IT security. It's a big fucking joke. They avoid it because of a short-sighted approach that it doesn't correlate to the bottom line... more money spent on security doesn't yield more income. The problem is that you can lose significant income and be liable to lawsuits if you don't take the proactive approach and protect your customers.

My suggestion is to just make sure you have IFRAME set to prompt, as those can use cross-site scripting to install malicious software on your PC, including the JavaScript required for BEAST.

Last edited by Snadinator; 09-23-2011 at 09:04 PM.
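As an added illustration (not code from any post in this thread), the following Python script models the protocol version negotiation Snadinator describes in posts #1, #7 and #8: each side enables a set of versions, the handshake settles on the highest version both enable, and when there is no overlap the connection simply fails, which is the "cannot handshake" outcome reported for PayPal and Facebook. It also shows the programmatic counterpart of unticking SSL 2.0/3.0/TLS 1.0 in the browser dialog, using Python's standard `ssl` module. The server profiles are constructed for illustration and are not measurements of any real site.

```python
"""Model of TLS version negotiation as discussed in the thread, plus a
client context with old protocol versions disabled.
Added example; not code from the forum thread or any browser vendor."""
import ssl

# Protocol versions from oldest to newest. BEAST (2011) applies to TLS 1.0
# and earlier; TLS 1.1 changed the CBC IV handling that BEAST relies on.
VERSION_ORDER = ["SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]
BEAST_EXPOSED = {"SSL 2.0", "SSL 3.0", "TLS 1.0"}


def negotiate(client_versions, server_versions):
    """Return the highest version both sides enable, or None when there is
    no overlap (the 'cannot handshake' case described in the thread)."""
    common = set(client_versions) & set(server_versions)
    for version in reversed(VERSION_ORDER):
        if version in common:
            return version
    return None


def assess(client_versions, server_versions):
    """Summarise the outcome of one client/server pairing as a string."""
    version = negotiate(client_versions, server_versions)
    if version is None:
        return "handshake fails: no common protocol version"
    if version in BEAST_EXPOSED:
        return f"connects with {version}: exposed to BEAST"
    return f"connects with {version}: not exposed to BEAST"


# Constructed server profiles (hypothetical; not any real site's configuration).
SERVERS = {
    "legacy-server (SSL 3.0 + TLS 1.0 only)": ["SSL 3.0", "TLS 1.0"],
    "updated-server (TLS 1.0 through 1.2)": ["TLS 1.0", "TLS 1.1", "TLS 1.2"],
}
DEFAULT_CLIENT = ["SSL 3.0", "TLS 1.0"]   # the 2011 Firefox default noted in post #6
HARDENED_CLIENT = ["TLS 1.1", "TLS 1.2"]  # the IE setting recommended in post #1


def compare_clients(servers=SERVERS):
    """Outcome table: {server name: (default client result, hardened client result)}."""
    return {
        name: (assess(DEFAULT_CLIENT, offered), assess(HARDENED_CLIENT, offered))
        for name, offered in servers.items()
    }


def hardened_client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Build a client-side SSLContext that refuses anything below `minimum`.
    This is the programmatic equivalent of the browser dialog setting. The
    default here is TLS 1.2; pass ssl.TLSVersion.TLSv1_1 to mirror the
    thread's exact choice of allowing TLS 1.1 and 1.2 only."""
    ctx = ssl.create_default_context()  # certificate and hostname verification on
    ctx.minimum_version = minimum
    return ctx


if __name__ == "__main__":
    for server, (default_out, hardened_out) in compare_clients().items():
        print(f"{server}\n  default client : {default_out}\n  hardened client: {hardened_out}")
    print("hardened context minimum version:", hardened_client_context().minimum_version.name)
```

Running the script prints the trade-off the thread argues about: against the legacy server profile the default client connects over TLS 1.0 (exposed), while the hardened client cannot connect at all; against the updated server profile the hardened client negotiates TLS 1.2. The fix on the client side only helps once the server side enables the newer versions.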
#9
09-24-2011, 02:09 AM
cardpetree
Senior Member
Join Date: May 2007
Posts: 2,162

I don't even know what any of this shit means but I just did it.

Edit:

Quote (Originally Posted by twonunpackmule):
Firefox has TLS 1.0 and SSL 3.0.

---

Aaron, go to Advanced, then to encryption, then disable the protocols.

Wasn't able to get on Facebook when I did this.

#10
09-24-2011, 02:49 AM
cardpetree
Senior Member
Join Date: May 2007
Posts: 2,162

Question: I've been using Firefox and even though I've got pop ups blocked, I still get one annoying pop up when I go to like every other page. How do I fix that?