The BEAST Wins Again: Why TLS Keeps Failing to Protect HTTP

Documents

Exploit videos

Disclaimer: The goal of these videos is not to criticize the affected websites but to demonstrate that the attacks we describe are practical and can have a strong impact. The attacks have been responsibly disclosed to the affected vendors, giving them ample time to respond.

We are happy to acknowledge the swift and effective actions taken following our reports, in particular coming from Akamai, Dropbox, Google and Mozilla. We are also thankful to HackerOne for their disclosure coordination and collaboration efforts.

Tip: if you only care about impersonating the NSA website, skip to the Akamai video.

Bonus: SPDY impersonation attack

This is the SPDY bug (CVE-2014-3166) that was censored from the Black Hat talk, and fixed one week later in Chrome 36.0.1985.143. When a user accepts any untrusted certificate, a network attacker is able to insert arbitrary many target domains in the certificate, and because of SPDY connection pooling, Chrome will reuse the connection with the attacker for requests to these domains. This attack also bypasses the pinning policies (pre-loaded, and HSTS), which can be exploited by an attacker with the ability to obtain signed malicious certificates. For more details, refer to this discussion on the TLS mailing list.

Cookie Cutter

Virtual Host Confusion

Mozilla

Akamai

Triple Handshake