What is BEAST?
TLS 1.0 and earlier protocols suffer from a serious flaw: the Initialization Vector (IV) blocks that are used to mask data (plaintext) prior to encryption with a block cipher can be predicted by an active man-in-the-middle (MITM) attacker. IVs are used to prevent encryption from being deterministic; without them, every time you encrypt the same block of data with the same key, you get the same (encrypted) output. This is highly undesirable. A clever attacker who can 1) predict IVs, 2) see what encrypted data looks like, and 3) influence what is encrypted, is then able to make guesses about what plaintext looks like. Technically, he cannot decrypt any data, but he can find out if his guesses are right or wrong. With enough guesses, any amount of data can be uncovered.
This is a highly condensed explanation of the problem. If you care about the details, I suggest that you start with my previous post on this topic, and follow the links provided there.
Because guessing is not very efficient, the BEAST attack can in practice used to retrieve only small data fragments. That might not sound very useful, but we do have many highly valuable fragments all over: HTTP session cookies, authentication credentials (many protocols, not just HTTP), URL-based session tokens, and so on. Therefore, BEAST is a serious problem.
BEAST is purely a client-side vulnerability. Since it had been released to the public, most major browsers addressed it using a technique called 1/n-1 split. This technique stops the attacker from predicting IVs and effectively addresses the underlying problem.
But one platform held back—Apple's. We know little about their intentions, because there hasn't been any official communication on this topic. My understanding is that the 1/n-1 split was incorporated in the Mountain Lion release, but that it is disabled by default. Also, as far as I am aware, the split is not in use on iOS either.
Without Apple addressing the BEAST attack, there's a substantial chunk of users that are still potentially vulnerable. For this reason, at the beginning of this year, SSL Labs started penalizing all sites that do not incorporate server-side mitigations against the attack.
Unfortunately, the only way to mitigate the BEAST attack is to enforce the use of RC4 suites whenever TLS 1.0 and earlier protocols are used (which is most of the time at this point). I say "unfortunately", because very shortly after we had started requiring server-side mitigations, new research about RC4 came out and we found out that this cipher was much weaker than previously thought. The weaknesses were not of immediate concern, but it was clear that RC4 was on the way out.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.