A couple of security researchers have discovered a critical vulnerability that is capable of allowing hackers to break the SSL encryption mechanism used by millions of websites worldwide.
The researchers claim to have discovered a flaw in version 1.0 of TLS (Transport Layer Security), which is a cryptographic protocol used by websites when they are accessed using HTTPS (Secure Hypertext Transfer Protocol).
TLS is a successor to the secure sockets layer (SSL) protocol, which makes sure that the communication between a user and the website he/she is visiting is secure and out of reach of hackers.
The vulnerability, which does not affect versions 1.1 and 1.2 of TLS, could allow a hacker to break the encryption and steal the data exchanged between users and websites, like usernames and passwords.
The attack, termed as BEAST, was developed by researchers Juliano Rizzo and Thai Duong. They plan to demonstrate the attack at the Ekoparty security conference in Argentina.
“We also describe one application of the attack that allows an adversary to efficiently decrypt and obtain authentication tokens and cookies from HTTPS requests. Our exploit abuses a vulnerability present in the SSL/TLS implementation of major Web browsers at the time of writing,” the researchers said.