For more informations refer to:
For the BEAST attack to succeed all of the following conditions must hold:
- SSLv3 or TLS 1.0 must be used.
- A block cipher must be used.
- The empty fragment mitigation must not be used. Many browsers, including IE and Chrome have it now.
- The attacker must be able to both run an agent on the browser, and to monitor outgoing traffic.
- The attacker must find a way to bypass the Same Origin Policy (SOP) on the browser, because the browser is not supposed to allow an attacker's agent (whether implemented in Java, Javascript, Flash or Silverlight) to send requests to another server.
The BEAST attack used a bug in the Java virtual machine implemented in some browsers, where the SOP was not enforced. This bug in Java has been fixed and all reasonably updated clients are not vulnerable. Similarly, all clients that have the empty fragment mitigation are not vulnerable either. In additional all other browser bugs mentioned in this CVE (e.g. WebSocket API) were fixed.
Therefore, the BEAST attack is not feasible today.
|
This solution is about products that are no longer supported and it will not be updated
|