Should I ignore the BEAST SSL exploit and continue to prefer AES?

Question

Because of the BEAST exploit it seems everyone is saying you should stop using AES and instead use RC4.

I am wondering if it wouldn't be better to continue using AES instead for the following reasons:

1. To exploit BEAST the attacker has to get the client to execute their javascript code. If they can do this then you have an XSS vulnerability in your site. If this is the case wouldn't it be much easier to just hijack the user's session or grab data from the browser window itself and send it that way instead of trying to use BEAST?
2. RC4, which is what everyone is recommending seems to me to be more vulnerable than AES. It is what is used in WEP. Is the implementation used by browsers more secure?

EDIT

I looked at the link in Jeff's answer. To make this exploit work the attacker must be able to make the client communicate with the site for which it wants to decrypt the traffic. SOP should stop this from happening. An XSS vulnerability on the site or a vulnerability in a browser plugin (such as Java, Flash, Silverlight) can be used to bypass the SOP limitation. In the paper they use a vulnerability in Java to do this.

In summary: SOP should protect you against this, but may not. If you have an XSS vulnerability in your site then this is the least of your problems.

EDIT 2

Thomas' answer applies here: What ciphers should I use in my web server after I configure my SSL certificate?

Answer 1

1) This is not exploited through XSS, but through a client visiting a malicious site. The targeted website does not need to exhibit any flaws at all. Details: http://vnhacker.blogspot.com/2011/09/beast.html

2) RC4 in WEP was vulnerable because of an implementation flaw. AES in TLS 1.0 / CBC mode... exactly the same kind of problem. They're still strong algorithms, they just had an error in how they were used.

Browsers are adapting by sending one-byte packets at the beginning of connections. This makes the remainder filled with random padding and thus negates the ability to use chosen plaintext based upon the CBC initialization.

---

Should you change ciphers? Well, RC4 defeats the attack, does not present a known new attack surface, and Google seems to be doing quite well with it. For those reasons, I personally would change it.

Answer 2

For a web application, unless you know your clients are going to be using IE, then you should probably stick to RC4.

For a non-web application just force the client to use TLS 1.1 or 1.2 and the problem goes away.

There is a client side fix, and it is implemented in SChannel (used by IE), but only in the development version of NSS (used by Firefox and Chrome). Last I heard they didn't want to enable the fix for everyone due to it causing issues when connecting to some older web servers. The only server-side fix is to avoid all block ciphers, which means RC4. Which, despite being a 25 year old stream cipher, has no demonstrated attacks against it, as used in TLS 1.0

Answer 3

Not really an answer to your whole question, but RC4 is not inherently insecure. It was just the way WEP used it.

According to SecurityNow! episode 11:

Steve: Well, and, for example, it uses an extremely good cipher technology called RC4. That's an RSA proprietary cipher which is very good for encrypting as long as you use it correctly. And that's really the key. The foundation of WEP encryption, with this RC4 cipher, is extremely strong. But it was used in a very bad way.

Answer 4

RC4 as used in TLS is secure. *-cbc is, in the limited but nontrivial way BEAST exploits it, not secure.

Answer 5

just an update,

As of 2013, there is speculation that some state cryptologic agencies may possess the capability to break RC4 even when used in the TLS protocol. Microsoft recommends disabling RC4 where possible.

source: http://en.wikipedia.org/wiki/RC4

so I prefer AES-128