Conventional thinking says that it would take a beast of a program to break through the encryption spit out by the SSL/TLS protocol – that’s why it’s found in so many websites and browsers these days. Unfortunately, a pair of researchers say they’ve whipped up just such a program in the form of BEAST, or “Browser Exploit Against SSL/TLS,” and they plan on showing it off this Friday at the Ekoparty security conference. At least one company’s taking the threat seriously; Google plans on rolling out a Chrome update designed to confuse the BEAST and defend against its threat.
Rather than upgrade the browser to the more modern – and BEAST-invulnerable – TLS 1.1 or 1.2, Google’s workaround involves chopping data up into fragments to stymie the chosen plaintext recovery attack used by BEAST, The Register reports. The randomness should make it much more difficult for BEAST-style attacks to occur, since BEAST uses the plaintext data from one encrypted block to help decrypt the next one. The fix is already available in the developer’s version of the browser, and only involves 20 extra lines of code.
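Why fragmenting helps, as an added toy model that is not code from the article, the researchers or Chrome: it assumes CBC records whose IV is the last ciphertext block of the previous record (the TLS 1.0 behaviour), a split into one byte followed by the rest, and an HMAC-based stand-in for the block cipher. `ToySender`, `guess_confirmed` and `SECRET` are hypothetical names.

```python
import hashlib, hmac, os

BLOCK = 16

def E(key, block):
    # Stand-in for the block cipher (assumption): a keyed PRF cut to one block.
    # Encrypt-only is enough here, the check below only compares ciphertext blocks.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToySender:
    """TLS 1.0 style CBC records: the IV of a record is the last ciphertext
    block of the record before it, so it is visible on the wire in advance."""
    def __init__(self, split):
        self.key, self.mac_key = os.urandom(16), os.urandom(16)
        self.iv, self.seq, self.split = os.urandom(BLOCK), 0, split

    def _record(self, data):
        msg = self.seq.to_bytes(8, "big") + data
        tag = hmac.new(self.mac_key, msg, hashlib.sha256).digest()[:BLOCK]
        self.seq += 1
        body = data + tag                   # MAC-then-encrypt, as in TLS CBC suites
        pad = BLOCK - len(body) % BLOCK
        body += bytes([pad - 1]) * pad      # TLS-style padding bytes
        blocks = []
        for i in range(0, len(body), BLOCK):
            self.iv = E(self.key, xor(body[i:i + BLOCK], self.iv))
            blocks.append(self.iv)
        return blocks

    def send(self, data):
        if self.split and len(data) > 1:    # fragmenting: 1 byte, then the rest
            return self._record(data[:1]) + self._record(data[1:])
        return self._record(data)

def guess_confirmed(sender, secret, guess):
    """True if an on-path observer who can inject chosen plaintext can verify
    a guess for a 16-byte secret block by comparing ciphertext blocks."""
    iv_then = sender.iv                     # IV used for the secret's record
    target = sender.send(secret)[0]
    iv_now = sender.iv                      # IV the next record will use
    probe = xor(xor(guess, iv_then), iv_now)
    return sender.send(probe)[0] == target

SECRET = b"sessionid=A1B2C3"                # constructed sample value, 16 bytes
```

Without the split, a correct guess reproduces the target ciphertext block; with it, the first block of every record mixes one data byte with MAC bytes the observer cannot predict, so the comparison no longer lines up.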
The change is a nifty tactic by Google; it (theoretically) protects Chrome against the (supposed) danger of BEAST attacks, while simultaneously allowing the browser to keep its TLS 1.0 support. Upgrading to TLS 1.1 or 1.2 could break the scads of TLS 1.0 applications found across the Web.