Swiss Researchers Find A Hole In SSL

in4mation writes "The folks at LASEC have found a flaw in the SSL protocol. Quoting Professor Serge Vaudenay from a BBC article the security problem is in 'the SSL protocol itself and not in how we use it or how we implement it.' Apparently the flow only affects webmail and not banking or credit card payments and took less than an hour (160 attempts) to crack." Update: 02/20 20:52 GMT by T : Kurt Seifried writes to say that this is almost exactly wrong: "The flaw is in IMPLEMENTATION, NOT THE PROTOCOL. Due to the way error checks are handled an attacker can find out which error condition occurred by measuring the response. The solution is trivial, a path that forces OpenSSL to do the second check even if the first one fails, thus denying the remote attacker any information as to which exact error condition occurred." He includes a link to the security advisory at openssl.org. Update: 02/20 21:49 GMT by T : Read on below for some more information from SSL 3.0 designer Paul Kocher.

Kocher, President & Chief Scientist of Cryptography Research, Inc., writes:

The referenced paper (http://lasecwww.epfl.ch/memo_ssl.shtml) describes how timing variations in SSL/TLS implementations can be used in certain situations to slowly gather information about encrypted data. If the certain conditions are met, the attacker can decrypt some information from the message (e.g., a password). Strictly speaking, the fact that implementations reveal sensitive information in timing channels is an implementation issue, not a flaw in the underlying cryptographic protocol. This doesn't make the issue unimportant, however, and timing attacks are big deal for implementers because they are easy to introduce, notoriously tricky to detect, and often difficult to eliminate.

Answers to general questions:

1. Is it still okay to send my credit card number over SSL? Yes. This attack is not applicable to web shopping and there are much easier ways that fraudsters steal credit card information (e.g., breaking into merchants' web sites -- a problem that SSL can't solve). In any case, the bank is generally responsible if someone steals your card info.

2. Is the paper "real" or another bogus "I broke SSL" claim? The paper is legit. The Slashdot announcement suggests that SSL itself is broken, however, which is a bit misleading.

2. Is this a practical attack to exploit? Cryptographers need to be paranoid about unexpected situations. As a result, attacks can be important even if they are not practical to exploit under real- world conditions. The attack described in this paper is similar; while there are quite a few preconditions for mounting the attack, this does not make the research unimportant or mean that people should ignore the work. Specific requirements to mount the attack include:

• The session has to use CBC mode. The vast majority of SSL connections use RC4, for which the attack is not applicable. Because of the algorithm negotiation used in SSL/TLS is secured in the initial handshake, man-in-the- middle attackers should not be able affect the outcome of the algorithm selection process.

• The attacker has to act as an active man-in-the-middle attacker. Passive eavesdropping is not sufficient.
• The server's SSL implementation has to be vulnerable (see #3 below). The protocol also has to be oblivious to repeated failures.

• The target protocol also has to have some very specific characteristics that allow the adversary to form the right kinds of messages. For most uses of SSL (e.g., normal web browsing), this type of attack does not generally apply.

3. Can affected implementations be fixed? Yes. OpenSSL has been updated (http://www.openssl.org/news/secadv_20030219.txt). For more information, also see http://www.openssl.org/~bodo/tls-cbc.txt. I don't know what other vendors/projects are doing.

4. Is this an issue for the client or the server? Normally, this would only be an issue for the "server" (i.e., the party that receives the connection request), since normal SSL clients don't automatically large numbers of connections.

A couple of final comments:

I'm constantly amazed by the number of ways that it's possible to screw up security. Overall, SSL 3.0 seems to have aged well, but I wish I'd done a better job of handling errors in the design. In particular, error handling was involved in both of the attacks against SSL that I consider non-obvious, notably Bleichenbacher's attack and CBC-padding attacks such as this one. While these types of attacks weren't known when I was designing SSL 3.0, I generally wish I'd provided less information in error messages.

Finally, I also want to give thanks everyone who has helped to study SSL's security, contributed to implementations, and helped shepherd it through the standards processes."

Less than an hour huh??

So if i have 60 machines working on it I'll be through in less than a minute??

Re:Less than an hour huh??

no. much the same way that one woman can make a single baby in nine months, but nine women can't make one baby in one month.

it's the amount of traffic generated that takes time, and you want to camp outside a server to see enough traffic to break the key.

ashridah

SSL mail

how many of you actually use webmail? be cool and use good ol' command line mail!!!

Re:SSL mail

I use mail. Mod up parent to show my support.

-Anon

Re:SSL mail

[scovetta]

My college required students to telnet into their vax machine to retrieve mail up until about 4 years ago, when they trashed everything and went to novell webmail.

I figure this flaw won't affect them till maybe 2015 when they decide that IMAP might be the way to go.

(shrug)

Re:SSL mail

[kfg]

My parents use webmail all the time. They're travel writers and webmail allows them to send and receive mail from anywhere in the world they can gain web access.

For such people webmail can be the difference between having email and not.

That said I'm with you on text mode for mail. It's resource friendly and easy to read. After a few obligitory years of going gaa gaa over WYSIWYG, fonts and white backgrounds I've discovered that, oddly enough, text mode is the ideal method of handly pure text.

Go figure.

KFG

Re:SSL mail

[Forgotten]

It doesn't matter whether you're using webmail (the article is mistaken in this respect). The issue is if you're doing regular periodic mail checks to a POP or IMAP server where you authenticate over a TLS channel. Because you're constantly sending the same credentials, the SSL/TLS weakness can be exploited and the credentials extracted. This is as true of Pine as of Eudora or a browser that keeps refreshing the inbox page. It's somewhat akin to the way 802.11 WEP's weakness is exploited.

It's long been obvious that periodic mail checks are a great sniffing opportunity for credentials (especially since many people are using the same userid and password elsewhere). Doesn't surprise me that it can also be exploited to break SSL/TLS. From that angle I would say that part of the overall issue is after all the way we're using TLS (though the underlying leakiness is how the exploit actually occurs). The problem is, what do you do instead?

Re:SSL mail

Thank god for Acronymfinder.com

=P

Re:SSL mail

[kfg]

What, you didn't know what gaa stood for?

KFG

Re:SSL mail

I still don't know. What does gaa stand for? dipshit!

Re:SSL mail

[Erik+Hollensbe]

Note that those of you who use fetchmail to gather from IMAP over SSL will be affected as well.

Re:In other news...

It's not a real security flaw -- it's a honey pot.

And I've already been there.

Ugh...

[Anonvmous+Coward]

"Swiss Researchers Find A Hole In SSL"

Isn't that their style?

Yeah, I know, that joke was cheesey.

Re:Ugh...

Thank god it's didn't read Swiss reasarchers discover A SSL Hole. The goatse links would kill us. Besides there's already one in Washington, just ask anyone in the middle east.

Re:Ugh...

[Dr+Caleb]

"Swiss Researchers Find A Hole In SSL"

Did anyone else read that as "Swiss Researchers Find A-Hole In SSL" and think, "How did he get there?"

Re:Ugh...

"Swiss Researchers Find A Hole In SSL"
Isn't that their style?
Yeah, I know, that joke was cheesey.

Wow, that's like recursive or something.

Re:Ugh...

[frenetic3]

Did anyone else read that as "Swiss Researchers Find A-Hole In SSL" and think, "How did he get there?"

No. No, man. Shit, no. I believe you get your ass kicked saying something like that. :P

-fren

Re:Ugh...

[Anonvmous+Coward]

"Did anyone else read that as "Swiss Researchers Find A-Hole In SSL" and think, "How did he get there?"

Close, I thought it said SNL. It made perfect sense until I stumbled across the word 'protocol'.

Re:Ugh...

[Chatterton]

Just for the fun. Swiss Emmenthal is the only one with no holes :-) The French one has holes :-)

Wait...

What are the actual implications of this hole? "A different kind of SSL" ? Do they just mean a different cypher/key-strength? And if so, it's then fairly technically incorrect to state "it's just webmail" since last I checked, SSL doesn't know or care about the data being transmitted, and isn't going to up and change the protocol features based on if it's webmail or online shopping; any idiot using the broken/weak encryption would be screwed no matter what data is being transmitted.

Also, the hole was "passed on to the developers, and will be fixed in the next version of the software." So what, is this just some particular implementation of the SSL protocol? Is it MS', OpenSSL's, whose?

Re:Wait...

[Oculus+Habent]

Webmail is insecure because it resends the same data (username & password) regularly to the server. Credit Cards submissions and sign-in pages are unlikely to keep sending the same data repetetively.

Of course, we just need a better webmail application, and you'll be fine.

Re:Wait...

[lazira]

last I checked, SSL doesn't know or care about the data being transmitted

Only email is vulnerable because email programs automatically check for new mail at regular intervals. This vulnerability requires that the password be sent frequently to the server. In most other transactions, it's only sent once.

Re:Wait...

[ADRA]

You are right, and the poster was wincorrect. The article says that the attack can hack ecommerce. As well. The IMAP example was use to show a real-world situation where this situation applies.

When hitting an ecomerce site, you would generally surf more than one page, no?

Re:Wait...

[coolgeek]

Well, the authentication/authorization system I have just completed for my web applications sends the password once. A cookie is returned to the user as a Session ID. The Session ID is good only for the very next transaction. Upon completion of the next transaction, the Session ID is rotated to a new value, which again is good for the very next transaction. It's really only a couple of extra lines of code to implement.

