Father of SSL says despite attacks, the security linchpin has lots of life left

11.10.2011

The problem is complex. It started with, yeah there is a weakness in the security protocol and we ought to recognize that and we have to go update it and fix it. That was before the whole BEAST thing -- the practical attack, so to speak.

All the different browsers in the world are using TLS which is known to have that weakness. It's important to understand what that attack really is.

The way the BEAST thing's deployed is you have to have a piece of malware on the browser that can inject certain things to force the browser to produce cookies so that these cookies are passed into the channel. Then they have to have a man-in-the-middle point that allows them to actually get the encrypted data. So you have what is called a chosen plaintext attack -- you choose the plaintext and you read the ciphertext and you try to match these up and find out what the keys are. It's very, very clever. There's no question about it.

Now, from a practical standpoint, the real problem is you have to have malware on the machine. Honestly, if I can put malware on your machine, I'm not going to be bothering with your SSL because I can see all the data before it gets encrypted.

It became very public because there are some 2 billion browsers and all of them use SSL for one thing or another and all e-commerce uses it and we should be careful. But obviously if you have a protocol that does not have any security problems -- that does not exist.

Zur Startseite