From a security perspective, gadgets let us down all the time.   Sometimes it is because they compromise our privacy in the name of convenience.  Sometimes it is because the information they provide us is fallible.  Sometimes it is because they were not designed with security in mind.

The real question is whether its the gadgets themselves that are betraying us or rather the humans who designed and built the gadgets.  I would say the latter.

• Standards/Policy
• JEE Platform Security Guide
• JEE Security Specification (Requirements)
• Technology-specific standards
• Reference Architecture
• Security Design: MVC, JAAS, IV/OE, Encryption
• Architecture Assessments
• “Project Rescue” (re-architecting, refactoring systems)
• Training

Historically organizations wanted “one expert” and their ultimate goal usually aimed at something we might still call a “reference architecture”. They were building their own security API or securing a framework and would say, “You know JEE Security really well, ‘write us the book on how to do XXX’.”

Organizations no longer want one expert to “write the book”. They want five-to-ten smart architects to shepherd applications through upgrading design/implementation so assessments cease finding the same vulnerability over and over again. But, hiring this many sharp architects proves a real challenge. One technique has consistently made preparing individuals for this job easier for me. Step-wise:

1. Identify design patterns commonly used in today’s architectures/designs
2. Choose a pattern, writing up its:
1. Constituent structural and behavioral elements
2. The functional responsibilities of elements
3. Brainstorm security responsibilities (functional & non-functional) of pattern elements
4. Identify elements’ technology-specific implementations in appropriate frameworks
5. Build a review checklist of security responsibilities for implementations
6. Use this checklist as you would code reviewing for known vulns.

This scheme decomposes a system in a dramatically different way than STRIDE (one of Microsoft’s 2+ threat modeling approaches). Whereas STRIDE proposes a set of conceptual attacks (such as spoofing or tampering) the above approach takes a software-centric stance. Just like STRIDE, this approach applied alone would not be thorough; one still must consider a system’s assets and risks. But, using this scheme you can make understanding security architecture of even large, unknown, or scary designs seem more simple. Let’s try it:

1 – Identify Design Patterns

One of the most common patterns in play in a n-tier web system has historically been the MVC (or model view controller). So herein I decompose that pattern. As you’ll see, many security responsibilities fall on this pattern’s controller element.

2.1 – Structural Elements

Unlike some patterns the MVC’s elements are self-evident:

The figure above displays, in an n-tier architecture, what elements of the MVC pattern are and, to some extent, where they live. In the case of MVC, its elements are structural in nature. Behavioral patterns such as the chain of responsibility (which Spring’s interceptors implement) will decompose differently.

For this post’s remainder, I focus on the controller element. Though, when tearing an architecture apart, one must consider each pattern element.

2.2 – functional responsibilities

What is MVC’s controller meant to do? The answer varies depending on the architect you speak to and this variance is reflected in each MVC framework’s implementation. Generically speaking, responsibilities break down as follows:

• View – Display UI for user
• Controller -
• Route user requests to implementation
• Model -
• Represent and persist business entities
• Conduct business logic transactions

We could be more exacting in the functional responsibilities but we’ll find that the above suffices. Remember too, it’s not necessary to get things thoroughly correct the first pass through. Iterate and improve.

3 – security responsibilities

Taking as input the functional element responsibilities ask yourself, “What security impact might each of these have if abused?” If you can, think to yourself, “What does the user expect–from security–when this component does its job?”. Doing so, we come up with the following security responsibilities, by MVC element, as viewed from the general JavaEE perspective:

Summarizing, our controller must:

1. Make sure a user is allowed to conduct an action
2. Filter and correctly format any input required to conduct the action
3. Route the correct action
4. Maintain appropriate transaction state and ensure valid state-transitions

Again, at this point one should dig into the model and view in turn. The diagram above was built in ’05. Experience has taught us a lot since then and it’s probably painful to see view without more clear responsibility around output encoding and escaping. Likewise, model not being charged with canonical form may bother some.

4 – Identify Implementation Components

Above we describe the general JavaEE MVC framework. Interestingly, the first responsibility (making sure a user can conduct an action or ‘authorization’), pre-supposes the system know with whom it’s dealing. Since the JavaEE platform didn’t tackle that problem prior to pushing developers into the MVC paradigm, it should shock none of us that a ecosystem of commercial URL-based authentication packages sprouted up: the market simply addressed an evidently necessary but missing responsibility.

