Forum Discussion
BT_90520
Nimbostratus
Sep 20, 2011
New web attack on SSL/TLS using BEAST
Hi there, In the link below, the POC mentioned injecting the js through use of an iframe ad or just loading the BEAST js into the browser, thereafter comes the second stage of sniffing and decrypti...
BT_90520
Nimbostratus
Sep 21, 2011
Understand that BIG-IP v11 should already support TLS 1.2 - try out "tmm --serverciphers 'DEFAULT'" to see.
It would list out AES128-SHA256 and AES256-SHA256 in the native SSL stack used. The main difference is MAC changed from SHA to SHA256 (and it will give higher entropy for the pseudorandom function).
I suppose the SSL profile would also have supported TLS 1.2 (best to hear out from the expert too :p)
But the point for this vulnerability is that not many web services are using TLS 1.2, and providers are not moving to a higher security level as they may lose clients who are still using the older version. See statistics of the TLS versions used in the link below
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/page2.html
Overall, it is best to prevent the exploit from even happening in the first place (stop the js injection into the client browser). But we do need to note that the authors claim to also be able to perform the attack on other applications using TLS (such as VPNs), not just web browsers.
Just some quick thoughts ...
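The reply above suggests listing the negotiable cipher suites and looking for the TLS 1.2 suites (AES128-SHA256, AES256-SHA256) as a sign that the stack can move past the BEAST-affected TLS 1.0 CBC mode. The following is an added example, not code from the thread or from F5: it runs the same kind of audit against the local OpenSSL build via Python's `ssl` module instead of BIG-IP's `tmm`, flagging CBC suites (the ones BEAST targets) and showing a hardened client context that requires TLS 1.2 and AEAD suites only. Function names (`cbc_suites`, `hardened_context`, `audit`) and the cipher string are my own choices; the `cbc_suites` result depends on the OpenSSL the interpreter is linked against.

```python
import re
import ssl

# OpenSSL cipher descriptions look like:
#   "AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256"
#   "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
# Block ciphers without a mode suffix (AES(, 3DES(, CAMELLIA(, ...) are CBC mode.
_CBC_ENC = re.compile(r"\bEnc=(AES|3DES|DES|CAMELLIA|SEED|IDEA)\(")


def is_cbc_description(description: str) -> bool:
    """True when the suite's bulk cipher runs in CBC mode (BEAST-relevant)."""
    return _CBC_ENC.search(description) is not None


def cbc_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that use CBC mode, in preference order."""
    return [c["name"] for c in ctx.get_ciphers() if is_cbc_description(c["description"])]


def tls12_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that OpenSSL tags as TLS 1.2 (e.g. AES128-SHA256)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses TLS < 1.2 and negotiates only AEAD suites.

    AEAD (GCM / ChaCha20-Poly1305) suites have no CBC block chaining, so the
    BEAST chosen-plaintext technique does not apply to them. The cipher string
    is an assumption for this example, not a BIG-IP setting.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise a context the way one would eyeball the tmm cipher listing."""
    ciphers = ctx.get_ciphers()
    return {
        "total": len(ciphers),
        "cbc": cbc_suites(ctx),
        "tls12": tls12_suites(ctx),
        "min_version": str(ctx.minimum_version),
    }


if __name__ == "__main__":
    # Compare the interpreter's default client context with the hardened one.
    for label, ctx in (("default", ssl.create_default_context()),
                       ("hardened", hardened_context())):
        report = audit(ctx)
        print(f"[{label}] {report['total']} suites, min {report['min_version']}")
        print(f"  CBC suites still enabled: {report['cbc'] or 'none'}")
```

Run it once against the default context and once against the hardened one; the point of the comparison is that a stack can advertise TLS 1.2 suites (the SHA256 ones the reply mentions) and still fall back to TLS 1.0 CBC with an old client unless the minimum version is actually pinned.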