Re:Wait...

[Oculus+Habent]

What happens if someone wants to open a link in a new window, or work on two sections at the same time?

Not trying to downplay the concept, just interested in the implementation.

Re:Wait...

[coolgeek]

Just to level set, I'm coding in mod_perl. All cookies are set and checked at the server. It may be different for .asp implementations, but I wouldn't know because I've never done that. Definitely using Javascript on the client side to modify cookies will lead to the kind of issues I imagine you are envisioning (or experiencing).

Since the cookies are rotated by the server, the browser sends the same cookie for "open link in new window"; at least all the browsers I have checked. (I am curious if you have experienced otherwise, and will appreciate any sharing) After the new window is up and loaded, the new cookie is in the browser, so the old page will send the new cookie on the next click, or to step back and view the whole scenario, any page will use the latest cookie on hand when building a HTTP request.

Not sure exactly what you mean by "two sections", however taking a stab at it, I open different tabs in Mozilla to different parts of the same application.

What is a problem is accessing multiple documents simultaneously. For certain pages, like where several images from a secured area are returned, the images do not rotate the cookie, rather each page does. Technically, I know this constitutes multiple HTTP transactions...I really mean a transaction from the user's perspective. I apologize if you now find my post somewhat misleading. Using mod_gzip (and a server with adequate bandwidth) helps keep the user from opening a crapload of extra windows, mitigating this effect. Other UI tricks can be used to ensure only one page at a time is requested from the server.

Re:Wait...

[krogoth]

No it doesn't. Sites using HTTP-Auth, which sends information with each requrest, might be vulnerable, but the reason that they got the IMAP password within an hour is that the client was checking every 5 minutes and it had to send the password multiple times each time it checked for new mail.

Wow

The article (the LASEC memo) cites standard, well-known weaknesses in block ciphers. I haven't heard anyone give some of their specifics before (timing attack might be possible with encrypted error messages, for instance), but it's not really a breakthrough.

Re:Shit...that's a good third post!

I'm honored to have been your first target. Thank you.

Shit...that's a good troll!

--thr0d

The Swiss

[bytesmythe]

Those damn army knives have a tool for everything nowadays...

OpenSSL new version has fix already

[linuxbaby]

Since not everyone reads the article, don't miss this line from it:

In the case of openssl [9], a new version has already been released (0.9.7a) with a countermeasure against our attack.

Released yesterday: http://www.openssl.org

Re:OpenSSL new version has fix already

Does anybody know HOW this countermeasure works?
(Just curious)

Re:OpenSSL new version has fix already

[cicadia]

The attack works because the attacker can distinguish between an error in the message padding and an error in the MAC, by careful timing of the wait for the response from the server.

This is possible because SSL implementations typically abort processing a message immediately if the padding is incorrect, without testing the MAC, meaning that they respond a couple of milliseconds sooner than they would have if the padding was correct.

The openssl countermeasure is simply to perform a MAC test in all cases, whether the padding was correct or not, before returning an error to the client.

Re:OpenSSL new version has fix already

> Does anybody know HOW this countermeasure works?

Presumably the countermeasure was created by a human, so the answer to your question would be yes.

Re:OpenSSL new version has fix already

[Lazar+Dobrescu]

The attack is based on timing (calculating the time taken by the server to respond to the client, and deducing part of a password from that time), so I guess one way to defeat it would be to insert some random delay before sending a response, so the attacker can no longer rely on the timing meaning anything...

Re:OpenSSL new version has fix already

The distributions of the delays would be shifted but the underlying delays would still be detectable. It would take much longer to crack the password, but the attack would still be feasible.

Re:OpenSSL new version has fix already

[aridhol]

Not if there's a random amount of delay added in every error condition. The current problem is that different error conditions have different timeouts before responding with an error, so you can tell which one you have by whether the delay is short or long. If the delay is random with a large enough range, then a "short" delay may end up longer than a "long" delay sometimes, but not in other cases.

Re:OpenSSL new version has fix already

[RadioTV]

Random number generators aren't truly random - they will eventually repeat. This would make things an incredible amount harder, but not impossible.

Re:OpenSSL new version has fix already

[Lil'wombat]

So this is really a variation on brute force attacks on login/password combinations. Where you don't know a username to begin with and the system is dumb enough to tell you if it is the username or password that is incorrect.

Re:OpenSSL new version has fix already

[aridhol]

Pull the values out of /dev/random, the same source of randomness that's used for most cryptologically strong randomness.

Re:In other news...

Ha ha ha! Very amusing :)

joke?

Speaking of holes... If Iraq enters Turkey from the rear, will Greece help?

BASIC?

[sharph]

An SSL-enhanced browser such as Internet Explorer or Netscape Navigator uses encryption to scramble the data you send to a web site into an unintelligible string of seemingly random characters. A typical transaction is a browser sending the contents of an order form to the server, checking emails on an IMAP server, using BASIC authentication to access a password protected part of a website, etc. Let's look at an example showing the difference between unsecure and secure transactions:

Of course its insecure, they programmed their security in basic. (I'm smarter than this. It's a joke... Laugh.)

Not so sure

[oldstrat]

This looks like a 'man in the middle' attack to me, not so much a failure of ssl.

The details are at best sketchy, anyone else see it this way?

Re:Not so sure

[punkball]

Not quite. Read the vuln again. This assumes you don't have any knowledge of keys yet.

Re:Not so sure

[Stephen+R+Hall]

However this was done, SSL has been cracked, so there must be a vulnerability in SSL. The article states that the "loophole" has been closed, so there was something to fix.

Re:Not so sure

[meshko]

no, I think you are the only one. Sorry.

Re:Not so sure

[LJPeixoto]

SSL is supposed to be imune against "man in the middle" attacks, so if its vulnerable, its a SSLs failure.

Re:Not so sure

[punkball]

SSL is not immune to man in the middle attacks. Where did you get that?!? Any public key system is vulnerable during the first key exchange.

Re:Not so sure

[n.wegner]

The key exchange is not vulnerable if the encryption is secure. Your private key is the only thing that can decrypt your messages; your public key can't.

Re:Not so sure

You're assuming you have some way of knowing that the public key you receive from your peer belongs to the person you think it does. If you don't have a way of assuring this, such as a trusted certification from a third party (central or otherwise) or a priori knowledge, then a "man in the middle" can intercept all traffic. Hence, a vulnerability during initial key exchange.

Re:Not so sure

[blibbleblobble]

"This looks like a 'man in the middle' attack to me, not so much a failure of ssl."

Okay. I recently suffered a man-in-the-middle attack. I was faced with the choice of using insecure alternatives to communicate, or not being able to read email or update my website.

My family quite often have problems with secure email. It doesn't take a genius to work out that when their secure email fails, they turn it off and write plaintext emails.

MitM attacks are not to be sniffed at. With the clueless [or deadline-pressed] public, you can defeat encryption just by scrambling it.

Re:Not so sure

[punkball]

Quick response: you don't know what your talking about. Read about public key cryptography sometime.

Re:Not so sure

I always write plaintext emails - I guess I'm not enough of a geek to do GPG in my head.

Re:Not so sure

[hackwrench]

But what if you think that someone else's public key is the public key of the person you are trying to talk to?

Re:Not so sure

[blibbleblobble]

"I always write plaintext emails - I guess I'm not enough of a geek to do GPG in my head."

That's probably about right in Windows (cut'n'paste to PGP is an ass, and you can't browse your email folders), but believe me, it becomes a lot easier when you get KMail running.

KMail will just ask you once for the passphrase, and then display encrypted email messages as normal - lovely. The only difficulty is that it can take some time to get GPG itself working, or to import keys. Anyone's welcome to email me to ask for help.

On Windows, the easiest way is to pay $30 for The Bat[ritalabs.com] which includes its own PGP implementation, or Enigmail[projects.mozdev.org] which works with Mozilla mail and GPG. Both of those systems are excellent email clients, with encryption just the icing on the cake.

Don't be tempted to use PGP plugin with Outlook or Express. It has the potential to crash the program, and leave you unable to even see the encrypted text.

A different kind of SSL?

[griffjon]

"But the researchers say the loophole does not apply to credit card transactions, as banks and e-commerce sites use a different type of SSL (Secure Sockets Layer) technology"

Um? Well, are they talking about 64 vs 128 bit keys? The article later indicates it's a weakness in sending the same password often within one session, which would be actually, an implementation problem as opposed to an SSL problem. Anyone have a mirror of the actual paper and not ust the bbc article yet?

Re:A different kind of SSL?

The problem comes from forming the same strings, crypting them and sending them over and over again. Banking sessions, etc, do not send your authentication tokens over SSL many times, they simply send once, and then set a secure cookie.

This cookie would be vulnerable (it gets sent with each request) except that each HTTP request is formed with a fair amount of variance in it. More data goes back and forth (requests for HTML files, graphics files, etc) so there isn't that one little message being sent many many times.

Again, RTFA. The problem comes from the same message being crypted and sent again and again. This is why only very specific things are vulnerable.

Re:A different kind of SSL?

[in4mation]

Here's the article itself

Re:A different kind of SSL?

