Secure Socket Layers and Transport Layer Security (SSL/TLS) is the foundation of Web security. Banks, travel booking sites, social networks like Facebook and Twitter, email services and a plethora of other industries built their security based on the fact that it is very hard to crack SSL. Yet, a group of researchers has figured out how to do just that.
SSL encryption protects data in transit from the client to the server. This communication happens very rapidly and the encryption effectively makes a secure tunnel for information. The researchers that have cracked SSL used a vulnerability that until now was considered only a theory. Like wormholes.
Researchers Thai Duong and Julinao Rizzo essentially slipped a Trojan Horse into the SSL communication between the server and the client that decrypts the information, according to The Register. Instead of cracking or forging digital certificates, as has been seen with the recent DigiNotar controversy, the SSL hack goes straight to the heart of how it works.
Duong and Rizzo have created a proof of concept that they call BEAST. The demonstration they use is the decryption of an authentication cookie used to access a PayPal account. The hack penetrates the HTTPS communication and sniffs the data in transit.
The researchers created BEAST from a plaintext-recovery attack. That breaks down a supposed weakness in TLS by guessing the encryption used for blocks of data or packets that are encrypted along the data string. If the first block can be decrypted, then the hacker has the tools to attack the rest of them.
The Register points out that each byte of an encrypted cookie takes about two seconds to breakdown. That is an eternity and makes a long data string difficult to break down quickly. Hence, hackers would need either great patience or have very specific targets in mind. That shows that this SSL decryption is not for the faint-of-heart bad guy but those that are extraordinarily diligent in getting the information they desire.
The SSL vulnerability only works on SSL version 1.0. Versions 1.1 and 1.2 are not affected. That does not really mean anything since almost nobody on the Web has the capability to support versions 1.1 or 1.2. SSL/TLS is notoriously hard to implement and each successive iteration breaks all compatibility with the previous version. That makes updating SSL cumbersome, time consuming and expensive. Almost no entity on the Web uses anything past version 1.0.
Now that researchers have cracked one version, their methodology will be used by those who truly wish to steal information. The motivated always find a way. Web engineers will soon have no recourse but to band together to upgrade SSL across the Internet.