A CRIME Against SSL/TLS Encryption

Approximately one year ago Juliano Rizzo and Thai Duong (the so-called BEASTie Boys) discovered a way to break SSL Encryption by mean of their BEAST attack (rowser Exploit Against SL/TLS).

Their attack exploited a design flaw of the SSL/TLS 1.0 protocols (or better of the CBC cipher-suites, such as AES and 3DES), allowing to decrypt an encrypted conversation by sniffing the traffic and injecting a known pattern in the encryption channel. At that time the research had a considerable impact, given the wide usage of SSL/TLS in millions of websites providing secure online services.

read more