

Tor and the BEAST SSL attack - xtacy
https://blog.torproject.org/blog/tor-and-beast-ssl-attack

======
throwaway32
Slightly OT, but this is a perfect reason to regard javascript crypto as
dangerous. If one of the most heavily scrutinized cryptographic protocols can
have what is, in retrospect, a fairly obvious flaw (WEP fell to a very similar
predictable IV attack), the average developer does not stand a chance of
getting it right implementing it from scratch in an environment they do not
have strong control over.

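The "predictable IV" flaw referred to above is worth seeing in code. The following is an added example, not code from the thread, from Tor, or from any browser: it simulates TLS 1.0-style CBC, where the IV of each record is the last ciphertext block of the previous record, and runs the BEAST blockwise chosen-plaintext attack against it, then shows that splitting records (the first byte sent as its own record, as in the 1/n-1 mitigation) stops it. Assumptions: a 4-round Feistel permutation built on HMAC-SHA256 stands in for AES (the attack never inverts the cipher); padding is zero bytes and there is no MAC; the attacker reads `session.iv` directly, which is equivalent to watching the ciphertext on the wire; `victim_send` models attacker-controlled JavaScript making the browser encrypt a chosen prefix followed by a secret such as a cookie; the secret value is constructed for the demo.

```python
"""BEAST-style chained-IV CBC attack and record-splitting mitigation (added toy example)."""
import hashlib
import hmac
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES (assumption): a 4-round Feistel permutation on 16-byte
    blocks with HMAC-SHA256 round functions. The attack only needs encryption."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class ChainedCbc:
    """TLS 1.0-style CBC: the IV of each record is the last ciphertext block of
    the previous record, so a network attacker knows the next IV in advance."""

    def __init__(self, key: bytes, iv: bytes, split_records: bool = False):
        self.key = key
        self.iv = iv
        self.split_records = split_records  # 1/n-1 style mitigation when True

    def _encrypt_record(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0
        out = b""
        for i in range(0, len(plaintext), BLOCK):
            self.iv = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], self.iv))
            out += self.iv
        return out

    def send(self, plaintext: bytes) -> bytes:
        plaintext += b"\x00" * (-len(plaintext) % BLOCK)  # simplified padding, no MAC
        if not self.split_records:
            return self._encrypt_record(plaintext)
        # Record splitting: the first byte goes out as its own padded record, so a
        # 16-byte attacker-chosen block is never encrypted as a unit under an IV
        # the attacker knew when choosing it.
        head = self._encrypt_record(plaintext[:1] + b"\x00" * (BLOCK - 1))
        rest = plaintext[1:]
        rest += b"\x00" * (-len(rest) % BLOCK)
        return head + self._encrypt_record(rest)


def beast_recover(session: ChainedCbc, secret_len: int, victim_send) -> bytes:
    """Recover the secret byte by byte. victim_send(prefix) makes the victim encrypt
    prefix + secret on `session`; the attacker sees every ciphertext block."""
    recovered = b""
    for idx in range(secret_len):
        pad_len = (BLOCK - 1 - idx) % BLOCK            # target byte lands last in its block
        prefix = b"A" * pad_len
        known = (prefix + recovered)[-(BLOCK - 1):]    # the 15 bytes before the target
        target_block = (pad_len + idx) // BLOCK
        iv_before = session.iv                         # last block seen on the wire
        ct = victim_send(prefix)
        blocks = [iv_before] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        c_prev, c_target = blocks[target_block], blocks[target_block + 1]
        found = None
        for guess in range(256):
            # E(K, chosen xor current_iv) == c_target  iff  known||guess == target plaintext
            chosen = xor(known + bytes([guess]), xor(c_prev, session.iv))
            if session.send(chosen) == c_target:
                found = guess
                break
        if found is None:                              # no guess matched: attack defeated
            break
        recovered += bytes([found])
    return recovered


SECRET = b"session=deadbeefcafe01"  # constructed sample secret (e.g. a cookie value)


def demo(split_records: bool) -> bytes:
    key, iv = os.urandom(16), os.urandom(16)
    session = ChainedCbc(key, iv, split_records)
    victim_send = lambda prefix: session.send(prefix + SECRET)  # attacker-driven request
    return beast_recover(session, len(SECRET), victim_send)


if __name__ == "__main__":
    print("chained IV, no splitting:", demo(False))   # full secret recovered
    print("with record splitting:   ", demo(True))    # nothing recovered
```

The recovery loop is the whole attack: because the attacker knows the IV before choosing the next plaintext, it can cancel the chaining and ask the victim to re-encrypt a guessed block under the same effective input as the block holding the secret byte, at a cost of at most 256 tries per byte. The mitigation does not change the cipher; it only denies the attacker a full chosen block under a known IV.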
~~~
marshray
I generally oppose doing crypto in Javascript, but I'm not so sure that this
bug is a good argument for that position. You realize you're taking two
extremely unsettled debates and combining them, don't you? :-)

* We will probably never get to a point where everyone agrees on the exact severity of the BEAST exploit, simply because all of the parties are defining "severity" from their own perspective. The best we can hope for is that enough fixes get put in place that nobody (else) gets pwned by it in the real world.

* Yes, "average developer does not stand a chance of getting it right". Professional crypto engineers don't always get everything right (often only understood after many years).

* But I personally object to the "hands off ye mortals crypto is only for the Gods" argument. People should be able to hack on whatever they want without being ridiculed. What we need to be vigilant about is the security claims being made on the result! The only thing worse than amateur crypto in amateur packaging is broken (or backdoored) crypto in professional packaging.

* Ptacek gives good reasons Javascript crypto is a bad idea: <http://www.matasano.com/articles/javascript-cryptography/> My own summary is simply:

A. The server provides a vastly more stable and secure environment for
performing sensitive crypto operations. Yes, really. There are attacks with
CVE numbers and careful code patches in OpenSSL that have to be completely
ignored by Javascript crypto advocates simply because they have no mitigation
there.

B. Almost all reasons people give for wanting to do crypto on the client side
in Javascript don't hold up under scrutiny. It usually turns out that the
person advocating it is being optimistic because he doesn't really understand
his attacker's capabilities very well.

------
anon1385
Nothing to worry about:

<http://news.ycombinator.com/item?id=3015995> _I happen to know the details of
this attack since I work on Chrome's SSL/TLS stack._ _Fundamentally there's
nothing that people should worry about here. Certainly it's not the case that
anything is 'broken'._

~~~
nbpoole
You might want to read
<http://www.imperialviolet.org/2011/09/23/chromeandbeast.html>, which sums up
Chrome's reaction to the attack.

