Slightly OT, but this is a perfect reason to regard JavaScript crypto as dangerous. If one of the most heavily scrutinized cryptographic protocols can have what is, in retrospect, a fairly obvious flaw (WEP fell to a very similar predictable IV attack), the average developer does not stand a chance of getting it right implementing it from scratch in an environment they do not have strong control over.
I generally oppose doing crypto in JavaScript, but I'm not so sure that this bug is a good argument for that position. You realize you're taking two extremely unsettled debates and combining them, don't you? :-)
* We will probably never get to a point where everyone agrees on the exact severity of the BEAST exploit, simply because all of the parties are defining "severity" from their own perspective. The best we can hope for is that enough fixes get put in place that nobody (else) gets pwned by it in the real world.
* Yes, "average developer does not stand a chance of getting it right". Professional crypto engineers don't always get everything right (often only understood after many years).
* But I personally object to the "hands off ye mortals crypto is only for the Gods" argument. People should be able to hack on whatever they want without being ridiculed. What we need to be vigilant about is the security claims being made on the result! The only thing worse than amateur crypto in amateur packaging is broken (or backdoored) crypto in professional packaging.
A. The server provides a vastly more stable and secure environment for performing sensitive crypto operations. Yes, really. There are attacks with CVE numbers and careful code patches in OpenSSL that have to be completely ignored by JavaScript crypto advocates simply because they have no mitigation there.
B. Almost all reasons people give for wanting to do crypto on the client side in Javascript don't hold up under scrutiny. It usually turns out that the person advocating it is being optimistic because he doesn't really understand his attacker's capabilities very well.
http://news.ycombinator.com/item?id=3015995
I happen to know the details of this attack since I work on Chrome's SSL/TLS stack. Fundamentally there's nothing that people should worry about here. Certainly it's not the case that anything is 'broken'.