[griffjon]

RTFA doesn't help -- but RTFP (paper) did. It was just /.ed when I first clicked. Ya gotta admit, the article was pretty unhelpful about what was going on.

Re:A different kind of SSL?

[cicadia]

It sounds like the BBC reporters may have actually talked to the researchers, rather than just repeating what they posted online.

Most people here seem to be latching on to this quote, as well as the one on the swiss site which mentions that other web-based services using SSL may also be vulnerable, and assuming that a contradiction exists.

By "a different type of SSL," they may be referring to the SET protocol that machines use when communicating directly with credit card companies. It's been a long time since I looked at SET authentication, but it may not be vulnerable to this sort of attack.

I can imaging the BBC reporters learning this, through talking to the researchers, and eventually coming up with that line, which implies that e-commerce sites over SSL are safe (which is very likely wrong)

Re:A different kind of SSL?

[Forgotten]

Actually a cookie such as you describe might well be vulnerable to a leaky-cipher problem like this one, since the HTTP headers are reasonably large, uniformly located (in part because of the punctuated way HTTP is used between browser and server), and generally much the same for subsequent requests. It seems this would probably be worse for, say, RC4 (for the same sorts of reasons as WEP is breakable).

This is why the cookie is only good for a session and has a short timeout. You may be able to grab some candy, but you can't steal the whole store.

Re:A different kind of SSL?

[Omnifarious]

SSL shouldn't be vulnerable to you sending your password several times within the same session, so it's an SSL vulnerability. The vulnerability does not depend on key length in any way. It takes advantage of some well known security weaknesses in CBC, combied with the server leaking certain information via message timings that it shouldn't be.

The vulnerability merely requires that there be a predictable message in which everything in the password occurs in a predictable location.

Re:Spelling Natsi

[B3ryllium]

I think slashdot denies responsibility for this by saying that contributors are responsible for their own spelling.

But what if I'm a repetitive compulsive buyer?

[djeez]

I don't know, maybe I'm going to buy 160 different items, one at a time, each time sending my credit card number.

Re:But what if I'm a repetitive compulsive buyer?

[T-Daddy]

Me I'm just impatient and I keep clicking that submit button until something happens.

Re:But what if I'm a repetitive compulsive buyer?

I knew one day I'd be glad of my 160 different credit cards!

They just keep sending those pre-approval forms, and I keep filling 'em in...

Re:But what if I'm a repetitive compulsive buyer?

[cachorro]

No need to worry about this attack.

You will self-destruct without assistance.

Cyber-darwinism at its best.

Re:But what if I'm a repetitive compulsive buyer?

[Some+Dumbass...]

I don't know, maybe I'm going to buy 160 different items, one at a time, each time sending my credit card number.

That's why eBay is still in business...

Heise and OpenSSL developers tells the opposite

[kju]

Regarding to what the heise newsticker wrote, this fix IS actually in the implementation and was fixed in OpenSSL 0.9.6i and 0.9.7a. So who is right?

Heise says: "OpenSSL developers already reacted and issued versions 0.9.7a and 0.9.6i of openssl, which close this security flaw. In a posting on bugtraq they recommend this update for all users." (translation done by me).

I have read the bugtraq announces as well, they specifically state that the update DOES fix this bug. So it is NOT a bug in the SSL protocol itself, but in the implementation, at least regarding to OpenSSL developers.

Re:Heise and OpenSSL developers tells the opposite

Coincidentally, Gentoo Linux already has an ebuild for OpenSSL 0.9.6i.

My laptop was protected against this attack before I knew it existed. :-)

Re:Heise and OpenSSL developers tells the opposite

[nestler]

It's a slight bug in the SSL protocol that is entirely fixeable in the implementation.

The bug in the protocol is that the RFC says that for block cipher decryption errors, you should report a "decryption failed" alert but for MAC errors you should report a "MAC error" alert. This opens you up to attacks.

A good implementation will report "MAC error" in both cases, and take the same amount of time to do that reporting in both cases (this is what OpenSSL's fix does). This doesn't follow the RFC but it shuts down this avenue of attack.

So OpenSSL is safe and the Heise was overstating things in a very misleading way.

Re:Heise and OpenSSL developers tells the opposite

> Coincidentally, Gentoo Linux already has
> an ebuild for OpenSSL 0.9.6i [gentoo.org].

And in a few weeks when Gentoo is done compiling you'll be able to use it!

Re:Heise and OpenSSL developers tells the opposite

[blibbleblobble]

Interestingly, the research notes that the email program tested was set to check all of its accounts every 5 minutes, thus scuppering any security that relies on timestamps. Somewhat offtopic, but certainly an interesting thing to note for people designing systems.

Re:Heise and OpenSSL developers tells the opposite

Why is this a bug in the protocol? It doesn't say that you *can't* still do the MAC. All it does is differentiate between a MAC problem and a decryption problem. I imagine this was done to ease debugging problems.

Re:Heise and OpenSSL developers tells the opposite

[lazyl]

Not quite.

The error messages are encrypted. The attacker can't read them. All his information is based on timing. Because of the implementation a padding error will return faster than a MAC error. After sufficient attempts the attacker can statistically guess which error he's getting. That info can be used to crack the cipher.

I don't know the details of the OpenSSL fix, but they don't have to change the error message to fix the problem. They just have to change the timing. So it's purely an implementation problem; nothing to do with the protocol.

I don't know why Vaudenay said (in the interview) that it was a problem with the protocol because according to the LASEC memo, it's not. Vaudenay didn't write the memo, so it's hard to guess how directly involved he was with the work. The project is based on a method of attacking SSL developed by Vaudenay though. From the memo:

In 2002, Vaudenay [10] presented an attack which enables the decryption of blocks provided that error messages are available (as a side channel attack) and sessions do not abort. This is not the case with TLS/SSL. We can solve the latter problem in the case where a TLS/SSL session includes a/several critical plaintext block which is/are always the same (e.g. a password). The former problem of availability of error messages (encrypted in TLS/SSL) is solved by performing a timing attack i.e. by measuring the taken for error messages to come back from the server. It is then possible to perform the attack over several sessions of TLS/SSL.

Re:Heise and OpenSSL developers tells the opposite

GenTooo GenTOO! GenTOOoo! DOOOD - I am so glad you brought up Gentooo! Gentoo is the roxorz. Stoopid redhat cant touch a candlestick to it nor even debian (== pretensus!!)!!! My l333t boxen my mom gave me (Pentim5,noless) runs 5x faster than anything else even mandrake (window$ wannabe). Just run with -funroll-all-the-loops and youll be screaming in all yur appies! GenTOO, Gentooo, Gentooooooo!

Gentoo user, over and out!

Re:Heise and OpenSSL developers tells the opposite

[nestler]

You are correct that they didn't need to change the alert code to fix the problem. I mispoke due to confusion from reading their code before yesterday's fix. Even before the fix, their code made sure to return the same alert in both cases, but there was still a timing difference because of the MAC computation.

Although returning the different alert codes isn't specifically what opens you up to vulnerability (because as you noted the alert codes are encrypted), the fact that the RFC has different alert codes for these scenarios leads the implementer down the path of handling them differently (which will easily lead to timing differences if you aren't careful). There is no good reason to have two different error codes for these two conditions in TLS (SSLv3 got it right here and only had a single MAC error code). Two separate error codes leads implementers towards vulnerable implementations.

An analagous attack is the Bleichenbacher attack. The TLS RFC explicitly states what implementers should do to avoid that attack (treat bad PKCS#1 padding just like a bad Finished message). However, instead of having some helpful note about this, the RFC has a very unhelpful suggestion to send a separate alert code for a condition that needs to be treated identically in terms of timing.

No, they didn't know this attack then, but they violated the principle of not revealing more error information than is necessary. They went into detail describing how not to leak to much information about PKCS#1 padding, but then they did not follow their own advice about block cipher padding.

Uh oh...

[fritter]

But the researchers say the loophole does not apply to credit card transactions, as banks and e-commerce sites use a different type of SSL (Secure Sockets Layer) technology.

Then after imploring those present to "kiss the rings", they emphasized that using your credit card was still entirely safe, and sped off in their newly purchased Mercedes-Benz M-Class SUVs.

Re:Arg!!!!

[delta407]

Relax. It's a possible attack when plaintext is repeated over multiple sessions and a non-critical error occurs that forces a key renegotiation, not something a script kiddie will run and get a list of every credit card number on amazonl.com.

Besides which, openssl 0.9.7a was released yesterday, and it addresses these issues.

An Hour...

[RyansPrivates]

Yeah, but who's got an hour to spare these days...

Spelling error

Anyone else notice that the incorrect word 'flow' was used instead of 'flaw'? Faggots.

banking too

[sarice]

"Apparantly the flow only affects webmail and not banking or credit card payments"

The article didn't make that claim, and in fact says:

TLS/SSL are used in other secure Internet applications such as e-banking and e-commerce meaning that an attacker could potentially intercept banking transactions, credit card numbers, etc.

Re:banking too

RTotherFA:
But the researchers say the loophole does not apply to credit card transactions, as banks and e-commerce sites use a different type of SSL (Secure Sockets Layer) technology.

Re:banking too

[Bishop]

obviously TotherFA is in error.

freudian slip

Apparantly the flow only affects webmail

Looks like it's someone's time of the month...

Huh? We must not have read the same article...

