A tool that cracks SSL cookies in ten minutes was recently introduced at the Ekoparty security conference. The tool is called BEAST, which stands for Browser Exploit Against SSL/TLS. It works only with TLS 1.0 and not with TLS 1.1, although most of us are using 1.0, whether we know it or not. The 1.1 version is not widely used yet. Click here to read more about how it works.
While it is not simple to immediately achieve the exploit, the article mentions that the tool is JavaScript that needs to be injected into the victim's browser, something we unfortunately see all too often: hackers have done it, know how to do it, and will continue doing it. So, the attack is not necessarily easy, but it appears feasible.
Granted, this is merely research that is demonstrating the possibilities of cracking SSL cookies. This has yet to be done by hackers in a real-world application. How many times have we seen this before? How long will it be before this becomes a real threat?
Computers become more powerful every day; as a consequence, encryption becomes easier to crack. The 128-bit encryption used in VPNs was quickly replaced by AES256. AES256 was designed to last well into the 21st century because the computing power required to compromise it is such that no existing commercially available computer can crack it in a meaningful time. And that's, ultimately, what we want. It may never be possible to create encryption that cannot be cracked; but if we can make it hard enough that no computer can crack it in a human lifetime with the computing power commonly available today, then we should be OK. Of course, in this constantly changing, fast-paced technology era, as computing power increases, the time it takes to crack an encryption algorithm decreases. That is why we went from 64 bits, at the end of the 20th century, to 128 bits, which we still use today. It has only been 11 years, but maybe it is time to move to 256, before someone comes up with a way to use the BEAST as a hacking tool and we start losing some serious data over HTTPS.
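Since the tool works against TLS 1.0 and not TLS 1.1, a practical first step is to see which version a connection actually settled on. The Python below is an added example, not code from this post or from the BEAST researchers: it reads the negotiated version out of a captured ServerHello record. It goes slightly beyond the post by also checking for a CBC-mode cipher suite, which is the cipher mode the attack concerns; the function names and the sample handshake bytes are constructed for illustration.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2 or 1.3"}  # TLS 1.3 keeps 0x0303 in this field
# A few CBC-mode suites by IANA id; deliberately not an exhaustive list.
CBC_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
              0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
              0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}


def parse_server_hello(record: bytes):
    """Return (version, cipher_suite) from one TLS record carrying a ServerHello."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record starting with ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    # The body must fit in the record and hold version(2) + random(32) + sid_len(1).
    if hs_len + 4 > rec_len or len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]  # skip the variable-length session id
    if off + 2 > len(hello):
        raise ValueError("cipher suite missing")
    version, suite = struct.unpack("!HH", hello[:2] + hello[off:off + 2])
    return version, suite


def assess(record: bytes) -> dict:
    """Flag a handshake that settled on TLS 1.0 (or older) with a CBC suite."""
    version, suite = parse_server_hello(record)
    return {"version": VERSIONS.get(version, hex(version)),
            "suite": CBC_SUITES.get(suite, hex(suite)),
            "flag": version <= 0x0301 and suite in CBC_SUITES}


def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample input: a minimal ServerHello with an empty session id."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake


if __name__ == "__main__":
    # TLS 1.0 + CBC, TLS 1.1 + CBC, TLS 1.0 + a non-CBC suite (0x0005, RC4)
    for ver, cs in [(0x0301, 0x002F), (0x0302, 0x002F), (0x0301, 0x0005)]:
        print(assess(build_server_hello(ver, cs)))
```

Only the first of the three constructed handshakes is flagged; the same version with a non-CBC suite, or the same suite under TLS 1.1, is not.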