Breaking the Internet: Researchers Successfully Hack SSL

Secure Sockets Layer and Transport Layer Security (SSL/TLS) are the foundation of Web security. Banks, travel booking sites, social networks like Facebook and Twitter, email services and a plethora of other industries built their security on the fact that it is very hard to crack SSL. Yet a group of researchers has figured out how to do just that.

SSL encryption protects data in transit from the client to the server. This communication happens very rapidly, and the encryption effectively makes a secure tunnel for information. The researchers who have cracked SSL used a vulnerability that until now was considered only a theory. Like wormholes.

Researchers Thai Duong and Juliano Rizzo essentially slipped a Trojan Horse into the SSL communication between the server and the client that decrypts the information, according to The Register. Instead of cracking or forging digital certificates, as was seen in the recent DigiNotar controversy, the SSL hack goes straight to the heart of how the protocol works.

Duong and Rizzo have created a proof of concept that they call BEAST. The demonstration they use is the decryption of an authentication cookie used to access a PayPal account. The hack penetrates the HTTPS communication and sniffs the data in transit.

The researchers built BEAST on a plaintext-recovery attack. It exploits a supposed weakness in TLS by guessing the encryption used for the blocks of data, or packets, that are encrypted along the data string. If the first block can be decrypted, then the hacker has the tools to attack the rest of them.

The Register points out that each byte of an encrypted cookie takes about two seconds to break down. That is an eternity and makes a long data string difficult to break down quickly. Hence, hackers would need either great patience or very specific targets in mind. That shows that this SSL decryption is not for the faint-of-heart bad guy but for those who are extraordinarily diligent in getting the information they desire.

The SSL vulnerability only works on SSL version 1.0. Versions 1.1 and 1.2 are not affected. That does not really mean anything, since almost nobody on the Web has the capability to support versions 1.1 or 1.2. SSL/TLS is notoriously hard to implement, and each successive iteration breaks all compatibility with the previous version. That makes updating SSL cumbersome, time-consuming and expensive. Almost no entity on the Web uses anything past version 1.0.

Now that researchers have cracked one version, their methodology will be used by those who truly wish to steal information. The motivated always find a way. Web engineers will soon have no recourse but to band together to upgrade SSL across the Internet.
