Forum Discussion
BT_90520
Nimbostratus
Sep 20, 2011
New web attack on SSL/TLS using BEAST
Hi there, in the link below, the POC mentioned injecting the JS through use of an iframe ad or just loading the BEAST JS into the browser; thereafter comes the second stage of sniffing and decrypti...
BT_90520
Nimbostratus
Sep 23, 2011
Thanks Brian. Also saw that the release note of v11 has stated the support of TLS1.2:
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_11_0_0_ltm.htmlltm_rn_1100_new
Also understand that TLS1.2 is not enabled by default for Win2008 R2 and the IIS that ships with it. But it should be possible to enable it through a registry setting. Even for Apache 2.0, I do not think it supports TLS 1.2 yet.
So in that case, to mitigate the attack, ASM comes in to enforce the client doing TLS1.2 while it handles TLS1.0 with the web server. See the diagram below. Of course, we are saying attacks cannot get in between ASM and the web server.
[Client] <---TLS1.2---->[ASM]<---TLS1.0--->[Web Server]
Does this sound feasible?
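An added example, not part of the original post and not F5 code: one way to confirm which protocol version each leg of the diagram above actually negotiates is to read the version field of the ServerHello captured on that leg. The function names, leg labels and sample records are assumptions constructed for illustration.

```python
import struct

# Wire values of the protocol versions named in the thread.
VERSIONS = {0x0300: "SSL3.0", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
TLS12 = 0x0303

def parse_server_hello(record: bytes):
    """Return (negotiated_version, cipher_suite) from one raw ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4:
        raise ValueError("truncated record body")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # server_version(2) + random(32) + session_id length(1) = 35 bytes minimum
    if len(hello) < hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    off = 35 + hello[34]                      # skip the variable-length session_id
    if len(hello) < off + 3:                  # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hello[off:off + 2])[0]
    return version, cipher

def check_leg(name: str, record: bytes, minimum: int = TLS12):
    """Return (ok, message); ok is False when the leg negotiated below `minimum`."""
    version, cipher = parse_server_hello(record)
    ok = version >= minimum
    label = VERSIONS.get(version, hex(version))
    verdict = "OK" if ok else "below TLS1.2"
    return ok, f"{name}: negotiated {label}, cipher 0x{cipher:04x}: {verdict}"

def make_server_hello(version: int, cipher: int) -> bytes:
    """Build a minimal ServerHello record (constructed sample, empty session_id)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", cipher, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake

if __name__ == "__main__":
    # Constructed captures for the two legs in the diagram.
    legs = {"client<->ASM": make_server_hello(0x0303, 0x003C),
            "ASM<->web server": make_server_hello(0x0301, 0x002F)}
    for name, rec in legs.items():
        print(check_leg(name, rec)[1])
```

With the constructed samples, the client-facing leg passes and the server-facing leg is reported as below TLS1.2, which matches the split shown in the diagram.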