Man-In-the-Middle Vulnerability For SSL and TLS

imbaczek writes "The SSL 3.0+ and TLS 1.0+ protocols are vulnerable to a set of related attacks which allow a man-in-the-middle (MITM) operating at or below the TCP layer to inject a chosen plaintext prefix into the encrypted data stream, often without detection by either end of the connection. This is possible because an 'authentication gap' exists during the renegotiation process, at which the MitM may splice together disparate TLS connections in a completely standards-compliant way. This represents a serious security defect for many or all protocols which run on top of TLS, including HTTPS."

We need to invest in Quantum Physics.

[jellomizer]

Only with quantum physics can we actually get a secure data transfer. Or not or both.

Re:We need to invest in Quantum Physics.

[PiSkyHi]

Come on moderators, its a joke - Yes, I realise its both funny and not funny at the same time.

Re:We need to invest in Quantum Physics.

[L4t3r4lu5]

Unfortunately, that's incorrect. By hearing (reading) the joke, you have observed its state. This has destroyed the alternative quantum state of the joke.

What will really irritate quantum physicists in this instance is that, unfortunately, the joke is both funny and unfunny at the same time. The state of the joke relies upon the opinion of the observer, not any quantum juxtaposition.

In fact, I'm not so sure this is related to quantum phy... Oh.

Re:We need to invest in Quantum Physics.

[mcgrew]

Damn you, Quantum Physics!!

Re:We need to invest in Quantum Physics.

[Jurily]

We know it's funny, we just don't know exactly how funny it is.

Re:We need to invest in Quantum Physics.

[93+Escort+Wagon]

Come on moderators, its a joke - Yes, I realise its both funny and not funny at the same time.

Before reading it, I thought your post might be funny. But my twin brother saw it first and didn't find it funny, which determined my state.

Re:We need to invest in Quantum Physics.

[jbezorg]

I died laughing when someone opened the box.

Re:We need to invest in Quantum Physics.

[Hurricane78]

It has destroyed the alternative states, yes. But it has created a separate universe for everybody!

So now we all run our very own instances of the universe.

Who am I telling this... you could just be imaginations of my mind... and if not, you are now in MY universe anyway! :D

Re:We need to invest in Quantum Physics.

[johny42]

http://xkcd.com/45/

Re:We need to invest in Quantum Physics.

[OldSoldier]

Funny... but as I understand it... one mode of QM communications only allows for 100% detection of an intercepted communication, not specifically unbreakable ciphers.

Re:We need to invest in Quantum Physics.

[L4t3r4lu5]

So now we all run our very own instances of the universe.

You've shifted into philosophy, my friend.

Solipsism

Re:We need to invest in Quantum Physics.

[L4t3r4lu5]

Investing in your future Rolls Royce Phantom and Sandbanks apartment, are we?

Re:We need to invest in Quantum Physics.

[Interoperable]

Ha ha, more like Ramen noodles and rent money.

Re:We need to invest in Quantum Physics.

[GrpA]

The funniest part of your post is the (Score:0, Funny)

GrpA

oh joy

[LoneWlf]

More cyber terror :)

Re:oh joy

[toleraen]

If the only place the exploiters were getting their info from was Slashdot, this world would be a much more secure place, and the attacks that did make it through would have more ponies.

Re:oh joy

[Albanach]

Millions of potential exploiters didn't know about it, until now.

Millions of ordinary people didn't know there was a vulnerability until now. Who knows how many bad guys knew already though?

Knowing of a potential vulnerability allows people to alter their behaviour if they deem that an appropriate response. Systems administrators can examine setups to see if they can use other methods to secure communications and it also allows all those who have written applications to examine their code.

I'd rather know of a vulnerability and respond, than not know while others are potentially exploiting it.

Re:oh joy

[think_nix]

I wouldn't be so sure on that, anyone can read a mail-listing Ill quote this from Marsh Ray on the ietf mail list:

I can confirm the severity of the TLS MITM bug. I've had a working
exploit going since the end of August.

Steve Dispensa and myself put together (with help of many of course) an
industry working group to address it. I think we were successful in
producing a preliminary fix, which vendors are in various stages of
testing and deployment.

We'd agreed to responsibly delay disclosure to give the industry time to
coordinate the fix.

Re:oh joy

[isama]

trojan unicorns.

Re:oh joy

[ThatsNotPudding]

Who knows how many bad guys knew already though?

If by Bad Guys, you mean Governments; probably damn near all of them, quietly building up a vast, J Edgar Hoover-style database for both blackmail and 'The Usual Suspects' showtrial roundups.

Re:oh joy

[sheph]

Security isn't accomplished by silence. The bad guys have known about this for a long time. Kind of hard for average people to protect themselves when the risk isn't made public. At the end of the day not much has changed. If you want a computer that is secure unplug it and lock it in a vault. Otherwise, expect that everyone on the Internet can see the information you keep on it.

Re:oh joy

[evilviper]

Who knows how many bad guys knew already though?

It doesn't matter how many may have known. What matters is if it was ever used. And once it is, it doesn't take too long to track down where the hole in the security system is...

Re:oh joy

[jamesh]

Millions of ordinary people didn't know there was a vulnerability until now.

Dear Ordinary Person,

As you may have heard in the media, there has been an exploit discovered in the security protocols used in the banking sector. As such, we require you to log on and reset your password. Please click on this link and enter your security details there. Please ignore any certificate warnings that you might see, they are unavoidable while we implement a more secure protocol.

