Why care about the BEAST attack at all? There are a few reasons. Attacks only become simpler and more effective over time. Right now the BEAST attack tool requires separate tools or techniques to pull off the pre-conditions. No doubt someone will make it a single program with a single click of the button. It is also very plausible that some of the preconditions will no longer be required. Without those, we face a significantly easier attack method. The resulting attack may not be as immediately prolific as a buffer overflowing Internet worm, but it would make using a public network far sketchier.
More importantly, it is yet another exploited vulnerability that we have known about for years and we just don't care to fix. Well, the fixes are out there, but we don't care enough to simply click a single check mark to implement. It begs the bigger question of why society doesn't care enough to implement important fixes that have been in existence for many years. Why do we usually wait for the pain before we implement?
Critics might argue that society is making the correct cost-benefit decision in putting of investments in security improvements, and it doesn't make sense to implement before the pain occurs. But in the case of BEAST, the threshold is so low. We've had the fix for many years. Many browsers have had the newer protocols for a long time, but vendors simply did not enable them by default. Most websites have the ability to implement the newer protocols, but their operators haven't. We didn't need to invent anything new. In most cases, enabling an effective defense requires ticking a few check marks.
I know most of society doesn't really care about computer security -- until it impacts them. But we as computer security professionals have no excuse to be so cavalier as to forgo enabling a few check marks to fight this known attack vector. If this threshold of action (or should I say inaction) is too much, what would we do proactively to protect ourselves before the real pain hits? That's the depressing part and bigger question posed by the BEAST attack.
This story, "Now that SSL has been cracked, watch out," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.