Slashdot Mirror

← Back to Stories (view on slashdot.org)

Swiss Researchers Find A Hole In SSL

Posted by timothy on from the there's-holes-in-everything-over-there dept.

in4mation writes "The folks at LASEC have found a flaw in the SSL protocol. Quoting Professor Serge Vaudenay from a BBC article the security problem is in 'the SSL protocol itself and not in how we use it or how we implement it.' Apparently the flow only affects webmail and not banking or credit card payments and took less than an hour (160 attempts) to crack." Update: 02/20 20:52 GMT by T : Kurt Seifried writes to say that this is almost exactly wrong: "The flaw is in IMPLEMENTATION, NOT THE PROTOCOL. Due to the way error checks are handled an attacker can find out which error condition occurred by measuring the response. The solution is trivial, a path that forces OpenSSL to do the second check even if the first one fails, thus denying the remote attacker any information as to which exact error condition occurred." He includes a link to the security advisory at openssl.org. Update: 02/20 21:49 GMT by T : Read on below for some more information from SSL 3.0 designer Paul Kocher.

Kocher, President & Chief Scientist of Cryptography Research, Inc., writes:

The referenced paper (http://lasecwww.epfl.ch/memo_ssl.shtml) describes how timing variations in SSL/TLS implementations can be used in certain situations to slowly gather information about encrypted data. If the certain conditions are met, the attacker can decrypt some information from the message (e.g., a password). Strictly speaking, the fact that implementations reveal sensitive information in timing channels is an implementation issue, not a flaw in the underlying cryptographic protocol. This doesn't make the issue unimportant, however, and timing attacks are big deal for implementers because they are easy to introduce, notoriously tricky to detect, and often difficult to eliminate.

Answers to general questions:

1. Is it still okay to send my credit card number over SSL? Yes. This attack is not applicable to web shopping and there are much easier ways that fraudsters steal credit card information (e.g., breaking into merchants' web sites -- a problem that SSL can't solve). In any case, the bank is generally responsible if someone steals your card info.

2. Is the paper "real" or another bogus "I broke SSL" claim? The paper is legit. The Slashdot announcement suggests that SSL itself is broken, however, which is a bit misleading.

2. Is this a practical attack to exploit? Cryptographers need to be paranoid about unexpected situations. As a result, attacks can be important even if they are not practical to exploit under real- world conditions. The attack described in this paper is similar; while there are quite a few preconditions for mounting the attack, this does not make the research unimportant or mean that people should ignore the work. Specific requirements to mount the attack include:

  • The session has to use CBC mode. The vast majority of SSL connections use RC4, for which the attack is not applicable. Because of the algorithm negotiation used in SSL/TLS is secured in the initial handshake, man-in-the- middle attackers should not be able affect the outcome of the algorithm selection process.

  • The attacker has to act as an active man-in-the-middle attacker. Passive eavesdropping is not sufficient.
  • The server's SSL implementation has to be vulnerable (see #3 below). The protocol also has to be oblivious to repeated failures.

  • The target protocol also has to have some very specific characteristics that allow the adversary to form the right kinds of messages. For most uses of SSL (e.g., normal web browsing), this type of attack does not generally apply.

3. Can affected implementations be fixed? Yes. OpenSSL has been updated (http://www.openssl.org/news/secadv_20030219.txt). For more information, also see http://www.openssl.org/~bodo/tls-cbc.txt. I don't know what other vendors/projects are doing.

4. Is this an issue for the client or the server? Normally, this would only be an issue for the "server" (i.e., the party that receives the connection request), since normal SSL clients don't automatically large numbers of connections.

A couple of final comments:

I'm constantly amazed by the number of ways that it's possible to screw up security. Overall, SSL 3.0 seems to have aged well, but I wish I'd done a better job of handling errors in the design. In particular, error handling was involved in both of the attacks against SSL that I consider non-obvious, notably Bleichenbacher's attack and CBC-padding attacks such as this one. While these types of attacks weren't known when I was designing SSL 3.0, I generally wish I'd provided less information in error messages.

Finally, I also want to give thanks everyone who has helped to study SSL's security, contributed to implementations, and helped shepherd it through the standards processes."

22 of 231 comments (clear)

  1. Less than an hour huh?? by Anonymous Coward · · Score: 1, Funny

    So if i have 60 machines working on it I'll be through in less than a minute??

  2. SSL mail by Anonymous Coward · · Score: 1, Funny

    how many of you actually use webmail? be cool and use good ol' command line mail!!!

    1. Re:SSL mail by scovetta · · Score: 3, Funny

      My college required students to telnet into their vax machine to retrieve mail up until about 4 years ago, when they trashed everything and went to novell webmail.

      I figure this flaw won't affect them till maybe 2015 when they decide that IMAP might be the way to go.

      (shrug)

      --
      Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
  3. Ugh... by Anonvmous+Coward · · Score: 5, Funny

    "Swiss Researchers Find A Hole In SSL"

    Isn't that their style?

    Yeah, I know, that joke was cheesey.

    1. Re:Ugh... by Dr+Caleb · · Score: 2, Funny
      "Swiss Researchers Find A Hole In SSL"

      Did anyone else read that as "Swiss Researchers Find A-Hole In SSL" and think, "How did he get there?"

