Check Point response to CVE-2011-3389 aka BEAST attack
For more information, refer to:
For the BEAST attack to succeed, all of the following conditions must hold:
- SSLv3 or TLS 1.0 must be used.
- A block cipher must be used.
- The empty fragment mitigation must not be used. Many browsers, including IE and Chrome, have it now.
- The attacker must be able to both run an agent on the browser, and to monitor outgoing traffic.
The BEAST attack used a bug in the Java virtual machine implemented in some browsers, where the same-origin policy (SOP) was not enforced. This bug in Java has been fixed and all reasonably updated clients are not vulnerable. Similarly, all clients that have the empty fragment mitigation are not vulnerable either. In addition, all other browser bugs mentioned in this CVE (e.g. WebSocket API) were fixed.
Therefore, the BEAST attack is not feasible today.
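Added example (not part of the Check Point advisory): the first two conditions in the list above can be audited from the plaintext ServerHello of a captured handshake. The Python code below parses that record and reports whether SSLv3 or TLS 1.0 was negotiated together with a block cipher suite; the function names are hypothetical, the suite table is a small sample of IANA IDs, and the sample records are constructed.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
OLD_VERSIONS = {0x0300, 0x0301}  # condition 1: SSLv3 or TLS 1.0

# Small, non-exhaustive sample of IANA cipher suite IDs: (name, is block cipher).
SUITES = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", False),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", True),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", True),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", True),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", True),
}

def parse_server_hello(record: bytes):
    """Return (version, cipher_suite_id) from a plaintext ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or rec_len < 4 or len(body) != rec_len or body[0] != 2:
        raise ValueError("not a complete ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:  # server_version(2) + random(32) + session_id length(1)
        raise ValueError("truncated ServerHello")
    offset = 35 + hello[34]  # skip the variable-length session_id
    if len(hello) < offset + 3:  # cipher_suite(2) + compression_method(1)
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[:2], "big"), int.from_bytes(hello[offset:offset + 2], "big")

def check_conditions(record: bytes) -> dict:
    """Evaluate conditions 1 and 2 of the list above for one handshake."""
    version, suite = parse_server_hello(record)
    name, is_block = SUITES.get(suite, (f"unknown(0x{suite:04X})", None))
    old = version in OLD_VERSIONS
    # both_met is None when an old-protocol handshake uses a suite not in the table.
    return {"version": VERSIONS.get(version, f"0x{version:04X}"), "suite": name,
            "old_protocol": old, "block_cipher": is_block, "both_met": old and is_block}

def sample_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample record (zero random, empty session_id, no extensions)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

if __name__ == "__main__":
    for v, s in [(0x0301, 0x002F), (0x0301, 0x0005), (0x0303, 0x002F)]:
        print(check_conditions(sample_server_hello(v, s)))
```

A result with `both_met` true only establishes the first two conditions; the mitigation and attacker-position conditions are not visible in the ServerHello.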