Remember that other MVC frameworks represent other architects’ similar but slightly different take on the same pattern. So, in their cases, security responsibilities may slide from component X to component Y. Luckily, most framework documentation actively advertises its philosophy, design, and features. Often, “tutorial” and “hello world” example sites/documents quickly provide the curious with pointers to specific components that implement a pattern element.

Often, however, the hardest part of this process is TIMTOWDI. APIs, frameworks, and platforms evolve over time and typically accrete several ways (rarely deprecating) for applications to instantiate their structural elements and integrate against their security features. For instance, in Spring, elements of an application’s controller can be defined through text file, XML, class inheritance, method and/or class annotation, and convention. Tracking these down thoroughly (in a security assessment) can be challenging.

5 – Create the Checklist

Knowing what the responsibilities need to be is a good start but it doesn’t help conduct a targeted SCR or developer interview. Key questions:

• I’m about to wade into millions of lines of code–what do I look for, and where do I find it?
• When I begin the process of secure design, where exactly do I suggest people place the fix?

In essence, one must glue together #3 Security Responsibilities with #4 implementations of key design pattern elements. See the figure below:

In essence, a checklist exists in the diagram above at its right. The controller’s responsibility to understand a request’s authorization translates to AuthN and AuthZ. Note that each outlined controller responsibility is represented in the side bar.

Notice that the side bar includes common security concerns not within our stated controller responsibilities. You may want to check a pattern element’s responsibilities, as enumerated in section #3, against a more comprehensive list of security concerns to assure that you didn’t forget one. In the example above, the diagram colors particular concerns either 1) outside our controller’s responsibilities or that 2) I didn’t want to address more thoroughly in my first analysis pass. Again, iterate and improve rather than attempting to nail everything flawless the first time around.

So we’re done here?

No, not really. Even within MVC we could stand to give View and Model more thought.

ANYTHING (AND EVERYTHING) MAY BE OF INTEREST
Notice that we considered decidedly pedestrian functional elements of our application in order to see particular security concerns fully manifest. For instance, an organization-specific DispatcherServlet and DirectoryAdaptor may have profound effect on our first responsibility (AuthN/Authz). And, no organization with which I’ve dealt considers their home-rolled DispatcherServlet a security control. Likewise, when considering an organizations extensions to a framework’s FormController we’ll learn a lot about mandatory application of input processing and filtration.

PROGRESS

“Technological progress is like an axe in the hands of a pathological criminal” – Albert Einstein

And, of course, MVC sounded a lot better on paper than it felt in code. Development has since shifted. As more dynamic languages have given rise to more dynamic application/UI frameworks they typically ‘push down’ application-layer controller logic. More recent web frameworks favor use of key conventions in application-level logic that direct a framework-layer controller otherwise ‘invisible’ to the developer. Frameworks such as Python’s Django, and Cocoa’s KVO/KVC pull this trick and JavaEE APIs like Spring‘s ModelAndView have followed suit. If the controller has been pushed down into the framework, it invalidates the decomposition I’ve written above and we have to reconsider our step-wise process coming up with a new assignment of responsibilities and checklist.

DIRECTIONALITY AND ARCHITECTURE/PATTERN DIAGRAMS

Pay particular attention to this “vertical” (up/down) dimension of the architecture. The layer in which a security concern manifests itself in an application implies things about how much control we have over vulnerability and mitigations. Below you’ll see another view on the same system:

From an application developer’s perspective, the further “down” in the diagram a security concern appears the more “invisible” or effort-free it is. Features the developer must add themselves must be 1) carefully considered for their implementation’s correctness, 2) correct configuration and use, and 3) thorough and consistent use. At first glance, developers prefer APIs, frameworks, and shared libraries because they only consider concerns #2 and #3. Their application may be automatic because of inheritance, the template pattern, or similar scheme. In these cases, the developer can skip concern #3. However, these situations assume the called component’s developer tackled #1: implementation correctness. If property #1 fails the developer they’re often hard-pressed to fix the situation as compared to that which they implemented in their code. Trade-offs.

Remember these properties as you write your checklist. Those responsibilities borne by developers must be checked for 1) implementation correctness, 2) correct configuration and use, and 3) consistent and thorough usage.

Responsibilities in APIs, frameworks, and shared services should be 1) audited once for correctness and, when used, 2) audited for appropriateness, 3) correct configuration and use, and if applied on a discretionary basis, 4) audited for consistent and thorough use. Platform properties and features require the same checks.

