[cryptography] BEAST (was Re: Bitcoin, was Nirvana)

Nico Williams nico at cryptonector.com
Mon Sep 26 13:00:03 EDT 2011

On Mon, Sep 26, 2011 at 9:32 AM, ianG <iang at iang.org> wrote:
>> How about that attack on TLS 1.0 CBC IV chaining? Pretty fun.
> I'm guessing this attack is mitigated by use of client cert logins?

If the server app checks for client certs, yes, because the attacker
can't use the stolen cookies.

(Note that Dirk B.'s proposal for channel binding cookies to ephemeral
per-origin client certs has the same effect.)

Another interesting thing we could do in general (and which would have
made BEAST much less interesting) would be to have more "types" of
cookies.  Suppose sites set two types of cookies, one of which is
never to be present in cross-site requests.  Then this attack would
not recover one type of cookie (unless the user, or a legitimate
script on the target site were doing many same-origin requests).
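The two-cookie-type idea above, worked through as an added example (not code from the message or the list): a browser-side cookie jar in which each cookie carries a flag saying whether it may accompany a cross-site request. The attacker in the BEAST setting can only make the victim's browser issue cross-site requests to the target, so a cookie whose flag is off never appears in attacker-induced traffic. The hostnames, cookie values and the `cross_site` attribute name are constructed for the example, and "same site" is simplified to hostname equality.

```python
"""Simulation of two cookie types: ordinary cookies and cookies that
are never attached to cross-site requests.  Hypothetical model, not a
real browser's cookie policy; "same site" here means equal hostnames."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # host the cookie belongs to
    cross_site: bool   # True: ordinary cookie; False: never sent cross-site


# Constructed sample jar for a victim who is logged in to bank.example.
JAR = [
    Cookie("pref", "lang=en", "bank.example", cross_site=True),
    Cookie("session", "s3cr3t-token", "bank.example", cross_site=False),
]


def site_of(url: str) -> str:
    """Hostname of a URL; stands in for the registrable domain."""
    return (urlsplit(url).hostname or "").lower()


def cookies_for_request(jar, initiator_url: str, target_url: str):
    """Cookies a browser following this policy attaches to a request to
    target_url that was initiated by a page loaded from initiator_url."""
    target = site_of(target_url)
    same_site = site_of(initiator_url) == target
    sent = []
    for c in jar:
        if c.domain != target:
            continue                      # cookie belongs to another host
        if not c.cross_site and not same_site:
            continue                      # the restricted type stays home
        sent.append(c)
    return sent


def cookie_header(cookies) -> str:
    """Render the Cookie: header value the attacker could try to recover."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies)


def attacker_visible_cookie_names(jar, attacker_url: str, target_url: str):
    """Cookie names present in requests the attacker can induce, i.e. in
    cross-site requests from the attacker's page to the target."""
    return [c.name for c in cookies_for_request(jar, attacker_url, target_url)]


if __name__ == "__main__":
    print("cross-site  :", cookie_header(
        cookies_for_request(JAR, "https://attacker.example/", "https://bank.example/account")))
    print("same-site   :", cookie_header(
        cookies_for_request(JAR, "https://bank.example/", "https://bank.example/account")))
```

The same-site call shows the caveat in the message: if the user or a legitimate script on the target site keeps issuing same-origin requests, the restricted cookie is on the wire in those requests, and the policy only removes the attacker's ability to trigger them. Browsers later standardised this split as the `SameSite` cookie attribute.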
