Skip to main content

Firefox devs mull dumping Java to stop BEAST attacks

posted onSeptember 29, 2011
by l33tdawg

Firefox developers searching for a way to protect users against a new attack that decrypts sensitive web traffic are seriously considering an update that stops the open-source browser from working with Oracle's Java software framework.

The move, which would prevent Firefox from working with scores of popular websites and crucial enterprise tools, is one way to thwart a recently unveiled attack that decrypts traffic protected by SSL, the cryptographic protocol that millions of websites use to safeguard social security numbers and other sensitive data. In a demonstration last Friday, it took less than two minutes for researchers Thai Duong and Juliano Rizzo to wield the exploit to recover an encrypted authentication cookie used to access a PayPal user account.

Short for Browser Exploit Against SSL/TLS, BEAST injects JavaScript into an SSL session to recover secret information that's transmitted repeatedly in a predictable location in the data stream. For Friday's implementation of BEAST to work, Duong and Rizzo had to subvert a safety mechanism built into the web known as the same-origin policy, which dictates that data set by one internet domain can't be read or modified by a different address.

Source

Tags

Mozilla Security

You May Also Like

Recent News

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th