Go Forth and Decompose

Hopefully, with a little practice, you’ll be able to go out and look at common architectures, identify their usage of patterns, attribute to them responsibilities, build a checklist for their correct implementation, and then decide how and where to harden them.

-jOHN

Invincea CEO Anup Ghosh (who incidentally once ran Cigital Labs many years ago) and I collaborate on a point/counterpoint titled “Lost Decade or Golden Era: Computer Security since 9/11“. Though Anup and I agree on most technical issues, we disagree on whether Computer Security is moving forward as a field. Anup thinks not. I think yes. What do you think?

Our conversation in that piece closes with a discussion around innovation. My upcoming panel at RSA is devoted to the topic, as is a recent edition of Computing Now. If you’re interested and provoked by what you read there, please plan to join us in San Francisco at the RSA Conference for a distinguished panel on Innovation and Technology Transfer in Security — leap day, February 29, at 8 AM. The panel includes Peter Denning, Brian Chess, Carl Landwehr, and Paul Kocher. Listen to a short promo for the panel here. (We hope to see you at RSA.)

Back to the S&P issue. Cigital Principal Scott Matsumoto participated in a big name roundtable on Authentication hosted by PayPal’s Markus Jakobsson. The lively discussion includes diverse opinions about the biggest problems in authentication, potential solutions, and the direction in which the field is moving.

Finally, the S&P issue also includes a Silver Bullet transcript (as each and every issue does). This edition covers my Show 55 conversation with Deb Frincke, a member of the Defense Intelligence Senior Executive Service and deputy director for research at the National Security Agency (NSA).

IEEE Security & Privacy plays an important role in the field at the critical intersection point between peer reviewed science and applied technology. Cigital is proud to play such a big role in the tenth anniversary edition.

Happy birthday S&P!

The good news from my perspective is that talks are up (clocking in at 40) even while trips are down (coming in at 27). Those are the kinds of trends I can live with.

I gave nine keynote talks this year to large audiences. They included:

• Software Security and the BSIMM, Fannie Mae CSO Security Summit (Washington, DC)
• Architecture Risk Analysis, RSA Innovation Sandbox (San Francisco, CA)
• How Do I Secure my Software?, Hotel Technology Next Generation (San Diego, CA)
• Software Security: State of the Practice, SAP Quality Day (Heidelberg, Germany)
• Software Security and the BSIMM, Software Experts Summit (Mountain View, CA)
• Software Security and the BSIMM, AERES (Vienna, Austria)
• Attack Trends 2012, SNI Security Summit (Knoxville, TN)
• Attack Trends 2012, Automated Control Systems Security (Washington, DC)
• The Building Security In Maturity Model, NESSOS, Internet Days EU (Poznan, Poland)

I also gave talks at thirteen universities, including Uva, Harvard, Umass, NCSU, Georgetown, the Naval Postgraduate School, JHU, UMd, Northern Kentucky University, Columbia, Indiana University, JMU, and UC Santa Barbara. It is always a blast to interact with students. They seem to get younger every year.

If you have a speaking opportunity for us, we would love to hear from you! Cigital has a bunch of very talented speakers.

My monthly column for informIT continues apace into its fifth year. Here is a listing of the last 12 articles in the series (still working on December’s). I think my favorite one is the Zombies paper…that one should live on for a while.

• Third-Party Software and Security (November 30, 2011)
• Software Security Training (October 31, 2011)
• BSIMM3 (September 27, 2011)
• Balancing All the Breaking with some Building (August 30, 2011)
• Software Security Zombies (July 21, 2011)
• Computer Security and International Norms (May 30, 2011)
• vBSIMM (BSIMM for Vendors) (April 12, 2011)
• Modern Malware (March 22, 2011)
• Software Patents and Fault Injection (February 28, 2011)
• Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal) (January 31, 2011)
• Driving Efficiency and Effectiveness in Software Security (December 29, 2010)

My 2011 writing also included interaction with the Washington D.C. policy wonks at the Center for a New American Security. CNAS ran a study on cyber security for policymakers. CNAS CEO and Iraq War author Nate Fick co-authored a paper with me meant to inform lawmakers about what cyber security really should be: Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security in AMERICA’S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES I AND II, Center for a New Amercian Security [PDF] (June 2011).

With the purchase of Fortify Software by HP at the end of 2010, a long and very successful technology transfer path was completed. From our invention of security scanning in the labs at Cigital, through Kleiner-Perkins, to worldwide distribution through HP, code review for security is here to stay. I wrote the story up in IEEE Software: Technology Transfer: A Software Security Marketplace Case Study [PDF] (September/October 2011).