Sorry for the inconvenience

Bad Guy^H^H^H^H^H^H^H Yourbank

web developers

[chrisranjana.com]

So are these man in middle exploits fixed in the latest Ubuntu release ?

Re:web developers

[bbernard]

"So are these man in middle exploits fixed in the latest Ubuntu release ?"

No, they've just changed the name to "koala in the middle" exploits.

We need

[jav1231]

We need someone who can eliminate these middle men! Where's Tom Shane on this??

Re:We need

[FauxPasIII]

In Antwerp, I would think.

This is news? Come on!

Anyone who knows anything about TLS/SSL knows that MitM attacks are always the biggest risk.

Heck, appliances like the IronPort devices use exactly that to inspect user traffic.

Its a quantum man in the middle attack

[Viol8]

Its the same man in all 3 places.

Re:Its a quantum man in the middle attack

[jonaskoelker]

Just like DRM, then? ;-)

Dissabling SSL re-negotiation?

[AbbeyRoad]

Am OpenSSL patch (http://www.links.org/files/no-renegotiation-2.patch) disables SSL
renegotiation, closing the security hole.

But let me ask this : who would ever require SSL renegotiation in practice?

I mean seriously -- changing the cipher in the middle of an SSL session??
  -- no mainstream scenario would ever do this.

A question comes to mind why renegotiation was ever supported in the first place.

The next question is what OTHER seldom-used "features" are supported by
most SSL implementations that are just supported so that the implementation
can claim full RFC compliance, but are never actually used by real web sites.

My own SSL builds disable everything except RC4-*-RSA

Re:Dissabling SSL re-negotiation?

[dopodot]

It's more than changing the cipher type, it's also negotiating up from anonymous client to verified client. The second situation occurs ALL THE TIME in web services that require different levels of trust for different content within the same site. So it's not a "seldom-used" feature in the least.

Re:Dissabling SSL re-negotiation?

[John+Hasler]

> The second situation occurs ALL THE TIME in web services that require
> different levels of trust for different content within the same site.

Don't do that.

Re:Dissabling SSL re-negotiation?

"But let me ask this : who would ever require SSL renegotiation in practice?"

from,

http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html

SSL renegotiation is useful in the following situations, once you have established an ordinary SSL session:

        * When you require client authentication
        * When you are using a different set of encryption and decryption keys
        * When you are using a different set of encryption and hashing algorithms

The last two are kind of useless in practice. The first one is very useful to authenticate the client. Actually, if this is the only way to verify client cert, then SSL renegotiation is vital part of SSL.

Re:Dissabling SSL re-negotiation?

[ArsenneLupin]

But let me ask this : who would ever require SSL renegotiation in practice?

I mean seriously -- changing the cipher in the middle of an SSL session?? -- no mainstream scenario would ever do this.

A question comes to mind why renegotiation was ever supported in the first place.

Client certificates need this.

Re:Dissabling SSL re-negotiation?

No, SSL client auth works just fine w/o renegotiates. Only some scenarios (client auth only for some resources on the site) or implementations (a webserver made in the american north-west) use renegotiates.

Re:Dissabling SSL re-negotiation?

[cananian]

RC4? Really?! Dude, that's totally broken -- see http://en.wikipedia.org/wiki/RC4#Security and especially http://en.wikipedia.org/wiki/Fluhrer,_Mantin,_and_Shamir_attack . Ron Rivest makes lots of good stuff, but all of "Ron's Codes" have been broken. (Except maybe RC6, but the AES committee determined that Rijndael was better than it.) Classic example of amateur cryptography actually resulting in a system that is *weaker* than the alternative. Le sigh.

Re:Dissabling SSL re-negotiation?

Umm, you want to rotate your block ciphers on long-running connections. Saying this isn't useful in practice implies that you must reset connections and recover at the application level instead, or risk using the same block ciphers for too long.

Re:Dissabling SSL re-negotiation?

[Jah-Wren+Ryel]

Umm, you want to rotate your block ciphers on long-running connections. Saying this isn't useful in practice implies that you must reset connections and recover at the application level instead, or risk using the same block ciphers for too long.

Exactly. I was going to say the same myself.

Re:Dissabling SSL re-negotiation?

[EelBait]

You can also use renegotiation to derive new keys after X amount of data has passed. This would be for long running connections.

Use PGP/GNUPG auth

[elucido]

Maybe its time we stop using SSL and just use GNUPG Auth. Let the user generate their own key and be responsible for their own security, or lets just use smart card readers. We make impossible to secure our machines due to our institutional insecurity. This way we can use it as an excuse to blame terrorists and get the feds involved.

Why aren't smart cards the norm? Why are we using passwords at all?

Re:Use PGP/GNUPG auth

[croftj]

SSL at least in the context of web browser is not only to secure our communication, but authenticate that the web site is the web site we really want to be at.

Re:Use PGP/GNUPG auth

[schon]

Let the user [...] be responsible for their own security

Yes, because as all of the botnets have shown, that works so well in practice.

Re:Use PGP/GNUPG auth

[Cthefuture]

Note that using a smartcard in this case would not help you. Smartcards provide a protected place to put your keys and do "private" stuff (like signing) but all the same protocols are usually used on top of that (including SSL/TLS).