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
    2. Re:Ugh... by frenetic3 · · Score: 2, Funny
      Did anyone else read that as "Swiss Researchers Find A-Hole In SSL" and think, "How did he get there?"
      No. No, man. Shit, no. I believe you get your ass kicked saying something like that. :P

      -fren
      --
      "Where are we going, and why am I in this handbasket?"
  4. The Swiss by bytesmythe · · Score: 5, Funny

    Those damn army knives have a tool for everything nowadays...

    --
    bytesmythe
    Hypocrisy is the resin that holds the plywood of society together.
    -- Scott Meyer
  5. joke? by Anonymous Coward · · Score: 1, Funny

    Speaking of holes... If Iraq enters Turkey from the rear, will Greece help?

  6. BASIC? by sharph · · Score: 2, Funny
    An SSL-enhanced browser such as Internet Explorer or Netscape Navigator uses encryption to scramble the data you send to a web site into an unintelligible string of seemingly random characters. A typical transaction is a browser sending the contents of an order form to the server, checking emails on an IMAP server, using BASIC authentication to access a password protected part of a website, etc. Let's look at an example showing the difference between unsecure and secure transactions:
    Of course its insecure, they programmed their security in basic. (I'm smarter than this. It's a joke... Laugh.)
  7. But what if I'm a repetitive compulsive buyer? by djeez · · Score: 5, Funny

    I don't know, maybe I'm going to buy 160 different items, one at a time, each time sending my credit card number.

    1. Re:But what if I'm a repetitive compulsive buyer? by T-Daddy · · Score: 2, Funny

      Me I'm just impatient and I keep clicking that submit button until something happens.

    2. Re:But what if I'm a repetitive compulsive buyer? by Some+Dumbass... · · Score: 2, Funny

      I don't know, maybe I'm going to buy 160 different items, one at a time, each time sending my credit card number.

      That's why eBay is still in business...

  8. Uh oh... by fritter · · Score: 1, Funny

    But the researchers say the loophole does not apply to credit card transactions, as banks and e-commerce sites use a different type of SSL (Secure Sockets Layer) technology.

    Then after imploring those present to "kiss the rings", they emphasized that using your credit card was still entirely safe, and sped off in their newly purchased Mercedes-Benz M-Class SUVs.

  9. An Hour... by RyansPrivates · · Score: 2, Funny

    Yeah, but who's got an hour to spare these days...

    --
    If at first you don't succeed... How does that go again? Ah, forget it.
  10. Phew! by LongJohnStewartMill · · Score: 3, Funny

    Thank god I'm using Telnet!

  11. holy fuck! by Mourgos · · Score: 0, Funny

    That's what I screamed while cold sweat was dripping down my face.... and then I continued reading and saw that it still is safe to use my credit card. Hmm.... yeah I see how 'hackers' will go for my e-mail password first.

  12. Eeek by IanBevan · · Score: 2, Funny

    Apparantly the flow only affects webmail...

    Oh no ! Now unauthorised crackers are going to be able to read all my spam ! They'll no doubt have the same problem as me trying to find solicited emails in there somewhere...
    --
    Never, ever lose a file again. Ever.
  13. Re:OpenSSL new version has fix already by Anonymous Coward · · Score: 1, Funny

    > Does anybody know HOW this countermeasure works?

    Presumably the countermeasure was created by a human, so the answer to your question would be yes.

  14. Re:Heise and OpenSSL developers tells the opposite by Anonymous Coward · · Score: 3, Funny

    > Coincidentally, Gentoo Linux already has
    > an ebuild for OpenSSL 0.9.6i [gentoo.org].

    And in a few weeks when Gentoo is done compiling you'll be able to use it!

  15. SWISS CHeesE by ksplatter · · Score: 4, Funny

    The Swiss are all about Holes huh? First Swiss Cheese, Now This!

    Did you know that they invented Donut Holes as well. No Actually a man names James Vindenhaffer broke into the Duncan Donuts research facility and went through all of the garbage. He first tried to glue all the Holes together to make new donuts but after being frustrasted with their odd shapes decided to leave a good thing untouched.

    This is where Jamie BrickenHymer took over. After buying a holeless Donut from a Donut shop in Clevland Ohio he wondered where all the other Donut Holes went. Little did he know that he was being bugged by Micrsoft. 3 Days later Microsoft had the patent for the Donut Hole and sold the Rights to Dunkin Donuts for 43 Billion Dollars.

  16. Re:Huh? We must not have read the same article... by Anonymous Coward · · Score: 1, Funny

    yeah, outlook is a super poor product, yet everyone loves it.

    "i have some stupid method for renaming my address books so viruses cant get it"

    i have a better method, DUMP outlook, you know its garbage, its feature poor and prone to horrible problems, i have a car for you, its called a yugo

  17. Giggle. by Black+Parrot · · Score: 4, Funny


    Q: Is it still okay to send my credit card number over SSL?

    A: Yes, after last weekend everyone already knows your credit card number anyway, so don't worry about it.

    --
    Sheesh, evil *and* a jerk. -- Jade