Taming the Beast (Browser Exploit Against SSL/TLS)

re: Taming the Beast (Browser Exploit Against SSL/TLS)

Kaushal Kumar Panday — Tue, 04 Jun 2013 00:20:06 GMT

Thanks for the comment. I mentioned these as CBC based ciphers (I have never explicitly called this as CBC ciphers).

As you know CBC is a mode of operation. For the readers, here is the Wikipedia article on the block mode ciphers: en.wikipedia.org/.../Block_cipher_mode_of_operation

re: Taming the Beast (Browser Exploit Against SSL/TLS)

site remediation — Mon, 03 Jun 2013 10:14:04 GMT

CBC isn't a cipher, it's a mode (a method of using a cipher). Other modes include EBC, OFB, and CTR, and all of these can be applied to symmetic ciphers algorithms such as AES, DES and Triple DES.

re: Taming the Beast (Browser Exploit Against SSL/TLS)

GlennG — Sat, 15 Dec 2012 02:01:45 GMT

So how does one disable the CBC 'mode' in IIS6?

re: Taming the Beast (Browser Exploit Against SSL/TLS)

Kaushal Kumar Panday — Wed, 21 Nov 2012 22:51:47 GMT

@Brian

It was fixed in MS12-006. You can read more about it here: blogs.msdn.com/.../fixing-the-beast.aspx

re: Taming the Beast (Browser Exploit Against SSL/TLS)

Brian — Wed, 21 Nov 2012 00:51:54 GMT

Was there a fix for this in a Windows update - presume it added the prefered ordering?

re: Taming the Beast (Browser Exploit Against SSL/TLS)

Kaushal Kumar Panday — Mon, 03 Oct 2011 23:55:49 GMT

David, I totally agree with you. CBC is a mode of operation and not a cipher.

I have mostly referred in my blog as "This vulnerability exists in all CBC based ciphers", I noticed that I made a small typo while referring to the CBC diagrams.

Thanks for pointing it out. :)

re: Taming the Beast (Browser Exploit Against SSL/TLS)

David Boyce UK — Mon, 03 Oct 2011 20:13:46 GMT

CBC isn't a cipher, it's a mode (a method of using a cipher). Other modes include EBC, OFB, and CTR, and all of these can be applied to symmetic ciphers algorithms such as AES, DES and Triple DES.