Protect against the BEAST attack in Nginx

What is this BEAST?

BEAST, or “Browser Exploit Against SSL/TLS”, is an attack against the cipher block chaining (CBC) mode used with SSL/TLS. The weakness was discovered in 2002, but was finally proven in 2011 by security researchers Thai Duong and Juliano Rizzo. With real proof-of-concept code, they showed it was no longer a theoretical attack.

To successfully perform the BEAST attack, some conditions need to be met:

  1. A vulnerable version of SSL/TLS must be in use with a block cipher (CBC mode in particular).
  2. JavaScript or a Java applet must be injected, from the same origin as the web site.
  3. Sniffing the data on the network connection must be possible.

Protecting against the BEAST attack

While it is interesting to see how the attack works, it is even easier to start protecting your systems.

To guard against the attack, we first have to define which ciphers we allow. Secondly, we set the cipher preference to the server side (instead of the client). Next, we define which protocols we want to use, so that older SSL versions are disallowed.

ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
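To check an existing configuration for these three settings, here is a small added example (my own code, not from the original post or from the Nginx project): it parses the ssl_* directives from a config snippet and reports the BEAST-relevant weaknesses; both server blocks are constructed samples, and the check only looks at protocol names and the aNULL/MD5 exclusions, not at the full cipher list.

```python
import re

# Constructed samples: a weak server block next to the settings this post recommends.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:MEDIUM;
    ssl_prefer_server_ciphers off;
}
"""
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# One ssl_* directive per line, terminated by ';'. Lines starting with '#' never match.
_DIRECTIVE = re.compile(r"^\s*(ssl_\w+)\s+([^;#]+);", re.MULTILINE)


def parse_ssl_directives(conf):
    """Map each ssl_* directive to its argument list (last occurrence wins)."""
    return {name: value.split() for name, value in _DIRECTIVE.findall(conf)}


def beast_findings(conf):
    """Return human-readable findings; an empty list means nothing was flagged."""
    d = parse_ssl_directives(conf)
    findings = []
    if "ssl_protocols" not in d:
        findings.append("ssl_protocols not set explicitly; set it so SSLv2/SSLv3 are excluded")
    for proto in d.get("ssl_protocols", []):
        if proto.upper().startswith("SSLV"):
            findings.append(f"legacy protocol enabled: {proto}")
    if d.get("ssl_prefer_server_ciphers", ["off"]) != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not 'on'; the client picks the cipher")
    ciphers = d.get("ssl_ciphers", [""])[0].split(":")
    for excluded in ("!aNULL", "!MD5"):
        if excluded not in ciphers:
            findings.append(f"ssl_ciphers does not exclude {excluded[1:]}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, beast_findings(conf) or "OK")
```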

Regarding the ciphers, we can be more specific and list exactly which ciphers we want to allow by defining the full list:


Now it is time to test your Nginx configuration and restart the daemon. Want to be sure about your HTTPS configuration? Run the test with the great tool from Qualys.

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have compliance requirements in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub).