And there is always the Silver Bullet security podcast. The last 12 interviews included some really solid episodes. I think my favorite this year was an in depth interview with Ralph Langner about Stuxnet. Ralph is the guy who discovered that the payload was aimed at Siemens Control systems.

58. John Savage
59. Ralph Langner
60. Neil Daswani
61. Carl Landwehr
62. Halvar Flake
63. Craig Miller
64. Markus Schumacher
65. Giovanni Vigna
66. Shari Lawrence Pfleeger
67. Bill Pugh
68. John Steven

2012 should look much the same when it comes to trips and talks, though one of these years I need to find the time to write another book!

The UK intelligence agency, GCHQ, (roughly analogous to the US’s NSA) posted an online challenge recently at http://canyoucrackit.co.uk/ (read more). Given essentially no information other than what are pretty obviously hex digits, candidates are invited to attempt to “crack” an opaque puzzle. It isn’t even clear what the puzzle is (is it an encrypted document? is it a program? Is it a virus?).

Ostensibly the puzzle will help GCHQ identify very clever candidates to come work at the agency, fighting the good fight in cyberwarfare. Other high-profile companies have tried similar strategies in the past (like Google and Microsoft) to find highly qualified candidates.

The puzzle requires unraveling x86 instructions, finding a few bits of essential data hidden steganographically in the image itself, and putting it all together into a program that reveals a final URL to visit. The skills required to do this are similar to those required for reverse engineering unknown malware and trying to figure out what it does–especially when only part of it is present. It’s part systematic sleuthing, part guesswork, and part forensics.

As the UK, the US, and many other wealthy nations attempt to build their defences against cybercrime (and cyberwar), they are trying to identify good guys who have what it takes to understand what the bad guys do. It’s great fun to solve a problem like this, and it’s great fun to imagine doing that for a living to serve your country. But when you discover that the government’s salary is a fraction of the salary of being a private-sector good guy (not to mention what the bad guys might make), it’s no wonder they are struggling to find recruits.

The details of how I solved it are on my personal blog.

The BSIMM project describes and measures the work of 786 SSG members, who together with a satellite of 1750 people, have direct impact on the work of 185,316 developers. (Download a copy today and get your firm involved in the BSIMM Project.)

The BSIMM is mostly about SSDL activities and governance. However, third-party software plays a major role in all of the BSIMM firms and is an important risk factor that must be managed. In addition to talks from member firms, the BSIMM Community Conference also featured a workshop on third-party software and security.

Sammy, Brian, and I wrote up the results in an informIT article that was posted today.

The interesting aspect of our workshop was that it was made up approximately of 50% software vendors and 50% financial services firms. This made for a very interesting conversation around vendor control.

Here are those numbers again in the context of a few things we’ve learned:

Cigital has always included instructor-led training (ILT) as part of its knowledge transfer to clients. From our founding in 1992 through 2006, we trained an estimated 5000 students on various aspects of software quality and software security. This was done in only “a few hundred” sessions. In addition, from the launch of our formal training offerings in January 2007 through September 2011, we delivered approximately 525 ILT days to over 7700 students. Throw in “about 50” conference tutorial sessions and other non-client-specific training sessions (but not normal conference talks or similar things) and the student number grows to about 9000, for a total of about 14,000.

There has been some shift in demand over that time. For the first 10 years or so, everything was custom. We typically spent weeks and even months building training that was very specific to platforms, frameworks, coding standards, policies, and even specific problems-of-the-day. This training was usually for relatively small numbers of people all working on something very similar. For the firm, that becomes a very expensive proposition when you get to hundreds or even thousands of developers working in multiple technologies, stacks, languages, tools, and related items. There simply isn’t enough time or dollars to make custom training for everyone.

Starting in 2006, we saw a real market demand for more standardized software security training (as differentiated from the plethora of network security, tool-specific, and generic “security” training in the marketplace, or the deep-dive, single-topic courses for things like reversing malware or DLL hooking). This demand was and continues to be much more centered on foundational training for all SDLC stakeholders (business analysts, architects, developers, quality testers, pen testers, audit, risk/compliance, and so on) and advanced training for small groups (e.g., lead architects and developers).