I doubt GNUPG Auth is without fault itself. It's really hard to do security and crypto stuff correctly. Really, really hard as even the best mathematicians, theorists and developers in the world get caught out all the time.

Re:Use PGP/GNUPG auth

[mindstrm]

They are even more closely tied together than that.

Without authentication, encryption (in this context) does not provide any security at all.

Re:Use PGP/GNUPG auth

[the_womble]

That will not happen, because there is no money in it. Tunnelling over ssh has the same problem.

Re:Use PGP/GNUPG auth

[DragonWriter]

SSL at least in the context of web browser is not only to secure our communication, but authenticate that the web site is the web site we really want to be at.

SSL/TLS, used properly, doesn't just authenticate one end of the connection.

Of course, SSL/TLS is usually not used properly.

Re:Use PGP/GNUPG auth

[Lord+Ender]

You are clearly confused. This is about a flaw in the SSL protocol, not a flaw in X.509/PKI. The only real difference between PGP and X.509/PKI is in key management. Using PGP's extremely expensive, time-consuming, and error-prone key distribution method is the reason PGP is going extinct. Your grandma will never go to a key-signing party.

Another thing you are confused about: smart cards? What? What do they have to do with anything? Smart cards typically use X.509, not PGP. And in this case, smart cards would make things less secure than, say, passwords.

It sounds like you took a bunch of random crypto words and strung them together. Are you a bot? If you're not sure, go try some CAPTCHAs and see how you do.

Re:Use PGP/GNUPG auth

[Hurricane78]

Because you haven't understood security at all!

Smartcards still need a password, or they are no more secure than a fingerprint (cut off the finger) or a credit card (buy something immediately after stealing it).

Passwords alone of course a also not great. But at least nobody can steal a password that is stored only in your mind.

Re:Use PGP/GNUPG auth

[brantondaveperson]

...But at least nobody can steal a password that is stored only in your mind.

They can if they use the $5 wrench decryption method...

Re:Use PGP/GNUPG auth

[elucido]

When have we given the user the choice to have an operating system not vulnerable to botnets? They don't get a choice. And let's be realistic, botnets are offtopic.

Re:Use PGP/GNUPG auth

[elucido]

How would a smartcard ever be less secure than a password?

The problem is SSL. Did you do your research as to what GNUPG auth is? Sure it does not replace all the functions of SSL, but SSL if it's this broken isnt really much better. I think there should be an alternative to SSL so that SSL actually has reason to improve. If you only offer one crypto protocol and one set of options then what do you expect?

Re:Use PGP/GNUPG auth

[elucido]

Who is they? The mafia?

If they are in position to torture you, whatever secrets you have is probably not worth more than your life.

Re:Use PGP/GNUPG auth

[bratgitarre]

In TSL's RSA mode the user is actually generating the session key, and in the Diffie-Hellman modes s/he generates at least half of it.

Re:This is news? Come on!

It's news in the sense that TLS provides an authentication mechanism specifically designed against this kind of attack.

The false belief of security through obscurity.

[elucido]

If somebody is sufficiently motivated, has lots of free time, and has the knowledge, you can be sure they'd learn about this exploit before slashdot or the mainstream media. You can be sure they'd probably learn about it the moment the first researchers learn about it and sell the information, or brag about what they discovered behind closed doors. Lets get real, most people can't keep a secret and that includes the people who discover the exploits, and while it might not be on slashdot, the sort of people who would use this exploit probably don't look on slashdot to find the latest exploits.

No... the criminals can bribe or pay some masters or phd level researcher to sell them the source code in some instances or they can just listen and wait for them to brag to their friends on IRC "hey look I just discovered a bug in SSL!"

We should eliminate SSL completely, and the password based security methodology. Credit cards are no more secure using a password over SSL than they are if you use credit cards over the phone than they are if you just hand someone your credit card and hope they can't remember what they see.

Re:The false belief of security through obscurity.

[sexconker]

Uh. Password-based security is the only one that works.

Here's how security works:

Hi I'm Slashdot Bob.
Prove it.

Ah yes, the authentication piece - the secret that only you and I know. (inaudible whispering)

Ok, you're Slashdot Bob. What do you need?
I need access to Jill.

Hmmm, nope. You don't have access.
Fuck!

Hmmm, nope. You don't have access to that either.

All of our security EVER relies on maintaining a list of who has access to what, and ensuring people are who they claim to be. This can ONLY be done with secret information. A password is the closest we have to that. All physical dongles and devices can be stolen. All biometric data can be scanned and spoofed. They aren't yet able to read your mind. The fact that people forget their passwords, write them down, pass them out, or have shitty ones is their own fault.

Re:The false belief of security through obscurity.

[AnyoneEB]

No, the user may authenticate locally (that is, within a trusted system) with a password, but a password should never be sent over the internet, even encrypted (maybe hashed with a challenge, but not just encrypted). You use public key encryption or even a zero-knowledge proof. There does need to be a secret that the client uses to authenticate itself, but transmitting the secret, even encrypted, is a horrible idea for security as it completely falls apart as soon as there is even the slightly flaw in the encryption or server authentication.

Having the server know the password at all is a bad idea, too (bad things happen when the user uses the same password for multiple services), but it is a bit harder to avoid as, in general, the user needs a way to log in from any computer and having a file or dongle required is bad (one solution is to use a hash of the user-entered password and the domain as the password, which is basically what digest auth does).

