1 Reply Latest reply on May 30, 2013 11:43 AM by gimbal2

    ServerHandshaker - Beast attack


      I would like to ask, whether there is a way how to prevent beast attack. As I understand the problem It can be solved by forcing order of ciphers on server side. I have found somewhere that this problem is solved in jdk7. But I cannot find this in code. When I look to ServerHandshaker to method chooseCipherSuite method there is code for selecting first common cipher in order provided by client. Is this solved in different way?

      Thank you

        • 1. Re: ServerHandshaker - Beast attack
          If you're lucky Oracle mentions that something is fixed; what they never mention is HOW it is fixed.

          Googling this stuff proves that even more because I just can't find any hard information on the fix at all. The only thing I can find is that it involves the command line flag '-enableCBCProtection' which can be used to DISABLE the fix. Googling around for that flag returns a disappointing lack of information. This is what IBM has to say on it:



          "The following system property can be set that adds sufficient randomness to the SSLv3/TLS 1.0 Cipher in Cipher-Block Chaining (CBC) mode to remediate a threat like BEAST."