From early 2007 through October 2011, Cigital also deployed eLearning to firms that represent over 100,000 students who are developers, architects, testers, managers, business analysts, security operations folks, and others. The majority of clients are using our eLearning in their internal learning management systems for access by employees as well as contractors integrated into the client’s ecosystem. For external contractors without access to internal client systems, clients are using our training portal.

There has been shift in the eLearning landscape as well.

• We see almost all large firms having their own learning management system and wanting to take our material in-house. Meanwhile, smaller firms are looking to out-source everything and simply purchase access to our LMS for a given number of seats.
• There is a growing demand for tightly-focused topical modules that can be consumed in an hour or less.
• There was an initial demand for custom eLearning and then off-the-shelf became all the rage as the economy changed.
• There’s a trend to moving training closer to the activity. For example, inserting some defensive programming training directly into the developer’s IDE. We’ve actually developed plug-in technology for this one.
• As everyone sees the possibilities represented by more advanced instructional design, there is an increasing demand for what can only be described as virtual reality and flying monkeys with every image and word indexed and a holographic interface that instantly takes the student to the exact second in the module that answers with cut-and-paste content whatever question the student is pondering. Oh, and it needs to run on any device from laptops to smart phones to microwaves and in-dash satellite radios. Of course, we’re all over this, too.

As an off-shoot of our continuing BSIMM activities, Gary and I also recently wrote an article on software security training. Here are some additional thoughts.

Cigital has been working one-on-one with Rural Electric Co-ops across the US to help them raise their cyber security bar, starting with the creation of their own custom cyber security plan. To facilitate this process, Cigital provided the Co-ops with several artifacts, including a Guide to Developing a Cyber Security and Risk Mitigation Plan and an associated Cyber Security Plan Template, developed by Cigital for the National Rural Electric Cooperative Association (NRECA). The following video captures testimonials from Rural Electric Co-ops that have worked with Cigital to create their cyber security plans, along with feedback from industry experts and practitioners on the cyber security risk management approach and toolkit developed by Cigital.

Since the first BSIMM interview in October 2008, we’ve progressed from nine to 30 to 42 firms (and more, at this point). We’ve also measured 11 firms twice—about 19 months between measurements on average—and that has provided the BSIMM community with some unique insight on how software security initiatives change over time. Assessing 42 individual firms and performing 11 re-assessments required 81 sets of interviews in just a shade less than three years.

For my money, that’s not bad for a backyard project.

Of the 42 firms in the data pool, 27 have graciously allowed us to name them as BSIMM participants. They are: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Fannie Mae, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Scripps Networks Interactive, Sony Ericsson, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo, and Zynga. To these and the other 15 firms, thank you very much for participating. You are directly responsible for advancing the cause of software security.

The BSIMM3 document is freely available under a Creative Commons license. You can get it from http://bsimm.com. Go ahead; it’s a good read. Even if you’re down the road with your software security initiative, you can get a glimpse into the actual software security activities conducted by your peers and competitors. If you’ve yet to get started, BSIMM will give you some great ideas.

As always, we are looking for more people who are interested in participating in the BSIMM study. We’d love to hear from you.

–Sammy.

There has been a lot of talk about BEAST (Browser Exploit Against SSL/TLS) lately. The attack against SSL 3.0 / TLS 1.0 was recently publicized by Thai Duong and Juliano Rizzo. Do you know what the risks are, and how to protect yourself?

How does it work?

The attack has two components, and the goal is for the attacker to get your cookie so that he can hijack your session:

• Some client-side code (Java applet, Silverlight application, etc.) that is injected into a page delivered over HTTP that can make requests to a site that uses HTTPS. This may require bypassing (or finding loopholes in) same-origin security policies.
• A sniffer on the network that the victim is on, to record encrypted data generated by the client-side code. The sniffer and the client-side code need to communicate with each other for the attack to work.

The easiest way to carry out this attack is over a public Wi-Fi network; however, attackers on other types of networks including wired networks can also do this. The main requirement is that the attacker and the victim need to be on the same LAN. The attacker will need to conduct a man-in-the-middle attack to inject malicious code into a HTTP page that can make requests to the targeted HTTPS site. This attack only works if the HTTPS connection is established using SSL 3.0 or TLS 1.0 and a block cipher (e.g. 3DES or AES) in CBC mode is chosen. Unfortunately, most HTTPS sites currently support only SSL 3.0 and TLS 1.0, and prefer using block ciphers in CBC mode.

Some technical details

The main techniques used by the attack are described below. Feel free to skip this section if you don’t care about the technical details.