Re:The false belief of security through obscurity.

[sexconker]

All forms of authentication rely on the two parties, and only the two parties, knowing a piece of information.

There is no getting around that. Public key encryption does not. Whatever wikipedia link you provide does not.

All encryption is the same. You both need to know the decryption key. Which is why SSL and TLS fail. Which is why everything ever will fail.

Man in the middle attacks will ALWAYS be viable.
It ALWAYS boils down to a key sharing problem and an initial authentication problem. You can set up your online account in person in a locked vault and it would still have the same fucking issues.

Of course it's dumb to send a password in plaintext. Anyone could be listening. Of course it's dumb to do what SSL and TLS do - anyone could be listening. Of course it's dumb to tell someone a secret in a park - anyone could be listening.

The only thing anyone will ever achieve in regards to security is greater obfuscation and hassle for potential baddies AND for the two intended parties.

Re:The false belief of security through obscurity.

[Dragonslicer]

Ah yes, the authentication piece - the secret that only you and I know. (inaudible whispering)

The secret that only the two of you know, until I get my high-sensitivity microphone into the room. Any non-trivial sharing must go through a medium that allows interception by third parties.

And of course, never underestimate the password-obtaining ability of a $5 wrench.

Re:The false belief of security through obscurity.

[sexconker]

Of course.

Re:The false belief of security through obscurity.

[AnyoneEB]

All forms of authentication rely on the two parties, and only the two parties, knowing a piece of information. There is no getting around that. Public key encryption does not. Whatever wikipedia link you provide does not.

There seems to be some confusion here on what I was claiming. At some point the server needs to know some piece of information to use to positively identify the client. If this is a password, then the server has to know that the password it gets in the first place is really the one the client wanted to set. I agree that this is a hard problem with no clear solution, although SSL/TLS seems to do a pretty good job of it.

I was also discussing the problem that the server should not be able to log into another server as the client using that information. The most well-known example is probably SSH's public key login scheme where the server knows only the public key and the client knows the private key and never needs to reveal any of the private key to the server in order to log in. Similarly, a server can know only a hash of a client's password (concatenated with a salt and possibly some other info) and the client can prove it knows the password without actually telling the password to the server (for example, by the method used in HTTP digest auth of concatenating the password hash with some challenge and then hashing it again, note that the server can login to another server that has the exact same password hash in that case, but in a properly setup system, that never happens).

Re:The false belief of security through obscurity.

[sexconker]

The issue of one server sending the credentials forward to another server (thus posing as the user) should never occur - two distinct services should have two distinct secrets.

Passing the data around in a "hash this" scenario lets you use the same secret for many services without revealing the secret to the server, sure.

But the point of an authentication system is to establish trust - if you don't trust the server you're using, you shouldn't be trusting them with your secret in the first place.

Feeding a server your hashed shit is safer than the server knowing your secret outright. But it's not as safe as having separate secrets for separate services.

Everything you hash and forward on is fodder for someone to use if they decide they want to figure out your key. There are mathematical attacks that use the public key and known-good hashes of many (and specific) strings. They bring the cracking time down from astronomical to feasible.

Wrong Impression?

[Dareth]

I had the impression that we paid money to SSL certificate providers because they provided security and identify confirmation. Maybe that was just a wrong impression.

Re:Wrong Impression?

[John+Hasler]

You pay money to certificate providers so that your customers won't be frightened away by scary browser warnings.

Re:Wrong Impression?

[The+MAZZTer]

If phishing attacks are any indication, the scary browser warnings don't work anyway.

Re:Wrong Impression?

[muckracer]

> You pay money to certificate providers so that your customers won't be
> frightened away by scary browser warnings.

Which they get anyway....and next ignore. Yippie Skippy!

While the SSL crypto part is pretty neat, I always felt the commercial CA
thing is one of the biggest money-making rip-off's in the entire IT field.
Nor do I believe it to be secure or "trust" it. We always assume MITM's to be
someone without access to the CA's themselves. Frankly, the people I worry
more about are those, that DO have access to the CA's and are thus able to
create perfectly valid certificates at a whim for any application, incl. a
chained MITM attack. SSL is, IMHO, not in any shape safe from certain
government intrusions. Ironically, likely due to the so-called "trust" model
it employs.

Re:Wrong Impression?

[John+Hasler]

The warnings work well enough to cost you more than than price of the certificate.

Re:Wrong Impression?

[amorsen]

Indeed. GPG and SSH have workable trust models. Not perfect, but workable. The model in TLS is just wrong. Anything which requires me to trust the (hopefully merely incompetent) people working for Verisign is a loss.

Re:Maybe because the "hackers" are writing the cod

[Hatta]

Never attribute to malice that which may be adequately explained by incompetence. There is of course always the possibility that someone would do this on purpose. But I still trust people who let us see the code more than those who don't.

ZRTP

[cool_arrow]

I've been reading about ZRTP http://en.wikipedia.org/wiki/ZRTP as it relates to VOIP. I was wondering if it might have some use for these types of problems.

How does this compromise SSL?

[Dan+Ost]

I read the first article (second won't load...probably hosed by the /. effect) and it's still not clear to me why this is a big deal. Can someone explain how injecting prefixes compromises my secure datastream?

Re:How does this compromise SSL?

