Feeds

Firefox devs mull dumping Java to stop BEAST attacks

'Horrible user experience' for your own good

Top 5 reasons to deploy VMware with Tegile

Firefox developers searching for a way to protect users against a new attack that decrypts sensitive web traffic are seriously considering an update that stops the open-source browser from working with Oracle's Java software framework.

The move, which would prevent Firefox from working with scores of popular websites and crucial enterprise tools, is one way to thwart a recently unveiled attack that decrypts traffic protected by SSL, the cryptographic protocol that millions of websites use to safeguard social security numbers and other sensitive data. In a demonstration last Friday, it took less than two minutes for researchers Thai Duong and Juliano Rizzo to wield the exploit to recover an encrypted authentication cookie used to access a PayPal user account.

Short for Browser Exploit Against SSL/TLS, BEAST injects JavaScript into an SSL session to recover secret information that's transmitted repeatedly in a predictable location in the data stream. For Friday's implementation of BEAST to work, Duong and Rizzo had to subvert a safety mechanism built into the web known as the same-origin policy, which dictates that data set by one internet domain can't be read or modified by a different address.

The researchers settled on a Java applet as their means to bypass SOP, leading Firefox developers to discuss blocking the framework in a future version of the browser.

“I recommend that we blocklist all versions of the Java Plugin,” Firefox developer Brian Smith wrote on Tuesday in a discussion on Mozilla's online bug forum. “My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin.”

About four hours later, fellow developer Justin Scott updated the thread, writing:

“In the interest of keeping this bug updated with the latest status, this morning I asked Johnath for some help in understanding the balance between the horrible user experience this would cause and the severity/prevalence of the security issue and am waiting to hear back. We also discussed this in the Products team meeting today and definitely need better understanding of that before putting the block in place.”

On Wednesday morning, Johnath, the alias for Firefox Director of Engineering Johnathan Nightingale, weighed in: “Yeah - this is a hard call. Killing Java means disabling user functionality like facebook video chat, as well as various java-based corporate apps (I feel like Citrix uses Java, for instance?)”

He went on to say that Firefox already has a mechanism for “soft-blocking” Java that allows users to re-enable the plugin from the browser's addons manager or in response to a dialogue box that appears in certain cases.

“Click to play or domain-specific whitelisting will provide some measure of benefit, but I suspect that enough users will whitelist, e.g., facebook that even with those mechanisms (which don't currently exist!) in place, we'd have a lot of users potentially exposed to java weaknesses.”

The Draconian move under consideration is in stark contrast to the approach developers of Google's Chrome browser have taken. Last week, they updated the developer and beta versions of Chrome to split certain messages into fragments to reduce the attacker's control over the plaintext about to be encrypted. By adding unexpected randomness to the encryption process, the new behavior in Chrome is intended to throw BEAST off the scent of the decryption process by feeding it confusing information.

The update has created incompatibilities between Chrome and at least some websites, as this Chromium bug report shows. Google has yet to push out the update to the vast majority of Chrome users who rely on the stable version of the browser.

Microsoft, meanwhile, has recommended that users apply several workaround fixes while it develops a permanent patch. The company hasn't outlined the approach it plans to take.

The prospect of Firefox no longer working with Java could cause a variety of serious problems for users, particularly those in large corporations and government organizations that rely on the framework to make their browsers work with virtual private networks, intranet tools, and web-conferencing applications such as Cisco Systems' WebEx.

Presumably, Java would be killed by adding it to the Mozilla Blocklisting Policy.

“Whatever decision we make here, I really hope Oracle gets an update of their own out,” Nightingale wrote. “It's the only way to keep their users affirmatively safe.” ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.