[aborchers]

Apparantly the flow only affects webmail and not banking or credit card payments

The linked article reports a timing-based attack that could be used to identify passwords when the encrypted message is repeated, as in the case of communicating with an IMAP server. IMAP is not webmail, it is a mail protocol (a popular alternative to POP3) that is frequently secured with SSL/TLS. Once the password is cracked, it could be used to compromise other resources if the IMAP server and those other resources share the same password. It may not be likely that your bank provides your IMAP server, but it is not as unlikely that an IMAP account might share a password with other network functions that you'd want to keep secured...

Re:Huh? We must not have read the same article...

[meshko]

obviousely poster has no clue. Not only IMAP has nothing to do with webmail, but nothing says that only IMAP is vulnerable. The researcher just used IMAP to test exploiting the vulnerability, because Outlook keeps sending the same message every 5 minutes (which is questionable from the security standpoint in itself) and hence it was the easiest target.

Re:Huh? We must not have read the same article...

[rp44]

Well actually it's any application where interesting plaintext is sent at a known offset in the conversation over and over again.

I think that this means that HTTP Basic Auth over buggy SSL is vulnerable (in other words password protected web pages). Remember that the Auth header is sent in each and every page request, although its absolute offset in each HTTP req will vary with URI length in the GET/POST header. If this is known though...

Re:Huh? We must not have read the same article...

[aborchers]

Precisely. IMAP is a particularly good example of a target because the same block of text is sent on a predictable interval when the mailer is set to check for mail every n ticks. I can't think off hand of that many password-protected web apps that refresh with the regularity of an IMAP client/server exchange, but you're right in noting that anythng using SSL and repeating an exchange is vulnerable.

Re:Huh? We must not have read the same article...

[mabinogi]

Outlook is completely fucked then....

It should keep the connection open, and only resend the login details if the server disconnects.

I'm convinced that Microsoft deliberately makes Outlook so bad at IMAP to force people to use Exchange instead....

sorry, too early in the morning, not enough coffee, and suffering flashbacks from battling with Outlook and IMAP (Netscape messenger does it so much better, but everyone insists they 'need' Outlook).

Re:Huh? We must not have read the same article...

yeah, outlook is a super poor product, yet everyone loves it.

"i have some stupid method for renaming my address books so viruses cant get it"

i have a better method, DUMP outlook, you know its garbage, its feature poor and prone to horrible problems, i have a car for you, its called a yugo

Re:Huh? We must not have read the same article...

[ak_hepcat]

Hmm. I don't think this would be work in the field, unless the attacker had a very good idea of what the underlying infrastructure of the website was.

Since everything is encrypted, how would the attacker know if you were using authentication, or just surfing blindly over SSL? There's not going to be anything in plain text to differentiate between the two types of sessions.

Or am I missing something here?

Re:Huh? We must not have read the same article...

[aborchers]

About the only example I can think of would be a Web mail or similar application that a user would refresh at intervals. Perhaps an attacker could watch many sessions and, once a recurring pattern is noticed in one, could zero in on that one for the timing attack?

This is all very hypothetical, and I agree that it is unlikely to work in the field. IMAP is a much better target.

Phew!

[LongJohnStewartMill]

Thank god I'm using Telnet!

Re:Phew!

[JM+Apocalypse]

You are safe -- for now.

You just wait until you accidentally mistake a web browser for telnet ... then you will be sorry.

(place evil laugh here)

(got to the whitepaper)

[griffjon]

Sorry, the article was just a bit... short, dramatically so, on the details. The article explains the process involves an attacker interacting with (Sending 'bad' blocks to receive useable info via the errors reported) the server, which would be more possible in an IMAPS tyle use, but less so in most web apps.

I thought the article was already /.ed when it didn't load. Sigh. here's wishing for better knowledge of crypto among tech reporters.

Article was totally off

[TBC]

Reading the BBC Article, they totally missed the point of the original article. It's not webmail that is a problem, but TLS/SSL encrypted IMAP or POP3 sessions. No self-respecting web-mail application sends the user-name and password with every screen. Most use a session key after login. It's not a big deal for webmail users, but for those who use TLS to connect to their IMAP/POP servers, it's an open window.

Re:Article was totally off

[RAMMS+EIN]

``No self-respecting web-mail application sends the user-name and password with every screen. Most use a session key after login. It's not a big deal for webmail users''
Not too fast there! Supposedly, the session cookie stays the same during the whole session. This means that there is potential for sniffing the session cookie, after which the session can be hijacked. This only works if the position in the stream of the session cookie is known, but the same applies to the position of the password in the IMAP example. This means that the vulnerability is there for webmail, e-commerce, ... as well. Granted, sessions cookies could well be reused fewer times than email passwords, but a cracker need only hijack your session once to do his thing...

---
Build a better mouse trap... and you'll be sued by someone who patented mouse trapping devices in 1993.

holy fuck!

[Mourgos]

That's what I screamed while cold sweat was dripping down my face.... and then I continued reading and saw that it still is safe to use my credit card. Hmm.... yeah I see how 'hackers' will go for my e-mail password first.

Re:In other news...

There's probably some good flow coming from that to...

One hour?

[chronus22]

I would note that the one hour figure is for a dictionary attack, implying that the password was, in short, a bad one (not many universities/corporations would even allow a normal word as a password for one of their accounts). If a brute force method is used on a 256 character set, the time required is about 26 times as long (26 times greater complexity). Still a major hole, but more than a day is quite different from an hour.

Re:One hour?

[wirelessbuzzers]

They didn't say it was a dictionary attack on the password that took only an hour. Furthermore, if the description they gave was correct, their attack should be linear in the length of the password, not exponential. This means that it can be cracked easily in a few hours with brute force anyway.

Re:One hour?

[chronus22]

Yes, they did. RTFA: "We have used the data collected to draw Figure 1 in order to compute the upper and lower bound of our decision interval and complexity value C for a given success probability for both brute force and dictionnary attacks. These values can be seen in the tables below where p represents the probability of success of the attack and C is the complexity i.e. the number of sessions needed to perform the attack." The dictionary attack is listed as c = 166 when p = 0.5, and a 256 character alphabet is listed as c = 4239 with the same p. Therefore, a brute force attack took approximately 4239/166 = 25.54 as many attempts, and therefore that number of times as long.

Bank / E-Commerce is also vulnerable (possibly)

[Ryquir]

Commentor says: "Apparantly the flow only affects webmail and not banking or credit card payments and took less than an hour (160 attempts) to crack."

The actual linked article says: "TLS/SSL are used in other secure Internet applications such as e-banking and e-commerce meaning that an attacker could potentially intercept banking transactions, credit card numbers, etc."

Nobody should dismiss a vulnerability just because the exploit was used againest something that "doesnt'" matter. SSL use with IMAP, POP, FTP or any other protocol all relates to each other. Thus a vulnerability in one can lead to more understanding and discovery of more vulnerabilities.

Re:Arg!!!!

[Deth_Master]

But if you RTFA then you would know that there is a fix already out there for the Linux community at least.

In the case of openssl [9], a new version has already been released (0.9.7a) with a countermeasure against our attack.

And I'm glad I was told about this, now I can go and update my server with the latest version of openssl and recompile stuff that links against it, and I'm now secure against the Swiss :)

flaw is easily avoidable; use RC4

[nestler]

The easiest way to avoid this flaw (which unfortunately few people know because of all of the poorly written hype) is to use RC4. The flaw is only present when using block ciphers, and RC4 is a stream cipher.

This measure can be taken on the client side by setting your browser's SSL preferences. All good SSL-enabled browsers (Mozilla, Opera, etc.; basically anything except IE) will let you disable non-RC4 ciphers for SSL. Turn off RC2, DES, 3DES, and AES. Only leave RC4 suites (or C4 suites as they are called in Opera).

This measure can be taken on the server side by configuring your web server's SSL configuration to only support RC4 cipher suites (RC4 is the only stream cipher defined in SSL).

If you are using OpenSSL, they made a new release (0.9.6i and 0.9.7a) yesterday that prevents this attack from working. Basically, they made the new code take identical amounts of time for the block decryption failure vs. the MAC failure which thwarts the timing attack described by LASEC. Even their old code has been smart enough to report the same error on the wire, but the old code had a timing difference (block error would skip the MAC computation).

This is not the end of the world. This is not an insurmountable flaw in the SSL protocol (although they really shouldn't have specified block decryption error as one of the alert types in the first place).

Just use RC4 for now and upgrade your web servers when you can.

Re:flaw is easily avoidable; use RC4

[arivanov]

RC4 has a history of implementation flaws. It is a good algorithm but it is quite often applied to the wrong problem and IMO anything that is not classic stream and has known plaintext fragments is a "wrong problem". The results of such misapplications are well knonw. MSFT 40 bit PPTP, WEP are just a few fine examples.

So for this specific case I would personally run away from RC4 like hell.

Also, in order to do this attack the attacker has to a be a man in the middle with capability to intercept and replace traffic. Outside the scope of a university campus network the possibility for such attack is becoming a very rare occurance as most networks do not have a suitable point to do this without exposing yourself.

Re:flaw is easily avoidable; use RC4

Amen. Use SEAL if you need stream ciphers. It doesn't have any issues like RC4 does regarding intellectual property.