• Some types of client-side code (Java applets, Silverlight applications, etc.) have the ability to send partial HTTPS requests. They keep the SSL/TLS connection open, and send data as it becomes available. With SSL 3.0 / TLS 1.0, each time a new block of data is sent, a new random initialization vector is not generated. The data is simply appended to the previous stream. An attacker who sees the last ciphertext block and can control the next plaintext block can gain complete control over the next ciphertext block (this is a consequence of how CBC mode works).
• Since HTTP headers preceding cookie headers are predictable and can be obtained by an attacker who sniffs a single HTTP request from the victim, and since the attacker can control the URL of requests, he can control exactly where the cookie header’s bytes end up in relation to ciphertext block boundaries.
• If an attacker knows the previous block of ciphertext and can completely control the next block of plaintext, he can determine whether a previously seen block of ciphertext corresponded to a given block of plaintext. Let’s assume that the attacker wants to determine whether the plaintext, P_i, for a previously seen block of ciphertext, C_i was x. Now, the attacker knows C_j-1, the last block of ciphertext, and wants to set P_j, the next block of plaintext to be encrypted, to a value that helps him determine whether P_i was equal to x. If he sets P_j = C_j-1 ⊕ C_i-1P_i ⊕ x (note that C_j-1 and C_i-1 are sniffed from the network, and x is the attacker’s guess), and P_i was indeed equal to x, then C_j = E(C_j-1 ⊕ P_j) = E(C_j-1 ⊕ C_j-1 ⊕ C_i-1 ⊕ x) = E(C_i-1 ⊕ x) = E(C_i-1 ⊕ P_i) = C_i. Therefore, if the attacker’s guess is correct, then the next block of ciphertext, C_j, will equal the previously seen block of ciphertext, C_i.

Given the above details, let’s say that an attacker makes a request to /AAAAAAAAAA, and knows that it will result in a block of ciphertext containing part of the cookie header: “ookie: x” (this is realistic if a 3DES cipher suite is used). Now, the attacker can make all 256 possible guesses for x, and can determine the first byte of the cookie header. Next, the attacker can make a new HTTP request to /AAAAAAAAA (one less A, which shifts the cookie header one position to the left such that the ciphertext block is now “okie: xy”) and can guess y. The attacker can continue in this manner until he guesses all bytes of the cookie. In reality, there are a lot less than 256 possibilities for each byte of the cookie header, and so the attack requires less work. There are also several details required for the attack to work that are omitted here.

Why the problem can’t be fixed quickly

TLS 1.1, which fixes this issue, was defined in April 2006. As you may have guessed, this problem was known before April 2006. However, it was considered mostly a theoretical issue until Thai Duong and Juliano Rizzo showed how it can be used to decrypt cookies sent over HTTPS. Even though this issue has been known for a while, it is probably not going to be fixed anytime soon because most websites do not support TLS 1.1 or TLS 1.2. According to Opera, only about 0.25 percent of web servers support TLS 1.1, and only 0.02 percent of web servers support TLS 1.2. There are workarounds that some browser vendors are currently implementing and testing; however, this problem is not going to be completely fixed until most web servers start supporting TLS 1.1 or TLS 1.2.

Risks

Should you be worried? Probably not. This does not significantly increase the risk of connecting to untrusted networks. There are easier attacks that can be used to steal your cookies (or your username and password) for many websites, or even install arbitrary software on your computer if you connect to untrusted networks. Some examples are:

• Many websites do not set the ‘secure’ flag on their session cookies, which means that a tool like sslstrip can be used by an attacker on your network to get your cookie.
• Many websites provide login forms over HTTP (even though your password may actually submitted over HTTPS), and attackers on your network can modify the login pages to get your username and password.
• Many users ignore certificate warnings provided by browsers, or may not even notice that a tool like sslstrip is being used and that they are not actually accessing a site over HTTPS before entering their credentials.
• Tools such as Evilgrade can be used to install arbitrary software on your computer by leveraging software that has insecure automatic update mechanisms.

Protecting yourself

If you want to protect yourself against BEAST-like attacks, you can take several steps:

• Delete all your cookies before you connect to an untrusted network.
• Limit the amount of time you spend authenticated to HTTPS sites on untrusted networks, and remember to log out as soon as you are done.
• Until your browser vendor releases a fix, disable all cipher suites that use block ciphers in your browser (leave only cipher suites with RC4 enabled).

Note that the last workaround may cause you to be unable to access many websites. Of course, when browser vendors release security updates, install them immediately.