June 19, 2021

Chrome 15 Broke The Wall Street Journal While Trying to Beat the BEAST

(LiveHacking.Com) – Earlier this month Juliano Rizzo and Thai Duong released details of a vulnerability in the encryption mechanism used in HTTPS (Secure Hypertext Transfer Protocol). They also released a tool known as BEAST (Browser Exploit Against SSL/TLS). Consequently browser makers, including Google, have been trying to tweak the SSL implementations in their browsers to reduce the risks from the BEAST.

As part of the Chrome 15 release Google did some SSL tweaking:

The NSS network library was updated to include a defense against so-called BEAST. This defense may expose bugs in Brocade hardware. Brocade is working on the issue.

Well it looks like it did expose problems. As soon as users started to upgrade to Chrome 15, reports started that users couldn’t login to Barrons Online or The Wall Street Journal.

Further investigation by Google revealed that a change, which sends only one byte of data in the first CBC encrypted application data record, broke the sites.

Google back tracked on the change and released Chrome 15.0.874.106 for Windows, Mac and Linux. Since then Barron’s has updated its site, and secure sign-in is now working with 1/n-1 SSL record splitting when using the development build of Chrome 16. No word on what, if any, changes The Wall Street Journal has made to its site.