[TheNinjaroach]

From what I understand, the MITM could "swallow" the original HTTP request from the client, inject their own URL (with parameters in the query string) into the request all while continuing to forward the client authentication cookies. Imagine prefixing an HTTP GET request for a poorly written webapp: GET bad.webapp.com/payment/send.php?account=12345&amount=1000000000.00 HTTP/1.1

Re:How does this compromise SSL?

[Burdell]

Let's say you are paying your mortgage, putting in your bank account information for a transfer. An attacker could inject additional HTML (Javascript, etc.) that sends your response to the attacker's server instead of the mortgage company's server, compromising your account info.

Or a simpler attack would be the bank's online banking login page: again, inject additional HTML to the bank's response, and now you submit your username/password to the attacker's server.

re: How does this compromise SSL?

You're right, this isn't a big deal. What they're describing is essentially a very complicated CSRF. The upshot is that you can get the user's browser to visit a URL of your choosing, but you can't see the results from that page. Sound familiar? That's because all you'd have to do is embed an IMG tag in some HTTP that the user is getting back in order to accomplish the exact same thing -- no fragile renegotiation attack required.

Thank you security industry for all the hype.

Re:How does this compromise SSL?

Actually, this isn't true. This attack only allows for injecting data into the request from the client to the server. The attacker doesn't even get to see the result, much less modify it.

Basically, the only thing the attacker gets is the ability to make the client's browser request whatever the attacker wants. You know, the kind of thing you could do with a simple injected IMG tag.

Re:How does this compromise SSL?

[savanik]

Effectively, if they're between you and your server, 'click here to own this connection.'

I just talked with the resident encryption guru here - as long as the attacker is between you and the server you're connecting to, with this bug you can inject arbitrary data in front of the target encrypted packet. Some of the data you can inject includes commands, such as, 'By the way, send the rest of this connection to this IP over here, keep the authentication details but renegotiate the encryption.' In other words, 'Keep authentication but talk to the attacker's PC instead.'

Re:How does this compromise SSL?

[radtea]

Basically, the only thing the attacker gets is the ability to make the client's browser request whatever the attacker wants.

Oh, is that all? So for example, you can serve something that looks like my bank's home page but originates on your server.

Then when I enter my user name and password your server collects them, and if you're feeling particularly clever redirects me back to my bank's real site. Now you have access to my account, and I'm none the wiser.

This is far more serious than image loading, because you can serve arbitarary web pages to me. As others here have pointed out, you could even serve my bank's authentic webpage but with some added javascript to just forward my username and password to you. Can you do that with an embedded image tag?

No, I didn't think so.

Re:How does this compromise SSL?

[WhiplashII]

Let's say you have a web service exposed to your clients that processes orders. The error allows an arbitrary amount of data to be injected into the beginning of the client request - so the "bad guy" takes your request:

      POST /OrderTheFrogs HTTP/1.0
      content-length: 20

      < xml >< orderafrog number=1/ >< address > my address < /address > < /xml >

And converts it to:

      POST /OrderTheFrogs HTTP/1.0
      content-length: 24

      < xml >< orderafrog number=100/ >< address > evil address < /address > < /xml >

      POST /OrderTheFrogs HTTP/1.0
      content-length: 20

      < xml >< orderafrog number=1/ >< address > my address < /address > < /xml >

by using this attack to insert the evil request before yours. Now 100 items are sent to the evil address, and presumably are billed to you!

Re:How does this compromise SSL?

Dude, no. This attack does not allow me to impersonate any website. It does not allow me to intercept your credentials. It does not allow me to read *anything*. All it allows me to do is make your browser request a page from a *legitimate server*, without me being able to see the response. It is functionally identical to me passing you an IMG tag for a link that your browser follows. There is literally no advantage over more sane CSRF techniques.

Re:How does this compromise SSL?

[omuls+are+tasty]

Erm, no, you're getting it wrong. What this attack means is that the attacker gets the ability to make arbitrary requests for resources on behalf of the user.

So no, it doesn't mean that the attacker can now serve you malicious web pages that will appear to be coming from your bank's web site. What it does mean is that once you go to a secure page on your bank site, the attacker can instruct the bank to transfer money from your account to his, without you ever knowing. This is kind of similar to the IMG tag attack but it's more difficult to defend against.

Re: How does this compromise SSL?

[omuls+are+tasty]

The key difference is that with IMG tag the attacker can only get the user's browser to make GET requests, whereas this attack enables POST requests as well. Any reasonably well-designed online banking application should not be exploitable via GET requests.

Also, the attack vector here is different compared to a "regular" CSRF through XSS. Which one is more practical is open to debate.

Re:How does this compromise SSL?

[phantomcircuit]

So it's really not that big of a deal for HTTPS. Attacks exactly like that already exist, they are called cross site request forgery. However this is a significant attack against other SSL wrapped protocols.

Re:How does this compromise SSL?

[CompMD]

As Admiral Kirk taught us when facing Khan, when you inject prefixes over a datastream like a comm channel to another Starfleet vessel, you can take command of their consoles and lower their shields.

Re:How does this compromise SSL?

[WhiplashII]

Well, it's slightly bigger than that. With a cross site request forgery, the cert is off. So it can be detected pretty easily. With this, the client doesn't necessarily know that it happened.

That said, there aren't that many case where this can be exploited really.

Re:How does this compromise SSL?

