The inventor of SSL has labelled recent research into vulnerabilities in the SSL/TLS code as “over-sold”.
The former secure sockets layer (SSL) champion at Netscape, Taher Elgamal, said the Browser Exploit Against SSL/TLS (BEAST) code was “powerful more than necessary”.
Researchers Thai Duong and Juliano Rizzo revealed a vulnerability in TLS versions 1.0 and earlier that allowed attackers to silently decrypt data passing between a web server and an end user's browser.
But Elgamal said attackers would have “better things to do” than copy the exploit.
“If I can put malware on a machine, why should I read SSL?” he said.
“There is no issue with TLS 1.1 and everyone should be using the latest technologies, but the way this was published is so brash, it is so smart technically, but if I were an attacker I would have better things to do with my malware than read what people are doing, so why bother?”
Elgamal said the exploit was “technically clever” but it was “very over-sold”.
“Trillion-dollar companies are worth going after and I am not defending the hackers, but these issues should be taken care of; this was over-marketed and that bothers me,” he said.
He said the unaffected TLS version 1.1 needs to be adopted by more users.