I can't be 100% sure, but I've done work with SSL in the past and the encryption used during SSL is determined during the handshake process. That being said most sites use AES-256 industrial grade encryption as the primary encryption suite on SSL connections, so if this story is correct it could have more far reaching implications with regards to AES-256 encryption. That's why I feel this story might be bogus. If this BEAST tool had a valid certificate from a trust certificate authority it could launch a man-in-the-middle attack, but that's only as long as the certificate authority wasn't blacklisted. Again forgive me if my SSL/TLS knowledge is a little rusty, its been 2 years since I've had to code an application that dealed with the knitty gritty details.
1 post • joined 27 Sep 2011