Slashdot Mirror


Why the BEAST Doesn't Threaten Tor Users

Earlier in the week, we posted news of a vulnerability discovered in virtually all websites secured with theoretically outdated (but widespread) versions of SSL and TLS encryption. Luckily for all non-nefarious users, this vulnerability (called BEAST, short for Browser Exploit Against SSL/TLS) was discovered and disclosed by researchers Thai Duong and Juliano Rizzo, and browser makers are pushing out changes to nullify it. Many systems, though, will remain unpatched for a long time. Nick Mathewson (nickm) of the Tor project has posted an explanation of why Tor traffic, as he understands the attack, remains safe. As a side benefit for those of us who aren't security experts, his description explains in plain language just what the danger is.


  1. Just make a good security standard already by Co0Ps · · Score: 3, Insightful

    What an epic fail for TLS. The certification system is broken by design and now apparently the block encryption as well. Let's take this opportunity to draft a new standard that:

    A) Solves the having-to-trust-cert-authorities in China by using DNSSEC instead for certification. It should also optionally support manual cert distribution or remember-public-key for advanced users.

    B) Just like SSH it should support a range of handshake methods/encryption algorithms. It's insane to rely on a single algorithm. So when (note "when", not "if") an algorithm gets busted I can simply patch my browser.

    So somebody, please write an RFC now, anyone? :)

    1. Re:Just make a good security standard already by Lennie · · Score: 2

      B. SSL/TLS already supports many methods/encryption algorithms. If everyone would easily be able to install newer software instead of having to support old, we'd all be able to turn off the older SSL/TLS methods. But as we can't, the other solution is to set up the server to prefer another older method, which uses RC4 instead of CBC, which this tries to attack. The RC4-based method is also safe.

      And for those web developers who complained about Opera and Mozilla disabling support of the older websocket protocol: if they didn't, websockets could have potentially been used for this attack as well, instead of the Java applet which is used for this attack.

      --
      New things are always on the horizon
  2. Summary by Anonymous Coward · · Score: 2, Informative
    Summary for Technical People who don't want to read through a ton of crap:

    Tor uses OpenSSL's "empty fragment" feature, which inserts a single empty TLS record before every record it sends. This effectively randomizes the IV of the actual records, like a low-budget TLS 1.1. So the attack is simply stopped.
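
The IV behaviour described in the comment above, as an added example that is not part of the original thread and is not Tor or OpenSSL code: in TLS 1.0 CBC mode the last ciphertext block of one record is the IV of the next, and a zero-length record sent first moves the data record onto an IV that was not on the wire beforehand. The class and function names are hypothetical, HMAC-SHA256 stands in for the block cipher, the MAC input is simplified, and the messages are constructed.

```python
import hashlib, hmac, os

BLOCK = 16  # cipher block size in bytes

def prf_block(key, block):
    # Assumption: a keyed PRF stands in for the block cipher's encrypt
    # direction; enough to show IV chaining, but not invertible like AES.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

class Tls10CbcWriter:
    """Hypothetical, simplified sender side of a TLS 1.0 CBC connection."""
    def __init__(self, empty_fragment):
        self.enc_key, self.mac_key = os.urandom(16), os.urandom(20)
        self.iv = os.urandom(BLOCK)  # first IV comes from the handshake
        self.seq = 0
        self.empty_fragment = empty_fragment

    def _record(self, plaintext):
        # MAC-then-encrypt: plaintext || HMAC-SHA1 || padding, then CBC.
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + plaintext,
                       hashlib.sha1).digest()
        self.seq += 1
        body = plaintext + mac
        pad = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
        body += bytes([pad]) * (pad + 1)
        prev, out = self.iv, []
        for i in range(0, len(body), BLOCK):
            x = bytes(a ^ b for a, b in zip(body[i:i + BLOCK], prev))
            prev = prf_block(self.enc_key, x)
            out.append(prev)
        used_iv, self.iv = self.iv, prev  # TLS 1.0: last block is the next IV
        return used_iv, b"".join(out)

    def write(self, data):
        """Return (records put on the wire, IV used for the data record)."""
        wire = []
        if self.empty_fragment:
            wire.append(self._record(b"")[1])  # zero-length record: MAC + padding
        iv, ct = self._record(data)
        wire.append(ct)
        return wire, iv

def count_predictable_ivs(writer, messages):
    """Count data records whose IV was visible on the wire before write()."""
    last_seen, hits = None, 0
    for m in messages:
        wire, iv = writer.write(m)
        hits += (iv == last_seen)
        last_seen = wire[-1][-BLOCK:]
    return hits

MESSAGES = [b"GET / HTTP/1.1", b"Cookie: constructed=1", b"Host: example.test"]
```

Without the empty fragment, every data record after the first starts from an IV an observer has already seen; with it, none do, because the IV is the tail of a record whose contents depend on the MAC key and which is emitted in the same write.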

  3. You don't need to use BEAST by sgt+scrub · · Score: 2, Informative

    Tor's flaw is not MIM attacks, it is not knowing who owns the exit node.

    --
    Having to work for a living is the root of all evil.
    1. Re:You don't need to use BEAST by Anonymous Coward · · Score: 2, Interesting

      Evil nodes are *assumed* when you are using Tor. Everyone knows this.

    2. Re:You don't need to use BEAST by quickgold192 · · Score: 3, Insightful

      Who cares who owns the exit node as long as the same entity doesn't own every other node in the circuit? And as long as you don't transmit any traceable information in plaintext?