1 Reply Latest reply: May 30, 2013 6:43 AM by gimbal2

    ServerHandshaker - Beast attack

    1011822
      Hi,

      I would like to ask whether there is a way to prevent the BEAST attack. As I understand the problem, it can be solved by forcing the order of ciphers on the server side. I have found somewhere that this problem is solved in JDK 7, but I cannot find this in the code. When I look at the chooseCipherSuite method in ServerHandshaker, there is code for selecting the first common cipher in the order provided by the client. Is this solved in a different way?

      Thank you

      Tom
        • 1. Re: ServerHandshaker - Beast attack
          gimbal2
          If you're lucky Oracle mentions that something is fixed; what they never mention is HOW it is fixed.

          Googling this stuff proves that even more, because I just can't find any hard information on the fix at all. The only thing I can find is that it involves the command-line flag '-enableCBCProtection', which can be used to DISABLE the fix. Googling around for that flag returns a disappointing lack of information. This is what IBM has to say on it:

          http://www-01.ibm.com/support/docview.wss?uid=swg21571596

          Quote:

          "The following system property can be set that adds sufficient randomness to the SSLv3/TLS 1.0 Cipher in Cipher-Block Chaining (CBC) mode to remediate a threat like BEAST."
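          Added example (not code from the thread or from the JDK): the server-side cipher ordering the question asks about, written against the Java 8+ JSSE API, since JDK 7's ServerHandshaker has no switch for it and picks the first common suite in the client's order, as observed in the question. SSLParameters.setUseCipherSuitesOrder(true) makes the server's list win; the PREFERRED list below is an assumed policy (TLS 1.2/1.3 AEAD suites, which have no CBC mode to attack). The final line reads jsse.enableCBCProtection, the JSSE system property behind the JDK 7 BEAST mitigation (1/n-1 record splitting for CBC suites on SSLv3/TLS 1.0, on by default); that mitigation is independent of suite ordering, and the example only reports it. No keystore is needed to build the engine and apply the parameters; a real server loads its key material into the SSLContext first.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ServerCipherOrder {

    // Server preference, most preferred first (assumed policy for this example).
    // AEAD suites carry no CBC and are therefore outside BEAST's scope entirely.
    static final String[] PREFERRED = {
        "TLS_AES_256_GCM_SHA384",                      // TLS 1.3, present on Java 11+
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    };

    /** Keeps the entries of 'wanted' that 'supported' contains, in 'wanted' order. */
    static String[] intersect(String[] wanted, String[] supported) {
        List<String> sup = Arrays.asList(supported);
        List<String> out = new ArrayList<>();
        for (String w : wanted) {
            if (sup.contains(w)) out.add(w);
        }
        return out.toArray(new String[0]);
    }

    /** Returns SSLParameters under which the server, not the client, decides the suite. */
    static SSLParameters serverPreferred(SSLEngine engine) {
        SSLParameters p = engine.getSSLParameters();
        // Drop SSLv3/TLS 1.0 entirely; BEAST needs the chained-IV CBC of those versions.
        p.setProtocols(intersect(new String[] {"TLSv1.3", "TLSv1.2"},
                                 engine.getSupportedProtocols()));
        String[] suites = intersect(PREFERRED, engine.getSupportedCipherSuites());
        if (suites.length == 0) {
            throw new IllegalStateException("no preferred suite is supported by this runtime");
        }
        p.setCipherSuites(suites);
        // Java 8+: honour the server's order during suite selection instead of the
        // client's, which is what chooseCipherSuite does by default.
        p.setUseCipherSuitesOrder(true);
        return p;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        engine.setSSLParameters(serverPreferred(engine));

        System.out.println("protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("suites (server order):");
        for (String s : engine.getEnabledCipherSuites()) {
            System.out.println("  " + s);
        }

        // The JDK 7 BEAST mitigation (1/n-1 record splitting for CBC suites) is a separate
        // mechanism from suite ordering; it defaults to on and is controlled by this property.
        System.out.println("jsse.enableCBCProtection="
                + System.getProperty("jsse.enableCBCProtection", "true (default)"));
    }
}
```

          Run with `java ServerCipherOrder` on Java 8 or later; on a JDK 7 runtime the call to setUseCipherSuitesOrder does not compile, which is the gap the original question ran into. Starting the JVM with `-Djsse.enableCBCProtection=false` shows the property being read, but there is no reason to do that on a production server.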