In order to execute their attack, Rizzo and Duong use BEAST (Browser Exploit Against SSL/TLS) against a victim who is on a network on which they have a man-in-the-middle position.

 

So in order to “break” the AES component of SSL 3.0 you have to already have compromised the client/server in another way by inserting yourself inside the data stream? No big deal here. If the machine/s are already compromised then all other security is moot. This is nothing to be concerned about. Keep your machine clean and this “attack” is no big deal.

via New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies | threatpost.
