Softpedia
 

September 23rd, 2011, 13:52 GMT · By Eduard Kovacs

Browser Vendors Prepare for SSL Attacks

Chrome is trying to catch up
The SSL BEAST research will be revealed very shortly, and web browser vendors will have to come up with ingenious ways of protecting their products so as not to lose the admiration of their fans.

The easiest way to fix the problem would be to upgrade to newer versions of the security protocols. For instance, TLS 1.1 and 1.2 are not susceptible to the attack, but the problem is that most websites don't support these protocol versions.

As mentioned in a previous article, Opera has already successfully incorporated the improved protocols, and they're activated by default. However, users who experience problems can disable them, which leaves the browser vulnerable to attack.

As Opera researchers discovered, this upgrade process is a double-edged sword. Even though TLS 1.1 and TLS 1.2 are relatively old, website builders have not enforced them. They have held back on implementing the newer protocol versions for fear that, if a customer's web application proves incompatible, they will lose a large part of their business.

Internet Explorer 9 can protect users against SSL attacks, but only if they activate the later versions manually. The downside is that if the webpages they access don't support these versions, visitors will not be able to access the content properly.

According to Threatpost, Google officials are patching Chrome as we speak; their only fear is that hacking activity might push them into a forced release of the product.

Mozilla's Firefox lags furthest behind. Mozilla's products support only SSL 3.0 and TLS 1.0, which are highly vulnerable to the BEAST attack.

In a recent paper, Thierry Zoller recommends measures for an SSL configuration that is less exploitable in e-banking and credit card transactions. Elliptic curve cryptography as the preferred cipher, AES as the encryption algorithm, a minimum encryption key length of 128 bits and dropping support for SSLv2 and SSLv3 are just a few of his recommendations.
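
The recommendations listed above, together with the article's statements about which protocol versions BEAST affects, can be expressed as a check over the parameters a connection actually negotiated. This is an added example, not code from the article or from Zoller's paper; the function names, finding strings and sample tuples are constructed for illustration, and cipher names are assumed to follow OpenSSL naming.

```python
import socket
import ssl

# Policy taken from the article's summary; protocol names as ssl.SSLSocket.version() reports them.
DROPPED = {"SSLv2", "SSLv3"}        # support should be revoked
BEAST_EXPOSED = {"SSLv3", "TLSv1"}  # TLS 1.1 and 1.2 are not susceptible
MIN_KEY_BITS = 128

def audit(protocol, cipher, bits):
    """Return policy findings for one negotiated (protocol, cipher, bits)."""
    findings = []
    if protocol in DROPPED:
        findings.append("protocol should be disabled")
    if protocol in BEAST_EXPOSED:
        findings.append("protocol susceptible to BEAST")
    if "AES" not in cipher:
        findings.append("cipher is not AES")
    if bits < MIN_KEY_BITS:
        findings.append("key shorter than 128 bits")
    # TLS 1.3 suite names do not encode the key exchange, so skip the check there.
    if protocol != "TLSv1.3" and not cipher.startswith(("ECDHE-", "ECDH-")):
        findings.append("no elliptic-curve key exchange")
    return findings

def probe(host, port=443, timeout=5.0):
    """Connect with the local default client settings and return the
    (protocol, cipher, bits) tuple negotiated with the server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return tls.version(), name, bits

# Constructed samples (not captured from real servers).
SAMPLES = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128),
    ("TLSv1", "AES128-SHA", 128),
    ("SSLv3", "RC4-MD5", 128),
    ("TLSv1.1", "DES-CBC-SHA", 56),
]

def report(samples=SAMPLES):
    """Map each sample tuple to its list of findings."""
    return {s: audit(*s) for s in samples}

if __name__ == "__main__":
    for params, findings in report().items():
        print(params, "->", findings or "meets the policy")
```

To audit a server you administer, pass the result of `probe(host)` to `audit(*...)`; the probe reports only what the local client and that server agree on, so it does not enumerate every protocol version the server would accept.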