Transport Layer Security
===={{Anchor|BEAST}}BEAST attack====
On September 23, 2011, researchers Thai Duong and Juliano Rizzo demonstrated a proof of concept called '''BEAST''' ('''Browser Exploit Against SSL/TLS''')<ref name=DuongRizzo>{{cite web|url=https://bug665814.bugzilla.mozilla.org/attachment.cgi?id=540839|title=Here Come The ⊕ Ninjas|date=2011-05-13|author1=Thai Duong|author2=Juliano Rizzo|name-list-style=amp|url-status=live|archive-url=https://web.archive.org/web/20140603102506/https://bug665814.bugzilla.mozilla.org/attachment.cgi?id=540839|archive-date=2014-06-03}}</ref> using a [[Java applet]] to violate [[same origin policy]] constraints, for a long-known [[cipher block chaining]] (CBC) vulnerability in TLS 1.0:<ref name=DanGoodin>{{cite web|url=https://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl|title=Hackers break SSL encryption used by millions of sites|date=2011-09-19|first=Dan|last=Goodin|website=[[The Register]]|url-status=live|archive-url=https://web.archive.org/web/20120210185309/http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl|archive-date=2012-02-10}}</ref><ref name=combinator>{{cite web|url=http://news.ycombinator.com/item?id=3015498|title=Y Combinator comments on the issue|date=2011-09-20|url-status=live|archive-url=https://web.archive.org/web/20120331225714/http://news.ycombinator.com/item?id=3015498|archive-date=2012-03-31}}</ref> an attacker observing 2 consecutive ciphertext blocks C0, C1 can test if the plaintext block P1 is equal to x by choosing the next plaintext block {{nowrap|1=P2 = x ⊕ C0 ⊕ C1}}; as per CBC operation, {{nowrap|1=C2 = E(C1 ⊕ P2) = E(C1 ⊕ x ⊕ C0 ⊕ C1) = E(C0 ⊕ x)}}, which will be equal to C1 if {{nowrap|1=x = P1}}.
Practical [[exploit (computer security)|exploits]] had not been previously demonstrated for this [[vulnerability (computing)|vulnerability]], which was originally discovered by [[Phillip Rogaway]]<ref>{{cite web|url=http://www.openssl.org/~bodo/tls-cbc.txt|archive-url=https://web.archive.org/web/20120630143111/http://www.openssl.org/~bodo/tls-cbc.txt|archive-date=2012-06-30|title=Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures|date=2004-05-20}}</ref> in 2002. The vulnerability had been fixed with TLS 1.1 in 2006, but TLS 1.1 had not seen wide adoption prior to this attack demonstration. [[RC4]], as a stream cipher, is immune to the BEAST attack. Therefore, RC4 was widely used as a way to mitigate the BEAST attack on the server side. However, in 2013, researchers found more weaknesses in RC4. Thereafter, enabling RC4 on the server side was no longer recommended.<ref>{{cite web|url=https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat|title=Is BEAST Still a Threat?|date=Sep 10, 2013|access-date=8 October 2014|last=Ristic|first=Ivan|url-status=live|archive-url=https://web.archive.org/web/20141012121824/https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat|archive-date=12 October 2014}}</ref> Chrome and Firefox themselves are not vulnerable to the BEAST attack;<ref name=ChromeBEAST>{{cite web|url=http://googlechromereleases.blogspot.jp/2011/10/chrome-stable-release.html|title=Chrome Stable Release|work=Chrome Releases|date=2011-10-25|access-date=2015-02-01|url-status=live|archive-url=https://web.archive.org/web/20150220020306/http://googlechromereleases.blogspot.jp/2011/10/chrome-stable-release.html|archive-date=2015-02-20}}</ref><ref name=FirefoxBEAST>{{cite web|url=https://blog.mozilla.org/security/2011/09/27/attack-against-tls-protected-communications|title=Attack against TLS-protected communications|work=Mozilla Security Blog|publisher=Mozilla|date=2011-09-27|access-date=2015-02-01|url-status=live|archive-url=https://web.archive.org/web/20150304221307/https://blog.mozilla.org/security/2011/09/27/attack-against-tls-protected-communications|archive-date=2015-03-04}}</ref> however, Mozilla updated their [[Network Security Services|NSS]] libraries to mitigate BEAST-like [[Attack (computing)|attacks]]. NSS is used by [[Mozilla Firefox]] and [[Google Chrome]] to implement SSL. Some [[web server]]s that have a broken implementation of the SSL specification may stop working as a result.<ref>{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=665814|title=(CVE-2011-3389) Rizzo/Duong chosen plaintext attack (BEAST) on SSL/TLS 1.0 (facilitated by websockets-76)|date=2011-09-30|first=Brian|last=Smith|access-date=2011-11-01|archive-date=2012-02-10|archive-url=https://web.archive.org/web/20120210202750/https://bugzilla.mozilla.org/show_bug.cgi?id=665814|url-status=live}}</ref> [[Microsoft]] released Security Bulletin MS12-006 on January 10, 2012, which fixed the BEAST vulnerability by changing the way that the Windows Secure Channel ([[Schannel]]) component transmits encrypted network packets from the server end.<ref name=MS12-006>{{cite tech report|author=MSRC|author-link=Microsoft Security Response Center|date=2012-01-10|url=https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-006|title=Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)|website=Security Bulletins|number=MS12-006|access-date=2021-10-24|via=[[Microsoft Docs]]}}</ref> Users of Internet Explorer (prior to version 11) that run on older versions of Windows ([[Windows 7]], [[Windows 8]] and [[Windows Server 2008|Windows Server 2008 R2]]) can restrict use of TLS to 1.1 or higher.
[[Apple Inc.|Apple]] fixed the BEAST vulnerability by implementing the 1/n-1 split and turning it on by default in [[OS X Mavericks]], released on October 22, 2013.<ref>{{cite web|url=https://community.qualys.com/blogs/securitylabs/2013/10/31/apple-enabled-beast-mitigations-in-os-x-109-mavericks|title=Apple Enabled BEAST Mitigations in OS X 10.9 Mavericks|date=Oct 31, 2013|access-date=8 October 2014|last=Ristic|first=Ivan|url-status=live|archive-url=https://web.archive.org/web/20141012122536/https://community.qualys.com/blogs/securitylabs/2013/10/31/apple-enabled-beast-mitigations-in-os-x-109-mavericks|archive-date=12 October 2014}}</ref>
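
The CBC identity stated above, and the reason the per-record IV of TLS 1.1 removes it, can be checked with the following added example (not part of the original article or of any TLS implementation). The names <code>CbcSender</code> and <code>guess_confirmed</code> are hypothetical, and truncated HMAC-SHA256 is an assumed stand-in for the block cipher E, since the check only needs E to be deterministic under a fixed key.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes

def E(key, block):
    # Assumption: HMAC-SHA256 truncated to one block stands in for the block
    # cipher E; the check below only needs E to be deterministic under the key.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(*blocks):
    out = bytes(BLOCK)
    for b in blocks:
        out = bytes(p ^ q for p, q in zip(out, b))
    return out

class CbcSender:
    """Hypothetical one-block-per-record CBC sender.

    chained_iv=True  -> TLS 1.0: the IV is the last ciphertext block sent.
    chained_iv=False -> TLS 1.1: a fresh random IV for every record.
    """
    def __init__(self, key, chained_iv):
        self.key = key
        self.chained_iv = chained_iv
        self.last = os.urandom(BLOCK)

    def send(self, plaintext_block):
        iv = self.last if self.chained_iv else os.urandom(BLOCK)
        c = E(self.key, xor(iv, plaintext_block))
        self.last = c
        return iv, c  # (block XORed into the plaintext, resulting ciphertext)

def guess_confirmed(sender, p1, x):
    c0, c1 = sender.send(p1)   # C0, C1 as seen on the wire
    p2 = xor(x, c0, c1)        # P2 = x XOR C0 XOR C1, built before the next IV is known
    _, c2 = sender.send(p2)
    return c2 == c1            # True only when E(IV2 XOR P2) == E(C0 XOR P1)

if __name__ == "__main__":
    key = os.urandom(32)
    secret = b"constructed-blk1"  # constructed 16-byte sample block
    wrong = b"constructed-blk2"
    print("TLS 1.0, x = P1 :", guess_confirmed(CbcSender(key, True), secret, secret))
    print("TLS 1.0, x != P1:", guess_confirmed(CbcSender(key, True), secret, wrong))
    print("TLS 1.1, x = P1 :", guess_confirmed(CbcSender(key, False), secret, secret))
```

With the chained IV the comparison succeeds exactly when x = P1; with a fresh random IV per record the same P2 no longer cancels the IV, so even a correct guess is not confirmed.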