FIREFOX DEVELOPERS are considering blocking the Java plug-in in order to prevent a dangerous same origin policy bypass from working. The bug was exploited by security researchers Thai Duong and Juliano Rizzo in their recently disclosed attack against SSL/TLS.
The Browser Exploit Against SSL/TLS (BEAST) leverages a decade-old vulnerability in SSL and TLS 1.0 to decrypt and steal protected session cookies.
In order for BEAST to work, the attackers need to gain a man-in-the-middle position that allows them to control the victim's network connection. This is also necessary for injecting a crucial piece of rogue JavaScript code into a non-encrypted page the user visits.
Then, in order for this code to interfere with the targeted HTTPS web site, restrictions enforced by the browser's same origin policy (SOP) need to be bypassed. Duong and Rizzo achieved this by exploiting a vulnerability in Oracle's Java plug-in.
"I recommend that we blocklist all versions of the Java Plugin," Firefox developer Brian Smith proposed on Mozilla's bug tracking platform. "My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin," he added.
Firefox's blocklisting mechanism can be used to quickly block dangerous add-ons if the need arises, but Mozilla also has a less drastic solution for disabling plug-ins or extensions that allows users to re-enable them on a click-to-play basis. However, Smith believes that such soft-blocking is not suitable in this case because attackers can easily overcome it.
The development team is still undecided because disabling Java, even if temporarily, would cause all sorts of user experience problems. Java is not commonly used on regular web sites anymore, but it is still widespread in corporate environments where business-type web-based applications need it.
"This is a hard call. Killing Java means disabling user functionality like facebook video chat, as well as various java-based corporate apps (I feel like Citrix uses Java, for instance?)," said Mozilla's director of Firefox engineering, Johnathan Nightingale, who seems to favor a click-to-play approach for now.
"Whatever decision we make here, I really hope Oracle gets an update of their own out - it's the only way to keep their users affirmatively safe," he concluded.
If the team decides to go ahead with this solution, it won't be the first time Mozilla has blocked an important plug-in. Back in November 2009, the browser maker disabled Microsoft's .NET Framework Assistant and Windows Presentation Foundation add-ons because of unresolved security issues.
But this isn't a security problem that Java has. It's a security problem that TLS 1.0 has. It's not even clear to me that Java is performing TLS 1.0 encryption itself or just using the browser's TLS session to communicate (if that makes sense). And probably you could do the attack with an HTML Refresh header on the web page itself, or a repetitive "magic eye" JPEG. It's TLS 1.0 that needs to be retired.
I remember how proud Opera were to be one of its earliest implementers, or at least I think they said so. Several years ago, obviously.
So did they also say when they'll add the improved TLS 1.1 and 1.2 to mitigate the TLS hole and attacks?
As for the .NET and WPF remark, it seems quite odd to call those important plugins, because when I disabled those I found there is not a single site where they were needed, so you can't say they were that important, can you?
Block Java and Flash, and half of the problems with the Internet will be gone.
The NoScript add-on for Firefox and other Gecko-based Web browsers might be able to help out here. It allows "click to play" functionality for not just Java, but also JavaScript, Flash, ActiveX (if you have MS .NET Framework installed), and several other things. You could allow the corporate sites but disallow anything from the Internet.
"Oracle may or may not be aware of the details of the same-origin exploit."
In either case, Oracle can't be arsed to fix security holes in Java. Oracle is too busy filing lawsuits against businesses using Java.