Re:flaw is easily avoidable; use RC4

[nestler]

Amen. Use SEAL if you need stream ciphers. It doesn't have any issues like RC4 does regarding intellectual property.

Seal is patented by IBM (p. 400 of Applied Cryptography) while RC4 is not patented at all (despite its sketchy past as a "trade secret"). Also, there are no SSL ciphersuites defined for SEAL, so you wouldn't interoperate with anyone.

So using SEAL wouldn't actually be useful and it is even more constrained with respect to intellectual property than RC4 is.

Re:flaw is easily avoidable; use RC4

[nestler]

RC4 has a history of implementation flaws. It is a good algorithm but it is quite often applied to the wrong problem and IMO anything that is not classic stream and has known plaintext fragments is a "wrong problem". The results of such misapplications are well knonw. MSFT 40 bit PPTP, WEP are just a few fine examples.

Those are examples of crypto protocols that were designed by non-cryptographers. SSL/TLS does not fall into that category. Those vulnerabilities were due to very stupid key derivation algorithms ("let's add three to the last RC4 key and use that...").

SSL's use of a PRF to generate the key material gets around the RC4 key derivation problems present in WEP and in PPTP. The last couple of SSL protocol problems have had to do with block ciphers. RC4 would have protected you in all cases; both this one, as well as an arlier theoretical result about mac-then-encrypt security protocols.

Re:flaw is easily avoidable; use RC4

[kbroom]

I don't know if this is entirely true. This attack is based on Vaudenay's attack to block ciphers using padding on CBC. There was a paper on Usenix '02 which showed that stream ciphers (like RC4) can also be vulnerable to a similar attacks under certain conditions, so I don't think is as easy as just changing algorithms.

For the paper look here

Re:flaw is easily avoidable; use RC4

[ajs]

[NOTE: This post assumes you use a UNIX or UNIX-like system and OpenSSH]

For those of you who are concerned that ssh may be vulnerable (I don't know... it probably won't matter unless you have an automatic process like rsync or fetchmail using ssh to re-connect over and over on a regular basis), you can use "arcfour" as the "Cipher" parameter in openssh. To force this, create a ".ssh/config" file in your home directory with these lines in it:

Ciphers arcfour
Protocol 2

arcfour is known to have security problems with protocol version one, so it's not supported there (or was not last I looked, but that was a Changelog entry from 20000509).

Good luck.

Re:flaw is easily avoidable; use RC4

[fv]

the attacker has to a be a man in the middle with capability to intercept and replace traffic. Outside the scope of a university campus network the possibility for such attack is becoming a very rare occurance

I wouldn't say that at all. DNS spoofing is sadly still feasible in many situations and easily gives you this capability. It is trivial if the attacker is on the same layer 2 network (insider attacks are extremely common, and so are outsiders who own one machine on the network and then leverage that for more.) Remember that the SSL certificate validation process won't protect you from this attack, since that part of the protocol is proxied through unmolested.

-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner

Re:flaw is easily avoidable; use RC4

[SuperFrink]

Indeed eithernet (even switched) is susceptible to a problem where a gratuitous arp is sent (from the bad guy's computer) that causes a machine (victim's computer) to think an IP address (eg the gateway) maps to an incorrect MAC address (the bad guy's NIC).

Last year a few friends got together and tested ettercap out (in a controlled environment) and sure enough it's trivial to snoop on a machine's traffic. :(

Re:flaw is easily avoidable; use RC4

[jovlinger]

ssh != ssl

Re:flaw is easily avoidable; use RC4

[ajs]

Yes, you are correct. ssh != ssl

However, OpenSSH uses OpenSSL to do its encryption. For this reason OpenSSH may (or may not) be vulnerable. Thus, you should probably take steps to prevent the attack even if it turns out that it was not possible to exploit the hole for OpenSSH.

That means you have to a) upgrade OpenSSL b) use a non-block cipher or c) check host keys manually.

Like I said, it probably will not matter unless you are using SSH to do something that happens often (like a cron-job that runs an ssh-based rsync every few minutes or fetchmail-IMAP-via-ssh) since the attack needs many data points in order to succede.

s/flow/flaw

[jpt.d]

(nt)

Re:s/flow/flaw

man i'm glad i'm not you

Gentoo has ebuilds already!

[punkball]

Hurray for Gentoo Linux!

Re:Gentoo has ebuilds already!

slackware-current has them also...

the rest of the world will have it minutes later.. not real biggie... not like microsoft issuing a patch for slammer and NOT EVEN USING IT THEMSELVES!!!!

morons...

It's a floor wax. No, it's a dessert topping.

[kfg]

Wait, your *both* right.

The flaw is in the protocol. OpenSSL has produce a security patch in *their implimentation* that protects the hole in the protocol, but the flaw in the protocol remains.

All other implimentations that have not been so patched remain vulnerable.

KFG

Re:It's a floor wax. No, it's a dessert topping.

[kju]

Ok, but then the slashdot article was some sensation laden journalism. It specificially said that the flaw is in "the SSL protocol itself [...] not [...] how we implement it". So this leads to the impression, that SSL is flawed by principle and could not be fixed without altering the protocol.

Obviously this is wrong. The OpenSSL developers were able to fix the problem WITHOUT breaking compability to other SSL implementations. So how can this be a problem with the protocol itself, if it can be fixed without actually altering the protocol?

This does not make real sense.

Re:It's a floor wax. No, it's a dessert topping.

[kfg]

Imagine that the fuel pump in your car breaks down. You need to get somewhere and don't have the parts to fix the fuel pump, but you do a good stock of odd stuff lying about. So you take a bottle, some hose, and a coat hanger, fill the bottle with gasoline, run the hose into it and hang the lot from your dome light, allowing gravity to feed fuel to the carb. (Yes, I've actally done this. It's a real world example).

Or, your boat has a hole in the hull, so you dive overboard, throw some canvas and underwater putty over it, and go on your way.

Your car and boat are still broken and require repairs of their fundamental structure, but, for the moment, can be considered as functioning normally.

One can kludge software in a like manner at times.

This is one of those times.

KFG

Re:It's a floor wax. No, it's a dessert topping.

[Tony-A]

Ok, but then the slashdot article was some sensation laden journalism.
Ok, so Slashdot doesn't pick on just Microsoft. ;-)
The protocol allows conforming implementations that allow leakage of information. That the protocol also allows conforming implementations that do not leak the information does not remove the flaw from the protocol.

Re:It's a floor wax. No, it's a dessert topping.

What the fuck does my car or boat has to do with SSL? Go back to homo analogy land. Fucking moron!

Flaw is in OpenSSL implementation, not protocol

[seifried]

As usual the slashdot editors have gotten it completely wrong. The flaw is NOT in the protocol. It is in the implementation. When checking CBC (Cyclic Block Chaining) packets for errors (i.e. the kind created by a man in the middle attack) two error checks are done. If the first one fails a reply is sent, if the first one passes and the second one fails the same error is sent, but of course it takes a bit longer then if the error had been triggered by the first error check. This allows an attacker to replay data from another users session against the server, creating errors, by knowing which of these errors occured they can mount an adaptive attack and home in on the data. This attack requires an attacker to be able to monitor data between a client and server, as well as establish a connection with the server.

The fix is pretty trivial, the second error check is done even if the first fails, thus removing any time based information (i.e. data takes about the same time to traverse both checks whether it fails the first or second one), thus denying the attacker the needed information. Fixed versions of OpenSSL have already been released. For more information please see OpenSSL Security Advisory [19 February 2003].

As a further note the BBC article is wrong, the quote "It is the first time we have noticed a security problem in the SSL protocol itself and not in how we use it or how we implement it" is either a misquote or flaw. If the flaw were in the protocol itself the solution would not consist of a 30 line patch to OpenSSL's error checks.

Re:Flaw is in OpenSSL implementation, not protocol

[jaspetry]

I hope people take your advice and actually read the OpenSSL Advisory, which does a fairly good job of explaining the problem and the fix. This is an implementation "flaw" only in the sense that the implementation failed to protect against a previously unknown timing attack. OpenSSL is almost certainly not the only implementation to get this wrong. Wonder how long it will be before someone finds this flaw in MS's CryptoAPI libraries?

Re:Flaw is in OpenSSL implementation, not protocol

if the flaw were in the protocol itself the solution would not consist of a 30 line patch to OpenSSL's error checks.

OpenSSL fixes the hole by deviating from the protocol. Also, the OpenSSL fix only fixes the server side, not the client side. If you connect to a server that uses an old implementation of OpenSSL, you are still vulnerable.

Crib attack?

You may be right, but I thought the article indicated that this is a crib attack. Because the username and password are sent many times in webmail systems (and because the attacker knows this) a crib sheet can be built up with every transaction. However, the article claims that credit systems and banks only authenticate once, so would not be vulnerable to this attack (I don't know if this is true).

Only affects IMAPS?

[mbogosian]

Apparantly the flow only affects webmail and not banking or credit card payments

Technically, the exploit was ideally suited to looking for password information in IMAP/SSL connections, since they are common and frequent. This does not mean the attack is limited to mail-related transactions.

Since most people's passwords are similar/the same for most of their online accounts, in theory, one could use a knowledge of traffic directed at certain sites under other circumstances originating from the same IP to do the same thing. It would take days/weeks instead of hours, but, since most people don't change their passwords that often, it's still conceivable.