[Lehk228]

"prefix" contains an HTML page that looks like your bank page, and asks for your bank password, and your browser "confirms" that you really are at your bank's website.

Re:This is news? Come on!

[bluefoxlucid]

The funny part is a lot of people argue, strongly, that self-signed certs aren't any less secure than CA-signed certs.

When routing, you have a default gateway IP... no, that's wrong. You configure such a thing; but what you have is an ARP request finding the MAC of the default gateway (say 10.0.0.1 -> 00:11:22:AA:BB:CC). Not sending to the local network? Slap that MAC as the target packet; the router interface gets the packet, reads the IP, says "Hmm that's not my IP address," checks routing table, slaps a new MAC on, and transmits out the appropriate interface.

Well, if I'm at a point where I can eaves drop your packet (self-signed certs protect against eavesdropping), say on your Wifi AP, I can send a spoofed ARP response at you. Knock off your ARP table entry, replace 10.0.0.1's entry with DD:EE:FF:11:23:45 (mine). Now you'll send the packet to me; I MitM you; then I slap on 00:11:22:AA:BB:CC as the destination addr of the new packet and it routes as normal.

ALL SSL attacks are MitM attacks. An eaves drop attack is a lazy MitM that could become an active MitM if he cared. Mitigation is complex and prone to causing catastrophic breakage; in uncontrolled environments it causes breakage immediately, and in huge controlled environments (corporate LAN) it becomes impossible to reconfigure things on the fly without causing a network storm and outages-- and mistakes require manually walking to each affected machine to undo them.

Note that many people, of course, don't understand SSL. Many programmers get the implementation wrong (it supplies encryption; ignore all these weird certificate anomaly bullshits, shit's encrypted so it's fine). Users don't know what they're worrying about. Notice further that SSL is very well designed, but on like version 4? (SSL3.0 -> TLS1.0) The designers are well aware that the issue is hard to understand, and that they've not gotten it quite right yet; they are, however, intelligent, and managing a pretty fucking good job.

Re:This is news? Come on!

[ArsonSmith]

The difference here is that the client thinks it has a "verified" secure connection to the named host. Other SSL MiM attacks work by providing a fake certificate.

Re:Disabling SSLv3 in Firefox

[Derek+Pomery]

Also. Toggling these flags does not require restarting Firefox.

SSL is broken and the world has ended?

Most people don't use client authentication and there is typically little reason to ever configure a server to change ciphers or otherwise initiate renegotiation.

If the server does not initiate renegotiation the MITM attack does not apply! This is why there is such focus on client authentication because this is realistically the only real world case where renegotiation makes any logical sense. Sure you can dream up other scenarios where the server forces you to use a higher strenght cipher to access specific content but realistically this is nonsensical. Operators make a global stand WRT cipher strength at the site level.

TLS was written back in the day when we had low and ultra low export quality ciphers and more international encryption issues than exist today. All sane operators have since disabled these and all browsers that matter have reasonably high strength ciphers available to them mitigating any reason to renegotiate.

Yes it should be fixed.
No its not the end of the world.

Re:Disabling SSLv3 in Firefox

[Nursie]

Of course it is! This is terrible advice!

SSLv2 isn't widely used any more precisely because it's got systemic vulnerabilities. What's needed is a new revision of the protocol or the removal of the renegotiation feature.

goodness

[MagicM]

Phew! 2 hours later and only 51 comments. This must not be a big deal.

Y'all had me worried there...

Re:goodness

[6Yankee]

I think it's more that most of us don't understand this stuff. I know I don't, and freely admit it.

Admittedly, I've never had to touch SSL (and if I did, you can be damned sure I'd be learning it inside out), but if I'm a web developer and don't understand it, how can we expect Joe Sixpack to?

Re:goodness

[buchner.johannes]

It is a complex issue that has no simple/obvious solutions. That's why the usual blah is not occurring.

It is a huge thing because we used to design web services ala 'Slap SSL onto it, and traffic can not be modified and wiretapped' (assuming the server cert is right).
That beauty of SSL, just to add a layer that will take care of it all, is gone ... as the pdf states, even if no client certs are involved, the current protocols and all client/server software is vulnerable, and at least some of the attack scenarios are not uncommon.

all in all -> :-(

Re:Disabling SSLv3 in Firefox

[Derek+Pomery]

The systemic problems in SSLv2 seem less-bad than this flaw in SSLv3.
I will take the truncation of encrypted messages or attempt to downgrade the protocol (which as noted Firefox restricts anyway so it won't have much effect) any day over a replay attack.

The removal of the renegotiation and fixing of the protocol are excellent in medium-to-long-term.
But as a user, right now, I'm using banks that *will* have that feature.

Reverting to SSLv2 is the only viable option apart from doing all my finances in person.

I'm interested in seeing what your non-terrible advice is.

Re:Disabling SSLv3 in Firefox

[MisterSquid]

I am not a developer or security expert, but I know quite a bit about Internet services (run my own LAMP server locked as tight as I can afford on a hobbyist's budget) and I do what I can.

Firefox disabled by default ssl2. In 2006, wrote a post telling users how to reenable ssl2 in Firefox. One of my main users (and my fiance) gets lots of Firefox was running into errors. So, I disabled ssl2 in /etc/apache2/httpd.conf.

And now this.

