Why One-time Passwords Suck For MITM Attacks
whitehartstag writes "Black Hat 08 disclosed several SSL VPN and DNS vulnerabilities that caused several people to sit up and take notice. Some of these new exploits performed a brilliant Man-In-The-Middle attack on SSL VPN tunnels. This article walks you through how using certificates, instead of OTP tokens, for second-factor authentication can increase the security of your SSL VPN against these new types of attacks."
Alice and Bob's relationship will be at stake when an unknown interloper...Larry...arrives on the scene. Is this love line segment about to become a love triangle? Will the self-signed certs be accepted?
Coming to you this fall...Larry is...The Man in the Middle.
Obligatory blog plug: http://www.caseybanner.ca/
I am a FISH!
http://xkcd.com/177/
Eve
I know that there are some people that are very clever at doing these man in the middle attacks, but they usually happen in an academic setting as proof of concept.
Have there been documented cases of (successful) mitm attacks on banks or other high profile targets ?
MP3 Search Engine
( sung to the tune of Bobby Brown by Frank Zappa )
Hey, there, people I'm Vladimir Putin
Bush is a creep - I'm not just tootin
His car is fast, his teeth is shiney
He tells the coalition they can kiss his heinie
Here he is at a famous school
He's dressin sharp n he's
Actin cool
He's got his country there wants help with their paper
Let her do all the work while he covertly rapes her
Oh God he is the american dream
The rest of the world thinks he's too extreme
An he's a handsome sonofabitch
Got a political job n be real rich
(get a good
Get a good
Get a good
Get a good job)
Fake republican democracy
Came creepin across his nation
I tell you people it was more than an orgy
The U.S. Constitution was fucked by this guy named Georgie
He made a little speech then,
Aw, I tried to make him say when
I had his past in a vice, but I left the grades
There still in the records while his memory fades
Oh God he thinks he's the american dream
But now he smells like vaseline
An he's a miserable sonofabitch
He's a president AND criminal - it's not just WHICH
(I wonder wonder
Wonder wonder)
So he went out n bought a leisure suit
He jingles his change, but he's still kinda cute
Got a job doin Republican shows
Basically, all my friends that's how he goes
Eventually George and a friend
Sorta drifted along into s&m
He can take about an hour with Cheney in the shower
Then discovers it pushes his ratings even lower.
Oh God he is the american dream
With a spindle up his butt till it makes him scream
He'll do anything that would make most people sick
He lays awake nights sayin "thank you, Dick!"
Oh god, oh god, he's so fantastic!
Thanks to Cheney, he's a politcal spastic
And my name is Vladimir Putin
Watch me now, Im not just tootin,
And my name is Vladimir Putin
Watch me now, Im not tootin.
This isn't an attack on anything, really.
Here is what the article says:
"They will then go to all of the trusted CA's and try to get them to issue them a valid "internal only" certificate with the FQDN of a target sslvpn URL. As soon as they get a success, that company now becomes their target of choice. Remember, the certificate they need can be issued from any trusted CA in the browser and does not need to match the CA that the SSLVPN gateway is using."
Now, maybe I am not understanding the purpose of SSL certificates and the PKI infrastructure in general, but I was under the distinct impression that the whole reason those authorities exist is to verify who they give the certificate to, and in such a way that we, users, can trust these certificates.
If this is not correct, and anyone can with relatively minor effort get a certificate for a random domain name from one of the recognized cert. authorities - game over, none of this matters, the entire PKI infrastructure is in the crapper.
So, either we have to deal with cert. authorities signing things they should not or this is not an attack that is worth discussing. Everything else is a half-measure.
The guy was able to buy a certificate for Microsoft's login.live.com, from an undisclosed CA that's trusted by IE by default, because he checked a box saying it was only going to be used for internal use.
Please reveal the CA. They need to be shut down.
I may have missed something since I only skimmed the article, but it seems like configuring clients to use IPs instead of DNS names for your VPN server works around this. That may be a pain for you if you want to move to a new IP, but if your VPN server is behind a NATd firewall anyways, this isn't that much of a limitation...
A client cert, stored on the computer, should NOT be considered one factor in a two factor scheme, because the client computer is far too easy to compromise.
OTOH, it makes a good point that a client cert (OR, hell, just caching the server cert and complaining when it changes!) should be used because it's too easy to social engineer a valid cert from a CA
Test your net with Netalyzr
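The "cache the server cert and complain when it changes" idea from the comment above, written out as an added example (not code from the article, the thread, or any VPN product): trust-on-first-use pinning of the gateway's leaf certificate on top of normal CA validation. The pin-store location, the host name sslvpn.example.com and the stand-in certificate bytes in the demo are constructed for illustration; a CA-issued look-alike certificate still fails the pin even though the browser would accept its chain.

```python
"""Trust-on-first-use (TOFU) pinning of an SSL VPN gateway's certificate.

Added example, not code from the article or any vendor. The first time a host
is seen, the SHA-256 fingerprint of its DER-encoded leaf certificate is stored;
later connections that present a different certificate are refused, even if
the new certificate chains to a browser-trusted CA. Pin-store path and sample
byte strings are constructed for illustration.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path

PIN_STORE = Path.home() / ".vpn_pins.json"   # assumed location, illustration only


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_pins(path: Path = PIN_STORE) -> dict:
    if path.exists():
        return json.loads(path.read_text())
    return {}


def save_pins(pins: dict, path: Path = PIN_STORE) -> None:
    path.write_text(json.dumps(pins, indent=2))


def check_pin(host: str, der_cert: bytes, pins: dict) -> str:
    """Return "first-use", "match" or "MISMATCH"; records a new pin in place.

    MISMATCH means a different leaf certificate was presented for a host we
    have already pinned: exactly what a CA-issued "internal only" certificate
    used by a man in the middle would look like.
    """
    fp = fingerprint(der_cert)
    known = pins.get(host)
    if known is None:
        pins[host] = fp
        return "first-use"
    return "match" if known == fp else "MISMATCH"


def connect_pinned(host: str, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin after the usual CA validation."""
    ctx = ssl.create_default_context()
    pins = load_pins()
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    verdict = check_pin(host, tls.getpeercert(binary_form=True), pins)
    if verdict == "MISMATCH":
        tls.close()
        raise ssl.SSLError(f"{host}: certificate changed since it was pinned")
    if verdict == "first-use":
        save_pins(pins)
    return tls


if __name__ == "__main__":
    # Offline demonstration with constructed stand-in certificate bytes.
    pins = {}
    genuine = b"constructed-der-bytes-of-the-real-gateway-cert"
    lookalike = b"constructed-der-bytes-of-a-ca-issued-lookalike"
    print(check_pin("sslvpn.example.com", genuine, pins))    # first-use
    print(check_pin("sslvpn.example.com", genuine, pins))    # match
    print(check_pin("sslvpn.example.com", lookalike, pins))  # MISMATCH
```

The first connection is the weak point of any TOFU scheme: if the interloper is already in place when the pin is recorded, the wrong certificate gets pinned. Distributing the expected fingerprint out of band with the VPN client configuration closes that gap.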
... and then the execs need to be drawn and quartered.
Only partly joking. This is such a flaming case of massive malfeasance that impacts **SO** much more than your run-of-the-mill corruption and other shenanigans. As other posters have noted, this shadiness means certs like this are, in general, complete crap, and given the extent to which many very vital businesses conduct online operations on the basis of these certs, a simple slap on the hand -- or even forcing the CA out of business -- is far too limited a repercussion.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
Thawte does this; look about halfway down the page
I must say that in general I have been unsatisfied with thawte. They gave me a hard time about re-issuing my cert after the debian-ssl debacle and in general their tech support people don't know anything beyond what is already on their site.
Seriously, I pay over a hundred clams a year just so that I can have ssl communication without the "OMFG THIS SITE IS GONNA HAXOR YOU" dialog box popping up in users' browsers, and they pull all kinds of monkey business.
But since verisign owns them, I wouldn't hold my breath for them to be shut down. My guess is the other CAs do this, too.
weirdest thing I ever saw: scientology advertising on slashdot.
OTP can work effectively and does thwart MITM attacks if implemented properly. Using counter-based algorithms obviously is useless in my opinion, but products based on time-based algorithms with effective end user policies are more than effective in doing the job. I'd like to see one person show me an attack, public or otherwise, that is able to counter an OTP that has a lifespan of 20 seconds and is implemented properly with account lockout policies. Add to that end-user certificates and you have extremely effective security. While there are several vendors with time-based OTP like RSA, Vasco, Identita, the OATH consortium is an open source vendor sponsored forum that also has code for producing time-based OTP. See Oath @ http://www.openauthentication.org/
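To make the claims in the comment above concrete, here is an added example (not the OATH reference code or any vendor's product) of RFC 4226 HOTP and RFC 6238 TOTP with a 20-second step, a server-side verifier that refuses reuse of a consumed step and locks the account after repeated failures, and a small model of what a man in the middle can do with a captured code. The shared secret is the RFC test secret so the numbers can be checked against the RFC appendices; the 20-second step and the lockout threshold of three failures are assumptions chosen to match the comment.

```python
"""HOTP/TOTP (RFC 4226 / RFC 6238) with a short step, plus a relay check.

Added example, not the OATH reference code or any vendor's product. Uses the
RFC test secret; STEP_SECONDS and MAX_FAILURES are assumptions matching the
comment this illustrates.
"""
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"   # shared secret from the RFC 4226/6238 test vectors
STEP_SECONDS = 20                      # assumed lifespan of one code
MAX_FAILURES = 3                       # assumed lockout threshold


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server side: accepts the current step only, refuses a step that was
    already consumed, and locks the account after MAX_FAILURES bad attempts."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS):
        self.secret = secret
        self.step = step
        self.last_used_step = -1
        self.failures = 0
        self.locked = False

    def verify(self, code: str, now: int) -> bool:
        if self.locked:
            return False
        current = now // self.step
        if current <= self.last_used_step:       # replay of an already used step
            self.failures += 1
        elif hmac.compare_digest(code, hotp(self.secret, current)):
            self.last_used_step = current
            self.failures = 0
            return True
        else:
            self.failures += 1
        self.locked = self.failures >= MAX_FAILURES
        return False


def relay_in_window(secret: bytes, t_user: int, t_attacker: int) -> bool:
    """Does a code the user typed at t_user still verify when an interloper
    submits it to the real server at t_attacker? A live proxy forwards it at
    once (same step); a delayed replay lands in a later step."""
    server = OtpVerifier(secret)
    return server.verify(totp(secret, t_user), t_attacker)


if __name__ == "__main__":
    # RFC 6238 Appendix B vector (30 s step, 8 digits): time 59 -> "94287082".
    print(totp(RFC_SECRET, 59, step=30, digits=8))
    print(relay_in_window(RFC_SECRET, 1_000_000, 1_000_005))   # True: same 20 s step
    print(relay_in_window(RFC_SECRET, 1_000_000, 1_000_025))   # False: step has expired
```

The short step and the lockout do what the comment says for a stored or delayed code; the relay case shows the limit: an interloper who forwards the code within the same step is indistinguishable from the user, which is why the thread keeps coming back to binding the session to a certificate rather than to a number.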
would make good fodder for an xkcd comic
perhaps someone already has the relevant comic to paste under your comment?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
My wife showed me something today that has been bugging me for the entire day. She connected to her work via VPN with a security token (a number generator that was given to her and that is synchronized against a server number list, I suppose), and when she ran a search on something she mistyped, our provider, Rogers Canada, was able to get the mistyped word and inject their own search frame into the HTML that was returned to her browser.
Now, I am not sure how this happened; I was under the impression that a VPN encrypts all requests and responses. Maybe the search string from the browser was sent out as clear text, but this seems counterintuitive to me; I believed all communications on a VPN channel are encrypted. I know that this article is not really about MITM attacks, but I was wondering if anyone else has had a similar experience with Rogers or any other provider, or even if it sounds at all remotely possible and I am missing some key point here.
I checked that her computer was only on one network card, the wireless was disabled, the VPN was on, it was a wired connection and the search was done through FF search bar aimed at Google.
Thanks.
You can't handle the truth.
Too bad that the new authenticators from blizzard are OTP's and people are convinced that it is 100% foolproof, as this article tends to prove otherwise.
I made a VPN server using IPCop and added the Zerina OpenVPN package to it. Simple plug and play. It has its own internal certificate authority, and issues its own client certificates for each road warrior client you set up to be an OpenVPN client under the Zerina webgui. Very secure, since it will only accept the client certificates that were generated locally on the machine. The cost for the software is, of course, FREE. The old AMD Athlon 2400 Compaq PC upon which I'm running it is worth maybe $200 tops, including the second NIC card I had to put into it to make it a true dual-homed Linux firewall. It supports 15-20 concurrent roadwarrior connections easily; my single T-1 line is saturated long before the IPCop box reaches any significant load.
Can anyone verify what, if any, difference these "testing only" certificates have?
Do they come up with the name "TESTING ONLY - Mozilla corporation", or is it more like the sub-root key is named "Strictly testing only", which requires you to inspect the certificate fully for every connection?
Fortunately we've used client-side certificates for our 2 factor authentication for years. It's cheaper than tokens, and easier too.
I used to have a funny sig, but slash cut it off, and I forgot what the punchline was.
This is not about one time passwords, it's about misusing them.
And, while it is about poor practices issuing certs, it is more about the inherent weakness of trying to do it all with a single browser. And about the inherent weakness in using certificates issued by the public CAs.
With the current tools, requiring the client to have a cert, too, mitigates things a bit, but the client should never have been allowed to connect without a cert anyway, and neither the client nor the server should be using certificates issued by the public CAs for their VPN anyway. If you need security, you have to be willing to issue your own certs for day-to-day operations.
Secure connections need a dedicated browser that only connects to known IPs. And if the connection really needs to be secure, the client needs to be able to check the IP she is connecting to against two other servers' opinions of what the IP is.
Too much half-baked security stuff, people who seem to think that if half the security is good enough for them, all they have to do is implement half the spec.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
I might be missing something here, but this article proposes, as a way of trying to make the management of keys/certs easier (which is necessary to implement the client-side certs), to use this "SecureAuth" system. . . which downloads an SSL cert to your computer. So. . . uhh, why can't an attacker intercept this? Well, the answer seems to be (maybe I'm misunderstanding here) that before the SecureAuth system will download the cert to you, it sends you some sort of one-time-password via phone or SMS, which you must enter to get the key . . . but once you've typed in this one time password you got by phone, what prevents the MITM from intercepting that password the exact same way it would have been attacking the other one-time-password generated by the keychain fob, and therefore be able to impersonate you to the SecureAuth server and get the client cert which should have been sent to you?
Sort of on-topic: I'd just like to say that recently I decided to code a Java app for Smartphones that is a token generator (MD5 of minutes since 1970 and known string appended) - it works pretty well. I'm sure all you bastards will find some flaws in it though.
Get your own free personal location tracker
In other news, padlocks prove ineffective at stopping muggings, and bank vaults useless in preventing armored car hijackings. Industry expert Joe Schmoe quoted as saying "padlocks and bank vaults are really just security theater, and have no place in a legitimate security system".
I needs more nerd schoolin'
Forgive my squirrelly ignorance, but is using an OTP even supposed to be a counter to a MITM attack? I that they were used so that there was no one password to be compromised, prevent "replay" attacks, that sort of thing...
OTPs are meant to help against eavesdropping.
Anybody who feels the need to point out that they don't protect against MITM hasn't been paying attention somewhere in Security 101.
Not all OTPs are prone to MITM attacks; the Yubikey for example has an (8 Hz) timer built in, initialized to a random value on connection. Next time an OTP gets generated the timestamp moves up too, with a maximal difference of 10%. This timer prevents MITM attacks, without the use of a battery. Read more on their website.
I'm currently writing an authentication platform working with Yubico's demo and reprogrammed Yubikeys.
I'm not affiliated with Yubico, just a user of their product ; although I can tell this key has it done right!
They also seem to have a nice mindset allowing a large suite of usages with their product by focussing on the hardware only, leaving the software with 3rd party developers.
Oh, and did I mention it was open source?
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
<nazism type="grammar">
The headline says "IT: Why One-time Passwords Suck For MITM Attacks", and the body says "
This article walks you through how using certificates, instead of OTP tokens [...] can increase the security of your SSL VPN [...]."
I'm "huh?", right now. If use of OTPs is the MITM problem and certificates is the solution, then surely OTPs are good for MITM attacks, in that they make them easier to execute and are well-liked by the perpetrators, while certificates are bad for MITM attacks.
(Oh, and OTPs are bad because of the MITM they are good for).
</nazism>
From the article: ...he didn't disclose the CA that issued it to him but it was one that was trusted in IE by default.
Hey, let's blame the SSL, and not the retarded cert authority.
You are not obliged to use their authentication server. As a matter of fact, I'm writing my own (distributed) authentication platform for that one reason.
You don't have to use their server to be authenticated; as long as you keep the counters and timers synchronized with your own database.
Since the Yubikey is open-source, you could decrypt the key in no-time without even needing a remote connection to anywhere.
Whenever using a keyfob, yubikey or rsa one time pad, you will always have to store your variables for the next generation; Yubico's server is more of a demo working with pre-programmed keys. These keys do have one major drawback, though: I hope there will never be a virus disabling all these Yubikeys all together, just because they have NO PIN CODE pre-programmed and these devices are reprogrammable by the use of ActiveX.
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
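The two Yubikey comments above (the 8 Hz timer with a 10% tolerance, and keeping "the counters and timers synchronized with your own database") describe a counter-and-timestamp replay check. Here is an added example of that check, not Yubico's validation server and not the poster's authentication platform. It assumes the 16-byte plaintext layout documented for the Yubico OTP (6-byte private ID, 16-bit session counter, 24-bit timestamp at 8 Hz, 8-bit session-use counter, 16-bit random, 16-bit CRC-16, all little-endian) and works on the plaintext after AES-128 decryption, which is left out because it needs a third-party crypto library; the key database, the 10%-plus-one-second tolerance and all sample values are constructed.

```python
"""Counter/timestamp replay check for a Yubico-OTP-style token.

Added example, not Yubico's validator. Assumes the documented 16-byte plaintext
layout and starts from the plaintext (AES decryption omitted). Tolerance
policy and sample values are constructed for illustration.
"""
import struct
from typing import Optional

MODHEX = "cbdefghijklnrtuv"    # Yubico's keyboard-layout-independent hex alphabet
TICKS_PER_SECOND = 8           # timestamp resolution per the comment above


def modhex_decode(text: str) -> bytes:
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not modhex")
    nib = [MODHEX.index(c) for c in text]
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, len(nib), 2))


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)


def split_otp(otp: str) -> tuple:
    """A 44-character OTP is 12 modhex chars of public ID + 32 of ciphertext."""
    if len(otp) != 44:
        raise ValueError("OTP must be 44 modhex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])


def crc16(data: bytes) -> int:
    """CRC-16 (ISO 13239, reflected polynomial 0x8408, init 0xFFFF)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            low = crc & 1
            crc >>= 1
            if low:
                crc ^= 0x8408
    return crc


def build_token(uid: bytes, session: int, timestamp: int, use: int, rnd: int) -> bytes:
    """Assemble the 16-byte plaintext; CRC is stored inverted, little-endian."""
    body = (uid + struct.pack("<H", session) + timestamp.to_bytes(3, "little")
            + struct.pack("<B", use) + struct.pack("<H", rnd))
    return body + struct.pack("<H", (~crc16(body)) & 0xFFFF)


def parse_token(plain: bytes) -> dict:
    if len(plain) != 16:
        raise ValueError("token must be 16 bytes")
    body, stored = plain[:14], struct.unpack("<H", plain[14:])[0]
    if stored != (~crc16(body)) & 0xFFFF:
        raise ValueError("CRC mismatch: wrong key or corrupted OTP")
    return {"uid": body[:6],
            "session": struct.unpack("<H", body[6:8])[0],
            "timestamp": int.from_bytes(body[8:11], "little"),
            "use": body[11]}


class Validator:
    """Per-key state in the validator's own database: last accepted
    (session, use, timestamp). Counters must move strictly forward."""

    def __init__(self, uid: bytes):
        self.uid = uid
        self.last = None

    def accept(self, plain: bytes, wall_clock_elapsed: Optional[float] = None) -> bool:
        try:
            t = parse_token(plain)
        except ValueError:
            return False
        if t["uid"] != self.uid:
            return False
        if self.last is not None:
            session, use, ts = self.last
            if (t["session"], t["use"]) <= (session, use):   # equal or lower: replay
                return False
            if t["session"] == session:
                if t["timestamp"] <= ts:                      # timer must advance
                    return False
                if wall_clock_elapsed is not None:            # assumed 10% + 1 s tolerance
                    expected = wall_clock_elapsed * TICKS_PER_SECOND
                    if abs((t["timestamp"] - ts) - expected) > 0.1 * expected + TICKS_PER_SECOND:
                        return False
        self.last = (t["session"], t["use"], t["timestamp"])
        return True


if __name__ == "__main__":
    uid = bytes.fromhex("010203040506")          # constructed private ID
    v = Validator(uid)
    first = build_token(uid, 1, 100, 0, 0x1234)
    print(v.accept(first))                                          # True
    print(v.accept(first))                                          # False: replayed
    print(v.accept(build_token(uid, 1, 140, 1, 0), wall_clock_elapsed=5.0))   # True: 40 ticks ~ 5 s
    print(v.accept(build_token(uid, 1, 150, 2, 0), wall_clock_elapsed=60.0))  # False: timer disagrees
```

Note what the timer does and does not buy: it catches a code that was captured and submitted later, because the 8 Hz count no longer matches the elapsed wall-clock time, but a live proxy that forwards the OTP immediately presents a timestamp that is still plausible.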