This is much less likely to be feasible when it comes to ongoing sessions where the place of authentication is aribtrary (as it is with most e-commerce sites like Amazon and Ebay). However, some sites which use HTTP basic auth (since the username/password are in a well-known location) are now in danger.

What I'm really scared for is the security implication on the new web service protocols which do authentication in a regular, often and predictable way (much like IMAP used in the example), like XML-RPC, SOAP and REST. If SSL is compromised in situations like these, then we've just realized that we're a huge step backward in connection and integration from where we thought we were. At least, that is, until the protocol is fixed (if that's possible).

Re:Only affects IMAPS?

[mbogosian]

At least, that is, until the protocol is fixed (if that's possible).

I stand corrected, the implementation (OpenSSL) is fixed (OpenSSL 0.9.7a). I just hope that sysadmins are better at keeping their OpenSSLs up to date than they are at patching their IIS installations.... ;-)

Timing analysis is nothing new

This was already discussed at HAL 2001...

Re:Swiss Find Holes in Everything

[B3ryllium]

Hahah ... that one didn't occur to me until just now :) very funny :)

Re:Arg!!!!

Stop acting like a baby. If you read the article you would know that its already fixed in the lates version of the affected software.

"The Swiss researchers said they had passed on their findings to SSL's developers, who have closed the loophole in the latest version of the software."

AC said

"My god, it is hard enough to get people to fix things like SQL server or MSDE, "

Oh well, should have used a DB from a vendor who does a better job with patches and security. People are afrad of patching their critical SQL servers because MS sucks ass at patching. They have historically put out patches that either break of mame systems and the result of this is gunshy MS SQL admins.

RFC 2617 explains HTTP Basic Authentication

[yerricde]

Of course its insecure, they programmed their security in basic.

Those of us who wonder what the "basic" in HTTP's "basic authentication" really stands for should read RFC 2617.

Eeek

[IanBevan]

Apparantly the flow only affects webmail...

Oh no ! Now unauthorised crackers are going to be able to read all my spam ! They'll no doubt have the same problem as me trying to find solicited emails in there somewhere...

Re:Eeek

[sbeitzel]

Heh. If only it were the limit, then it'd be a nonissue. But what if the password on your webmail account allows the attacker to get shell access to that machine, and then exploit some local root hole? It's conceivable.

Not Webmail, IMAP over SSL

[jsong]

The exploit attacks the SSL protocol, and in the paper they explain the attack on IMAP over SSL.

People often use IMAP over SSL to avoid giving their email password to the whole Internet. Unfortunately, IMAP uses short, repeated messages, which makes it an ideal target for certain cypto attacks.

Honest question

I'm honestly confused here: Professor Serge says "It is the first time we have noticed a security problem in the SSL protocol itself and not in how we use it or how we implement it." But then later, the article says "The Swiss researchers said they had passed on their findings to SSL's developers, who have closed the loophole in the latest version of the software."

So, um, is the hole in the protocol or the software that uses the protocol? If it's in the protocol, what software did they fix, what fix did they implement, and how does that make a difference to all the other software that uses SSL?

More from OpenSSL changelog

[XenonOfArcticus]

*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked via timing by performing a MAC computation even if incorrrect block cipher padding has been found. This is a countermeasure against active attacks where the attacker has to distinguish between bad padding and a MAC verification error. (CAN-2003-0078)

I interpret this to mean that all implementations of SSL, including OpenSSL, _could_ have this information leakage behaviour, depending on how they are implemented. OpenSSL did happen to have this behaviour, and has now been altered to take the same amount of time in either case, thus not giving the attacker any useful information.

A proposed solution

[laing]

The protocol should be revised to include specifications on error handling. If an attack of this nature is attempted, the server should at some point stop responding to the bogus packets.

Re:Shit...that's a good third post!

Perhaps you should go into marketing.

Shit...that's a good slogan!

Re:Spelling Natsi

Yeah, because God knows that editors shouldn't edit.

protocol is slightly flawed

[nestler]

The protocol RFC says that you should send different alert codes on the wire for the two different cases which is what this attack needs to work. So the protocol is flawed in the sense that following the RFC to the T makes you vulnerable.

However, it is not an unfixable problem (implementations can avoid the attack if they so choose) and it is certainly not as dire as the BBC article would make it out to be.

Re:protocol is slightly flawed

No, this attack is a TIMING attack which relies on the different amount of time it takes to check the two different cases.

Re:protocol is slightly flawed

[nestler]

No, this attack is a TIMING attack which relies on the different amount of time it takes to check the two different cases.

The whole point of the timing attack is to distinguish block errors from MAC errors. If the stack already tells you (through different alert codes) which one of those happened, you don't have to bother with a timing attack. Read RFC 2246 p. 26.

Re:protocol is slightly flawed

If you already have the key to decrypt the error code, then why not just decrypt the data in the first place?

Re:protocol is slightly flawed

[lazyl]

If the stack already tells you (through different alert codes) which one of those happened, you don't have to bother with a timing attack.

And if that was the case then why would they go through all work of determining the errors based on the timing? They're not idiots. It's because that's not the case. The errors are encrypted. The attacker can't read them.

Re:In other news...

The traffic is full duplex, don't worry.

Re:8==(,,,)==D ~* ~o ~O

So you actually bought into that penis extension spam?

Impact on SSH?

[XenonOfArcticus]

The article neither confirms not denies if this will impact the SSH protocol or its implementations. I expect it probably does not, but I recall last time I compiled SSH I think it required an SSL library. It probably only uses the crypto routines, and not the actual protocol code (which this leakage occurred in), but I wonder if any (Open)SSH experts can comment on this, and if any similar timing information leakage exploits might exist in the SSH protocols.

Re:Impact on SSH?

[baudbarf]

I wonder about this as well. If what I've been reading is accurate, and the info can be cracked by watching the same text repeatedly encrypted and sent over the network, then I would think SSH is affected.

Each login to the SSH server requires that you send your login name and password. Yeah, it isn't as frequent as an e-mail program checking every five minutes, but it isn't our place to judge how often is "often enough". A vulnerability is a vulnerability, so IMHO, if you're vulnerable at 12 times a minute, then you're vulnerable at 2 times a day.

I'd like to see the SSH implications addressed.

Re:Impact on SSH?

These kinds of issues were addressed for SSH long long ago.

Re:Impact on SSH?

[baudbarf]

These kinds of issues were addressed for SSH long long ago.

I appreciate your response, but with more than the due respect, would you please provide some information to back up your statement? I'm not very knowlegeable in this area - encryption is an incredibly complex field - but I /am/ concerned about the security of my communications.

Re:Impact on SSH?

[ak_hepcat]

If this turns out to be true (impacting SSH) then would using certificates instead of username/password alleviate the issue?

The keyspace is much larger with the certificate, although the underlying packet structure is probably going to be much more regular than trying to deal with an HTTPS session to some random site..

This could end up being pretty serious.

Webmail?

[korny69]

The attack deals with reoccuring data being sent between the client, man-in-the-middle, and the server. This deals with any data being sent many times across an SSL session and not just passwords, although passwords coming from a mail client such as Evolution, Outlook, Outlook Express, or whatever is a good example.

The description is a little misleading with the webmail and not cc info. If I sent my CC info across a SSL session many times, it would be just as bad as an email password.

Although, if I sent my CC info across any session more than once, I would be asking for it anyways.

Note: Gentoo and Entrust have already released updated packages for users to install. It will not be long until RedHat, SuSE, and others do as well.

Funny guy.

[apankrat]

Ok, non-anonymous SSL is immune to M-n-M attacks. Better ?

SSH not affected

[nestler]

This flaw is specific to the SSL protocol. OpenSSH only uses OpenSSL's crypto library, not its SSL stack. (Open)SSH should not be affected.

Re:SSH not affected

[XenonOfArcticus]

Thanks for clarifying that SSH only incorporates the crypto code from SSL, and does not use the affected protocol handling code.

However, is it known for sure that SSH does not suffer from a similar timing-based information leak in its own protocol handling code? I don't know, and I don't know if such an examination has been done (yet).

It is possible that SSH could be exposed to a similar attack if it were used regularly to initiate sessions. For example if you had an entry in crontab to SSH a job onto another machine at regular intervals, you might amass enough sessions to make you vulnerable to this sort of exploit, should one exist in SSH.

Let me be clear, I have no evidence that this is the case in SSH at all, but it seems like a good stimuli to review SSH to ensure it doesn't. Unfortunately, I'm not qualified to do so. Knowing the reputation of the OpenSSH crowd, if has not been done and could be a risk, it will be done.

Many eyes, shallow bugs.

ObMicrosoft: Anyone know if IIS's HTTPS implementation suffers from this weakness?

Definitely floor wax.

[cicadia]

The exploit is a timing attack; a side-channel attack against an actual implementation of the protocol, not the protocol itself.

Nearly every crypto protocol has 'flaws' such as this, and power-analysis 'flaws', and other sorts of issues which don't involve the protocol itself, but the fact that it has been implemented in a real-world device.

In nearly every case, once an attack like this becomes known, the response should be simply "so don't implement it like that anymore". The protocol itself doesn't actually change.

Great - I just bought the O'Reilly OpenSSL book

just an hour ago and it is obsolete already.
Way to piss away your money on computer texts.

