Transport Layer Security – (TLS) is a protocol often used during HTTPS connections to secure web sites. For almost a decade, it has been known that TLS 1.0 was insecure and vulnerable to attack – primarily due to its usage of the Cipher Block Chaining (CBC) mode of operation. TLS version 1.1 and then TLS version 1.2 have been designed to cope with this and other weaknesses.
The theoretical attack published by Gregory V. Bard back in April 2006 has been exploited (although not in the wild) and a proof-of-concept has been recently developed. Just a little over a week ago, researchers Thai Duong and Juliano Rizzo demonstrated their proof-of-concept called BEAST – Acronym for Browser Exploit Against SSL/TLS and a few days ago, published a blog post describing the attack in detail.
Even though Microsoft, Google, Mozilla and Opera have already released information or fixes for this issue, it is surprising that Internet Explorer, Chrome, Firefox and Opera, all recent web browsers, had this vulnerability unpatched for this long – leaving many users vulnerable to the particular type of attack SSL was designed to protect against.
OpenSSL has implemented a workaround for this vulnerability since version 0.9.6d which was released in May 2002, however some browsers use the Network Security Services (NSS) library, which remained vulnerable to this attack.
The beauty is that the M86 Secure Web Gateway appliance in its default configuration provides zero-day protection against this (and other) types of attack.
The complexity, time and cost of keeping all browsers in an organization patched against all the latest security threats highlights the importance of not relying solely on client-side security solutions.
Regardless of whether browsers behind the Secure Web Gateway get patched and how quickly that happens, they are protected behind M86 Security Secure Web Gateway.