Is BEAST Still a Threat?

Ivan Ristic

Last updated on: December 23, 2022

Yesterday I changed the SSL Labs rating criteria to stop penalizing sites that do not implement server-side mitigations for the BEAST attack. That means that we now consider this attack sufficiently mitigated client-side, but, there are still some things you should now.

What is BEAST?

TLS 1.0 and earlier protocols suffer from a serious flaw: the Initialization Vector (IV) blocks that are used to mask data (plaintext) prior to encryption with a block cipher can be predicted by an active man-in-the-middle (MITM) attacker. IVs are used to prevent encryption from being deterministic; without them, every time you encrypt the same block of data with the same key, you get the same (encrypted) output. This is highly undesirable. A clever attacker who can 1) predict IVs, 2) see what encrypted data looks like, and 3) influence what is encrypted, is then able to make guesses about what plaintext looks like. Technically, he cannot decrypt any data, but he can find out if his guesses are right or wrong. With enough guesses, any amount of data can be uncovered.

This is a highly condensed explanation of the problem. If you care about the details, I suggest that you start with my previous post on this topic, and follow the links provided there.

Because guessing is not very efficient, the BEAST attack can in practice used to retrieve only small data fragments. That might not sound very useful, but we do have many highly valuable fragments all over: HTTP session cookies, authentication credentials (many protocols, not just HTTP), URL-based session tokens, and so on. Therefore, BEAST is a serious problem.

Mitigation status

BEAST is purely a client-side vulnerability. Since it had been released to the public, most major browsers addressed it using a technique called 1/n-1 split. This technique stops the attacker from predicting IVs and effectively addresses the underlying problem.

But one platform held back—Apple’s. We know little about their intentions, because there hasn’t been any official communication on this topic. My understanding is that the 1/n-1 split was incorporated in the Mountain Lion release, but that it is disabled by default. Also, as far as I am aware, the split is not in use on iOS either.

Without Apple addressing the BEAST attack, there’s a substantial chunk of users that are still potentially vulnerable. For this reason, at the beginning of this year, SSL Labs started penalizing all sites that do not incorporate server-side mitigations against the attack.

Unfortunately, the only way to mitigate the BEAST attack is to enforce the use of RC4 suites whenever TLS 1.0 and earlier protocols are used (which is most of the time at this point). I say “unfortunately”, because very shortly after we had started requiring server-side mitigations, new research about RC4 came out and we found out that this cipher was much weaker than previously thought. The weaknesses were not of immediate concern, but it was clear that RC4 was on the way out.

The situation became uncomfortable because we couldn’t solve both problems, but also because both issues were of roughly the same risk. (Low.) Still, the end result was clear: RC4 affects everyone and cannot be mitigated; BEAST affects only a part of the user base and there isn’t a workable exploitation path for it any more (we hoped). In addition, we knew that attacks against RC4 were going to get better; and that the attack surface vulnerable to BEAST likely to get smaller.

Is BEAST still a threat?

From this conclusion, the work that remained was to prove that the exploitation path used by BEAST was genuinely closed. We had no reliable information about that, and so I set out to test a bunch of browsers running on various platforms, read source code where available, and attempt to exploit BEAST myself.

The research required a lot of effort and time, mostly because I did not want just to run the existing exploit; I wanted to fully understand the attack as well as explore other potential attack vectors. Juliano and Thai (BEAST authors) have been very helpful answering my questions about their choices. I had detours, some because of real problems, some because of my mistakes. For a long time I thought BEAST was still exploitable because, to my great surprise, I discovered that the Same-Origin Policy (SOP) bypass that was used for BEAST still existed. Apparently, the fix for that problem was botched. Using this bypass, a MITM can still use a Java applet to instrument a victim’s browser to encrypt arbitrary plaintext and send it to arbitrary hosts.

Fortunately, there have been many changes to how applets work since BEAST was originally discovered. For example, there are now always warnings before an applet is started. In my testing, the Java plug-in had no ability to access HttpOnly cookies; it couldn’t even send them in a request, or receive any of them back. Most importantly, HTTPS request made by applets are encrypted using Java’s TLS stack, not that of the host browser. Because Java does implement the 1/n-1 split, BEAST cannot be exploited.

Epilogue

Even though SSL Labs no longer penalizes sites that do not implement server-side BEAST mitigation, the problem remains for as long as we have a major browser without the fix. Although I don’t believe that the problem is exploitable today, there might be other attack vectors we are not aware of. A new feature added to Safari could make it exploitable again tomorrow. Or, someone with more time on their hands could prove me wrong. For this reason, we need a healthy security margin, and we need Safari to implement the 1/n-1 split by default.

By the way, supporting TLS 1.1 and 1.2 does not actually address BEAST now or in the near future, even though these protocols do not have the predictable IV weakness that’s exploited by the attack. The first problem is that most of the Internet still relies on TLS 1.0. Only about 18% of the servers tracked in SSL Pulse support TLS 1.2 today. Thus, even though the next generation of web browsers will all support TLS 1.2, it’s going to take a while until the servers are upgraded.

But there is also the second issue, which is that all major browsers are susceptible to protocol downgrade attacks; an active MITM can simulate failure conditions and force all browsers to back off from attempting to negotiate TLS 1.2, making them fall back all the way down to SSL 3. At that point, the predictable IV design is again a problem. Until the protocol downgrade weakness is fixed, newer protocols are going to be useful only against passive attackers, but not against the active ones.

Show Comments (10)

Comments

Your email address will not be published. Required fields are marked *

  1. In Safari 6 / iOS 6.0.1 and Safari 7 / OS X 10.9 the first two preferred ciphers are:

    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

    These ciphers only work on TLS 1.2, so if these ciphers are preferred on the server, then Safari should use TLS 1.2.  Since TLS 1.2 is not vulnerable to BEAST, this should mitigate the BEAST attack for the Safari versions mentioned above (without RC4).

    As mentioned in the article, this will only work if the server supports TLS 1.2.

  2. Hello there.

    i’m using nginx/1.4.1 on my server. I successfully graduated to A but still wondering why the beast is not covered.

    here is my configuration

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

              ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;

            ssl_prefer_server_ciphers on;

    And my results : https://www.ssllabs.com/ssltest/analyze.html?d=icnseo.com

    Any ideas or suggestions ?

    Kind regards.

    1. I suspect that the only server-side BEAST mitigation that the test would be sure to pick up, would be disabling of TLS 1.0.  Since Firefox is finally starting to support 1.1, this might soon be a realistic option, if you can persuade your users to update their browsers.  Until then, there may not be much more mitigation possible.

  3. What is mentioned here is major browsers. It comes to mind for me that a potential attack is a custom-developed client that acts as a browser, and is used in the main-stream but is not considered a browser. Is beast a threat if the client development doesn’t specifically mitigate it?

    1. It depends on how the custom client is implemented. For example, today, a custom client might support TLS 1.2 by default, which means that BEAST is not a threat. All browsers use to implement fallbacks to TLS 1.0, today only some do. So if the custom client also falls back to TLS 1.0, then it might be vulnerable to BEAST. But, generally speaking, BEAST requires a lot of work to exploit.

  4. This article is annotated as updated in December 2022 but the information in it is clearly out of date – TLS 1.1 is a no-no for a good long while now and SSL3 is long forgotten – yet ssllabs report links to this article, doing more to confuse its users than to clear things up.