Not vulnerable to MITM as you describe

[Brian+Hatch]

SSL is not immune to man in the middle attacks. Where did you get that?!? Any public key system is vulnerable during the first key exchange.

Bull pucky.

SSL is not vulnerable to a MITM during key exchange as you describe iff you are verifying certificates. HTTPS, as implemented in web browsers and other software that includes a list of trusted certificate authorities (CAs) does verify certificates. Not only that, but it requires that the common name (CN) match the host name, to prevent me (I have a cert for ssl.example.com) from interposing myself between a client and your server (www.some_domain.com) with my valid CA-signed ssl.example.com certificate.

Now if you use a client that does not support certificate verification, then yes, you are vulnerable to a MITM. For example when you use SSH and connect to a host for the first time and do not already have a copy of the host key stored on your machine (perhaps you got it on a floppy, loaded it from a web page, or some other method of getting it that you trust) then you must blindly say "Yes, I trust this fingerprint is correct." If you do this, then you may have been MITM'd, and you wouldn't know.

The best bet in this case is to check the actual server certificate once you log in and make sure that it matches the one you just accepted. You'd need to "cd /etc/ssh; cat ssh_host*.pub" and compare the output of the server keys to the one just entered into your ~/.ssh/known_hosts file. True, if you were MITM'd, then the cracker could be re-writing the keys you read from your cat command, but that's a pretty high bar for it to get over. (You might run 'less' or 'more', etc, so it's difficult for it to know when you're viewing the actual server key.)

So, in summation, if your use of SSL (or any public-key crypto) doesn't include certificate verification (or the appropriate analog), you are always vulnerable to a MITM attack. Major HTTPS implementations do not fall into this category.

Re:Not vulnerable to MITM as you describe

Hatch assumes the public has a brain!

Most of your statemnet is correct except that you forgot to mention that just because the browser verifys the certificat all the users sees is "some message" that they need to say YES to..

Also, there is NO requirement that the common mame match the host name if the match isn't there that's ok, all the user has to do is click this is OK... that's how IE and Netscape work (I personaly design secure soltuons for OpenWave Browsers and the like which are used for cell phones and then your statement would e correct the CN must match the hostname because you don't even get prompted to accept the certificate).

In other news: Bacon Good For You

[usurper_ii]

Bacon Good For You, Reports Best Scientist Ever

http://www.theonion.com/

ROCHESTER, MN--Bacon, long believed to contribute to heart disease and obesity, possesses significant health benefits, according to a study released Monday by Dr. Albert Gruber, the best scientist ever. "My research has found that three strips of crispy, mouthwatering bacon every morning can actually reduce cholesterol and help slow the aging process," the awesome Gruber said. "What's more, the bacon's positive effects are enhanced when combined with milk shakes and/or marijuana." In 1997, Gruber, a Mayo Clinic cardiologist, was awarded nine Nobel Prizes in Medicine for discovering that frequent oral sex with models cures cancer.

So what the man in the middle does

[roystgnr]

Is receives your public key, and sends his public key to the SSL server in it's place. He also receives the SSL server's public key, and sends his public key to you in it's place. He then decrypts every message you send to the server (which you will have encrypted using his public key, thinking it was the server's public key), reads it, and reencrypts the plaintext using the server's real public key before sending it on to the server.

Granted, this sort of attack can't be very easy unless he has total control of a router in between you and the server, but unless there's some out of channel way of verifying the private keys (web of trust or certifying authorities, for example) then this is at least theoretically possible.

Re:So what the man in the middle does

[redhat421]

This attack is mitigated by checking to make sure the CN matches, and verifing the SSL public key you get is signed by a CA that's in your trusted list. So if an attacker wanted to pull this off, he would need to sign the key with a CA thats in your browser (or get the user to click ok on a warning message).

Re:So what the man in the middle does

[dsb3]

> Granted, this sort of attack can't be very easy unless he has total control of a router in between you and the server ... or he can spoof a DNS reply and thus entice you open your connection to his MITM station in the first place.

Does this affect mod_ssl for Apache

[supun]

Just curious since no one has mentioned it?

Realization

[griffjon]

First cheese, now SSL. Do they have no limits? No qualms? What next? Innocent pastries??? ...Ohmigod... DONUTS. I feel sick.

Is nothing holey? er, I mean, holy?

Re:Realization

[antiprime]

As I type this, "life saver" mocks me from across the room. I never noticed this plot before, and I suppose there's a hole in that too. *fume*

yes, it does

[nestler]

Yes, because it affects OpenSSL (which is what both mod_ssl and ApacheSSL use for their SSL stacks).

You should upgrade your OpenSSL version to 0.9.6i or 0.9.7a. If that is not possible, disable all non-RC4 ciphersuites in the mod_ssl config.

Re:yes, it does

<sung to="some crap">
but not ISS
Ohh not ISS
ISS is secure
Apache is not!

Yes ISS is secure
and Apache is not!
</sung>

Differences Between Post and Article?

[RAMMS+EIN]

I have the feeling the assertions made by the original poster and the researhers are rather different. A few examples:
"Quoting Professor Serge Vaudenay from a BBC article the security problem is in 'the SSL protocol itself and not in how we use it or how we implement it.'"
This is different from what it says in the LASEC memo, which identifies a timing attack as necessary to distinguish MAC errors from PAD errors. This suggests that if random delays are added to the error messages, the vulnerability disappears. The article also mentions (obligatory?) that the hole has been fixed in OpenSSL 0.9.7a, which clearly means that the vulnerability is implementation-dependent.

"Apparantly the flow only affects webmail and not banking or credit card payments and took less than an hour (160 attempts) to crack."
The LASEC article does not mention webmail at all, it talks about MicroSoft Outlook connecting to an IMAP server as a convenient example of a situation where the attack is fairly easy to carry out. The point is that the information that is being sent is the same every time, so that multiple guesses can be made. Additionally, in the example, Outlook connects to the server and sends the password every 5 minutes, so that multiple guesses can be attemted in a reasonably limited time span. This means that an attack is feasable for services like email, where the same information is transmitted frequently, and harder for services where the frequency is lower, e.g. SSH sessions.

just my thoughts, I'm not a security expert - yet.

---
All generalizations are false.

This is not a new vulnerability

[apankrat]

The article in question merely extends previously announced Vaudenay attack against CBC-based symmetric ciphers.

Vaudenay algorithm is a Man-in-the-Middle type of an attack that relies on SSL error messages (invalid_pad and invalid_mac) to effeciently deduce message padding information and (somehow) use it to bruteforce the key.

The attack in current article merely fights the fact that certain SSL/TLS versions do not provide error feedback that is required by the Vaudenay algorithm. So, they measure server response time instead and use it to estimate how much of the message processing the server has performed prior to failing the exchange. This obviously provides a missing information to the Vaudenay algorithm so that it can function as designed.

SWISS CHeesE

[ksplatter]

The Swiss are all about Holes huh? First Swiss Cheese, Now This!

Did you know that they invented Donut Holes as well. No Actually a man names James Vindenhaffer broke into the Duncan Donuts research facility and went through all of the garbage. He first tried to glue all the Holes together to make new donuts but after being frustrasted with their odd shapes decided to leave a good thing untouched.

This is where Jamie BrickenHymer took over. After buying a holeless Donut from a Donut shop in Clevland Ohio he wondered where all the other Donut Holes went. Little did he know that he was being bugged by Micrsoft. 3 Days later Microsoft had the patent for the Donut Hole and sold the Rights to Dunkin Donuts for 43 Billion Dollars.

Re:SWISS CHeesE

Wouldn't our time be better spent searching for holes in female Swiss Researchers?

one word

workaround

Webmail?

[gmuslera]

The problem seems to be when you have a long session with the server, be webmail, imap over ssl or whatever that makes you be in ssl mode for a lot of time. If you are connected in ssl mode to a site where you be for an hour, and at last you buy something with your credit card, you credit card transaction will be vulnerable. Is not related to what travels, but for how long you are connected.

email...

[RAMMS+EIN]

The one service I can think of that this poses a serious threat to is email (especially POP3, IMAP could be secured by varying the length of the identifier, rendering the position of the password unpredictable), as it's one of the few services that send the password often. Well, it's not like email is in any way confidential; it's usually sent over unencrypted connections anyway. The real danger is in using the same password with multiple services, which opens up all those services once the password is obtained from any one of them.

I read all my email over an SSH link to the mail server, using the mail client installed there. This means I send my password over the net about once a week, namely only when I open a new SSH session. My /. pass is a different story, but that's a different password anyway.

---
Anyone who believes that corporate research can or should replace university research deserves to live in a world where this has taken place.

Never underestimate the stupidity of the public...

[Brian+Hatch]

Hatch assumes the public has a brain!

No, I never assume the public has a brain. Your comments are completely correct. However I was addressing a vulnerability in SSL and HTTPS in particular, rather than a vulnerability of the user sitting in front of their computer.

I've written many times about how blindly clicking "YES" is a great way to defeat your security. SSL is not a magic bullet, SSH MITM Attack "Challenge" writeup, and a good section in HLEv2 which is unfortunately not availble online. I'm sure you can find a few of my rants in the Stunnel mailing list archives as well.

Do I trust that users will possess a brain and use it? Hell no. But that wasn't the original question.

Re:That's all fine and good ...