So here is my big giant “fuck off” for the Firefox engineers and managers who collectively disabled ssl2 support to encourage server admins to shut off ssl2 support, even as I suspected all cryptography at the practical level is broken.

Yeah, I know security is a process, not a product, but if this is the case, then “encourging” admins to use one version of a protocol by disabling one is just the engineering version of “I know better than you so follow my lead.”

Re:Disabling SSLv3 in Firefox

[Derek+Pomery]

Not sure what this "most sites" is - all the banking sites I've checked so far.
(i.e. sites where SSL actually matters) worked fine w/ SSLv2 turned on and SSLv3 turned off.

So far the sites that force SSLv3 are far less crucial to me, like addons.mozilla.org.

Another one! Is the Web fundamentally insecure?

[John+Hasler]

They just keep coming. Is the Web fundamentally, unfixably, insecure?

(That's the Web, not the Net)

Re:Maybe because the "hackers" are writing the cod

[AbbeyRoad]

> "Never attribute to malice that which may be adequately explained by incompetence."

this is MY line. f765ing plagiarist

-paul

Re:This is news? Come on!

[petermgreen]

ALL SSL attacks are MitM attacks. An eaves drop attack is a lazy MitM that could become an active MitM if he cared.
Somewhat true.

One big downside of being an active MITM is it makes it much easier to get caught. If some peice of software doesn't behave in the way you expect or maybe someone manually verifies a certificate then the tampering may be reveled. Depending on how much influence they have they may then start looking for you.

Re:Disabling SSLv3 in Firefox

[Nursie]

And your certainty that SSLv2 is not vulnerable to this same problem comes from?

And have you tried watching a session with your bank? Set up an ssl-dumping proxy and see if there are any renegotiations. I'm guessing not. This only occurs where the server needs a client certificate (not your bank) or the cipher suites are going to change (not going to happen on a "normal" TLS connection.

My non-terrible advice? It's not going to affect 99% of anything anyone does unless someone figures out a way to force the renegotiation.

Client certificates only? is this important?

[Xylantiel]

The linked articles only discuss authentication via client certificates, which seems pretty rare currently. How does this vulnerability actually impact the "usual" web commerce usages of SSL, which involves a server certificate? Also it does not appear that there is any way to force a re-negotiation from outside. And while re-negotiation appears common for client certs, I would expect it to be somewhat uncommon for server certs except for the initial up-negotiation to a secure connection for TLS. How important is this for the common-use cases of e-commerce and banking?

Re:Client certificates only? is this important?

[buchner.johannes]

The linked articles only discuss authentication via client certificates

Not true. From http://extendedsubset.com/Renegotiating_TLS.pdf :

Cases not involving client certificates have been demonstrated as well.

It is a complex issue that has no simple/obvious solutions. The current protocols and almost all client/server software is vulnerable, and at least some of the attack scenarios are not uncommon.

Re:Client certificates only? is this important?

[trifish]

> and at least some of the attack scenarios are not uncommon.

That sentence is modded informative? Where is the informative part? WHICH scenarios? References?

Re:Disabling SSLv3 in Firefox

[Derek+Pomery]

I had no certainty. I was simply taking the 3.0+ in the summary at face value.
However:
http://extendedsubset.com/Renegotiating_TLS.pdf
Says:
"including SSL v3 and previous"
So, I suppose that was simply inaccurate and I should have read thoroughly.

Now on to second part of your comment. If any part of the banking website supports client certificates, for any reason, it seems a renegotiation can be trivially triggered by the attacker.

Anyway, the portion:
"Not that the picture is all rosy even when client certificates are not involved. Consider the attacker sending an HTTP request of his choosing, ending with the unterminated line "X-Swallow-This: ". That header will then swallow the real request sent by the real user, and will cause any headers from the real user (including, say, authentication cookies) to be appended to the evil request."

Is a pretty severe attack as well and I don't see any safety from that one.

Re:Disabling SSLv3 in Firefox

[Nursie]

Do you make your clients authenticate their SSL connections with a client-side certificate?

If not then you're probably just fine with SSLv3. Look out for patches to your server to be issued soon that either disable cipher renegotiation completely or make it a config option.

Re:Disabling SSLv3 in Firefox

[Derek+Pomery]

Reading up on it, it does seem to be TLS only which would suggest SSLv3+/TLS1.0+ only.

In the absence of any evidence to the contrary, SSLv2 is still the best solution, and I don't find your advice in the least bit comforting.

Re:Summary is WRONG!

[Derek+Pomery]

My actual reading of the PDF suggests this is a TLS protocol problem only.
Thus TLS1.0+ and SSLv3+

So. Unless you can tell me SSLv2 is vulnerable, using it still seems best choice.

Re:Here is a good joke

[tom17]

And what exactly is a Man In The Mirror attack?

Re:Disabling SSLv3 in Firefox

[Derek+Pomery]

According to TFA, I see no reason to believe your advice is in the least bit correct.
The injection is still bad even w/o the replay attack.

Re:Disabling SSLv3 in Firefox

[Nursie]

"Now on to second part of your comment. If any part of the banking website supports client certificates, for any reason, it seems a renegotiation can be trivially triggered by the attacker."

How?

The way I'm reading the vulnerability, the attacker can only gain access to the data stream AFTER renegotiation, so how does he trigger it? He can't insert traffic into the encrypted stream.

