The BEAST bug is a new and under-reported client-side SSL/TLS vulnerability that affects a wide range of SSL-based clients, including the Mozilla Firefox browser suite and GNU Linux.

Mozilla Firefox/Thunderbird

Mozilla Firefox and Thunderbird seem so far not to have reported the issue publicly, so the use of SSL/TLS 1.0 based encryption may still be remotely exploitable. The severity of this privacy leak (MITM-like) and the lack of public disclosure thus provide sufficient motive to recommend using an alternative browser supporting at least TLS 1.2 until this issue is fully fixed in Firefox.

I therefore strongly recommend the adoption of the Opera browser, which supports TLS 1.2 based encryption, for secure browsing, while still being quite upset with the attitude of the Mozilla community to not disclose this exploit in a public security advisory...


Known Workarounds


To verify which cipher suite is in use by a remote server, you may do the following:

% openssl s_client -connect <servername>:443 -showcerts

If the line "Secure Renegotiation IS supported" is shown, the remote server may not be affected by this vulnerability or is using TLS 1.2 for SSL session handshakes.
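The negotiated protocol version and cipher appear in the "SSL-Session" block of the s_client output, and BEAST concerns CBC-mode suites negotiated under SSL 3.0 or TLS 1.0. The following is an added example, not part of the original page: a shell function (the name beast_check and the sample outputs are constructed for illustration) that reads s_client output and reports which case applies.

```shell
#!/bin/sh
# Added example (not from the original page): classify `openssl s_client`
# output by the negotiated protocol and cipher, the two values that decide
# BEAST exposure. Always returns 0; the verdict is the printed line.
beast_check() {
    out=$(tr -d '\r')
    # The SSL-Session block holds the negotiated values, e.g.
    #     Protocol  : TLSv1
    #     Cipher    : AES128-SHA
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "unknown"        # handshake failed or output not recognised
        return 0
    fi
    case "$proto" in
        SSLv3|TLSv1)
            # Below TLS 1.1 every block-cipher suite runs in CBC mode with
            # a predictable IV; RC4 (stream) and NULL suites are not CBC.
            case "$cipher" in
                *RC4*|*NULL*) echo "legacy-no-cbc $proto $cipher" ;;
                *)            echo "legacy-cbc $proto $cipher" ;;
            esac ;;
        *)  echo "not-legacy $proto $cipher" ;;
    esac
}

# Constructed sample output (abridged), not captured from a real server.
SAMPLE_TLS10='New, TLSv1/SSLv3, Cipher is AES128-SHA
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA'

SAMPLE_TLS12='New, TLSv1/SSLv3, Cipher is AES128-SHA
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA'

printf '%s\n' "$SAMPLE_TLS10" | beast_check
printf '%s\n' "$SAMPLE_TLS12" | beast_check
# Live use:
#   openssl s_client -connect <servername>:443 </dev/null 2>/dev/null | beast_check
```

Both constructed samples contain the renegotiation line; the verdict depends only on the Protocol and Cipher lines.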


just another Wiki: BEAST (last edited 2012-08-02 13:56:14 by anonymous)