Even if you got off your ass, you wouldn't be implementing mod_ssl, you would be making use of mod_ssl.

theyve done it!

[EpicSoul]

Wow, imagine a software error!! Curse those mindless programmers who didnt think of every detail! Honestly, its not a big deal, so people will have to be more careful with SSL... thats sure special... but that happens with what...nearly every program. People are too heavily relying on automation.

Compatibility without complete compliance

[IncohereD]

It's possible to not follow a protocol exactly without breaking compatibility. Basically all this is doing is returning the same error for two separate error conditions, rather than specifying the specific cause of the error.

This doesn't break compatibility because the cause of the error isn't important to the error recovery logic.

It would be like if there were different '404 not found' error types for no directory and no file errors in the HTTP standard. The protocol could specify returning the specific error, but if the server returned the same error for both, the user wouldn't really care. All they know is that the URL is bad, and they'll have to try another. Unless they're debugging the server they don't really care whether it was a file or a directory.

This SSL thing is similar. It would be important for debugging, but I can't see the user (even if the user is a piece of code) caring where the error was, as long as they know it's a transmission error.

Re:Compatibility without complete compliance

You're wrong.

The only information leaked to the attacker is the amount of time elapsed between sending the bogus packet and getting the error response. The attacker can't decrypt the error response without having the key. The ONLY change in OpenSSL is that it performs a redundant check so that the same amount of time will elapse in either case. This is 100% compatable with the spec.

Easy fix

[the9thbit]

The attack is based on the timming of an error. Simply throw in a random wait timmer on anything suspicious, ie errors and such.

There's a much bigger hole

[crosbie]

1) Create a spoof website that impersonates a login page of a eCommerce/eBank site of your choice.

2) Send a junk mail (to everyone - false hits don't matter) advertising a special offer or something to get people keen to click the URL to your spoof login.

3) 99% of punters will a) not look for the 's' on https, and b) not look for the weeny padlock icon.

4) Harvest the passwords, use 'em, and then scarper.

SSL is only secure if a) the user knows how to be sure that it's in use, and b) can trust their own PC.

Re:There's a much bigger hole

This is an exceptional point.

I mentioned something similar months ago - that there's a growing trend among banks and ecommerce sites (AMAZON.COM being one of them) to put the login on a non-secure site, and then POST to a secure site. I got roasted for not having "proof" (i.e. an article) that cited this hole...(if I had spoofed a quick article or reference, I would have been golden....)

Anyway.. the real hole here is that if you are accustomed to seeing the amazon.com page, and you know what it looks like, and it never was secure, you grow to trust it. If someone changes that "form post=" destination, then your password goes to an unknow destination. And that can be done as you suggested (with a spoofed page), or by a man-in-the-middle.

Sort of like a bank putting up an ATM in a location, with bank signs all over it.. then one day they remove the ATM, and a fradulent ATM company sets up a fake ATM in the same location to collect passwords.

Re:There's a much bigger hole

Yeah whatever. Amazon also keeps enough information in a non-SSL cookie so that you can order in "One Click". They obviously don't give a crap about fraud losses.

Re:There's a much bigger hole

[mlk]

This use to be very popular with AOL.
It has almost stopped now, but could be becouse I don't even open email in the AOL client anymore.

(yeah, I use AOL, it was cheaper than the alternatives, and it is one of a very small number that actually other 24/7 access, and mean it)

Upgrade

But if I upgrade OpenSSL. would I also have to recompile say ssh, mod_ssl, mozilla etc.?

Re:Upgrade

This depends on a number of factors:
one ssh etc using dynamicly or staticly linked Bins, if static YES, if dynamic ...

Is your OS a retarted pile of SHIT?
If yes, then VERY LIKLY, keeping binary compantablity between libs on RETARTED OSes (like ones which use ELF) is quite hard, your lib HAS to be the same size, if no

Then NO, your OS will load the lib as long as its not a major change which changes the public interface. Like say a JAVA based OS.

Giggle.

[Black+Parrot]

Q: Is it still okay to send my credit card number over SSL?

A: Yes, after last weekend everyone already knows your credit card number anyway, so don't worry about it.

I think that is wrong

[phr2]

The certificate just means that if the MITM changes anything in the data, he will induce errors and the SSL stack will notice them.

In the attack being discussed, the MITM is supposed to induce errors, and see how the other end reacts. The certificate doesn't prevent that.

What was that again?

[theCat]

I looked at "A Hole in SSL" and for some reason I could not free myself from reading that as a prOn reference, like the title to some cheap dirty movie.

I guess it's been a long week.

ACHTUNG:

RAMMS+EIN HATH SPOKEN.

---
Get a gay nick, and 6 months later, the band you got your gay nick from disappears to a hidden homo-hole! THAT IS YOUR WAY.

Don't click

[Xenographic]

We all know where any URL on slashdot with the word "goat" in it goes :[ I post this because I almost missed the ACs mentioning it and my karma is higher, so people should see this before they click.

OpenSSL bug; NSS not vulnerable

[madbrain]

FYI, Netscape fixed this bug in NSS in 1998. No Netscape or Sun SSL servers released since then have been vulnerable to the attack as a result.

This is merely a problem in OpenSSL, and it doesn't affect SSL in general.

Obvious?

[Steeltoe]

The proper way to solve stuff like timing seems to become totally paranoid about timing:

1) Randomize the message-queues: Some requests coming later will be processed sooner than others and vica versa.
2) Randomize the response time or guarantee a response time at a certain time (real-time systems).
3) Maybe even: Compute everything even in case of early failure. Have as few paths of execution as possible handling the request. (Makes it more difficult to intercept and analyse signals from the circuits etc)
4) And of course the system should never ever accept more than N failures, and start blocking out requests based on IP or other "reliable" identification.

Let's never forget there is never 100% security.

Re:Obvious?

[tdlewis]

> 2) Randomize the response time How about only randomizing the response time for error messages? > 3) Maybe even: Compute everything even in case of early failure That gives a boost to people waging denial of service attacks unless you also... > 4) And of course the system should never ever accept more than N failures

Re:Obvious?

[Steeltoe]

How about only randomizing the response time for error messages?

This might be adequate in some circumstances. In others, it might be devastating. It's okay, so long as the attacker can't drop the connection after a short timeout (she then knows there is an error after a specified time, and don't have to wait for a response), and reconnect with a fast loop. You really have to tailor it to the system. It's probably "safe", but required care.

That gives a boost to people waging denial of service attacks unless you also...

Agreed. That might be an issue to consider too for CPU-intensitive calculations. Good observation!

And of course the system should never ever accept more than N failures

Probably the most important feature to implement. And one must not allow concurrent connections in a backwards-way so that an atttacker can connect with 10000 connections, thus being allowed 9999 retries.

Security is really for the Paranoid with a Big 'P'. ;-)

Re:Obvious?

[tdlewis]

Security is really for the Paranoid with a Big 'P'. ;-)

It doesn't matter whether one is paranoid or not... they're still out to get you!

Re:Swiss Find Holes in Everything

[CFusion]

What's really fuckin funny about this is that the mods gave me a -1 and you a +1.... mine for rendundancy even tho it was posted 14 seconds BEFORE the other redundant post... hmmmm. me smells asshole.

Re:Swiss Find Holes in Everything

[CFusion]

What's even more fuckin funny is there are three posts AFTER mine which have at least 2 (some 5) + ratings for being FUNNY?! WTF happened to redundant you cocksuckers?

SSL 3.0 less vulnerable than TLS to this attack

[MisterSSL]

Good old SSL 3.0 is significantly less vulnerable to this attack than TLS, the IETF proposed standard version of SSL, a.k.a. SSL 3.1.

Although the recent Lasec paper http://lasecwww.epfl.ch/memo_ssl.shtml describes the attack as working on SSL and TLS, the full attack (which reveals an entire password) depends on a property of block cipher padding that is true of TLS but not true for SSL 3.0.

TLS requires that each byte of padding in the last block have the same value, and that the server must check that the values are correct. The attack depends on the attacker's ability to determine if the value of each byte in a block is or is not the proper padding value for the length of padding being attempted by the attacker. This is only possible if the server actually checks the padding byte values. Fot this attack to succeed, it is necessary and sufficient for the server to check the first and last bytes of padding in the block.

But unlike TLS, SSL 3.0 requires only that the last byte of padding have the defined value. All bytes of padding preceeding the last byte have undefined values, and can contain any values at all. Thus it is not possible for an SSL 3.0 server to test the value of any byte of padding other than the last one. SSL 3.0 servers only test the last byte, if they test any at all. Servers that do not test these bytes are not vulnerable.

Consequently, when this attack is applied to IMAPS over SSL 3.0, no byte but the last byte in any cipher block can be revealed. The value of the last byte can only be narrowed down to 1 of N possible values (where N is the number of bytes in the block, 8 for DES, 16 for AES), not to the exact value. That's bad enough that a cryptographer wouldn't ignore it, but it's probably good enough that an SSL 3.0 IMAPS user needn't be too worried about it.

Last Post!

[alpg]

Please try to limit the amount of "this room doesn't have any bazingas"
until you are told that those rooms are "punched out." Once punched out,
we have a right to complain about atrocities, missing bazingas, and such.
-- N. Meyrowitz

- this post brought to you by the Automated Last Post Generator...