Re:Disabling SSLv3 in Firefox

[Nursie]

According to TFA you need a server renegotiation in order to allow this injection. FAIL.

Re:Disabling SSLv3 in Firefox

[Derek+Pomery]

Well, as I see it...

If he is in the middle, he just has to force you to access a client certificate portion of the bank's website.
He can do this by inserting a fetch for that data into some other request that you perform.
And you don't even necessarily have to be doing any unencrypted browsing at the same time, due to the 2nd portion of the attack, seems he can insert unencrypted headers which could do a redirect.

And of course if you *did* do any unencrypted browsing in another window, a JS payload could be used at that point to do the load of the client cert protect portion at his convenience.

Re:Maybe because the "hackers" are writing the cod

[Dragonslicer]

When a buffer overflow leads to privileges then you have to wonder whether the coders made an honest mistake or whether somebody paid them to sneak in a backdoor or two.

Well, I know what I'm buying you for a birthday gift: a lifetime supply of tin foil.

Re:Disabling SSLv3 in Firefox

[Derek+Pomery]

From. "TFA"
(and gosh you and mr anonymous coward enjoy using "FAIL" don't you)

====
Not that the picture is all rosy even when client certificates are not involved. Consider the attacker sending an HTTP request of his choosing, ending with the unterminated line "X-Swallow-This: ". That header will then swallow the real request sent by the real user, and will cause any headers from the real user (including, say, authentication cookies) to be appended to the evil request.
====

Bypassing Behavioral Filters

[mebrahim]

This attack might be used for bypass behavioral network filters used for blocking SSL and TLS connections.

And they do.

[SanityInAnarchy]

You're confusing a single vulnerability with a systemic problem. When this is fixed, that's what SSL certificate providers will do again.

Re:Here is a good joke

[Jim+Efaw]

And what exactly is a Man In The Mirror attack?

I don't know, but it probably involves a "special underwear" packet.

(It's worse than you think: I blew the chance to use moderator points on this post just to make that joke. See what I do for you folks?)

Educated Guesswork link with explanation

[owlstead]

I think this blog site explains best:

http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html

Re:Clever

[owlstead]

Not unencrypted, just unauthenticated. The attacker will do the initial connection in which the client is not yet authenticated. Any data send at that time should not be trusted to come from the client, including any GET requests. This is a problem when the page is in a protected domain *and* the first page is accepting information from e.g. a GET request to fill in forms and such. Then the response will be encrypted for the authenticated user only, but the attacker still could inject information to the server.

This also goes for other protocols that use the same mechanism (accepting yet unauthenticated information) and also works when key-renegotiation takes place.

There are tree ways to fix this: 1) servers should not treat the initial request information as authenticated, 2) servers should not do renegotiation and 3) fix the TLS protocol so that the initial request *can* be trusted. The last one would be the best option, but fixing a protocol takes time.

Hope that explains it.

Re:This is news? Come on!

[jonadab]

Attacks based on using the MAC (or anything else related to the data link layer) require the attacker to already be on the local network segment. An upstream middle-man attacker can't do that stuff, because routers (well, sane routers anyway) don't forward anything below the network layer.

That doesn't mean such attacks have no relevance at all. The principle of defense in depth dictates that you *do* want to defend, as much as possible, against attacks originating on the LAN. But these attacks are not as prevalent or dangerous as ones that can be perpetrated from a remote or upstream system, such as the MITM vulnerability discussed in the article.

Re:This is news? Come on!

[jonadab]

> The funny part is a lot of people argue, strongly, that
> self-signed certs aren't any less secure than CA-signed certs.

It's not significantly harder for the bad guys to get a CA-signed cert than it is for the good guys. Ipso facto, CA signing does not add any significant security. It only *seems* to do so, if you ignore the question of who can get a certificate.

What does add significant security is if the client software flashes big red glowing alarm bells if the certificate changes compared to last time. OpenSSH does this. Mail clients don't and definitely should. Web browsers don't and perhaps should (although there would need to be some provision for legitimately transitioning to a new certificate without setting off said alarms, which in order to be secure would require nontrivial design changes to the way https certs are handled on the server as well as the client).

The lesson here is that application of encryption often results in an overall system that is much weaker than you might think based on the strength of the encryption itself. When you are looking at designing a secure system, selecting strong encryption can be useful, but only if you apply it in a secure way. It is my considered opinion that the use of SSL on the web adds very little security -- not due to any inherent flaw in the design of SSL, but due to the way in which https uses it.

Re:This is news? Come on!

[bluefoxlucid]

Routers are often physically point-to-point, connected either to a network segment with exactly 1 router on it or directly to another router. Physically eaves dropping across these links is impossible.

In any other layout, you've got a router plugged into a switch. ARP spoofing can break the switch, in no greatly useful way. Still, the routers are configured (I've done this) in the same way as hosts: the next hop is a network address, which they ARP for the IP address of (unless you add a static ARP table, which can be done, but nearly nobody bothers).

Upstream attacks that aren't at either endpoint have little relevance because physical topology barely allows for them.

When has PGP failed?

[elucido]

Show me an example of a PGP failure.

What password is that?

[elucido]

What password of random characters can you actually store in your mind and how many? If anyone actually has access to your machine then all your passwords are useless. Assuming your passwords cannot be cracked is silly. The smartcard removes the need to enter a password into a machine, this prevents remote users from using a software keylogger.

Passwords are why everyone is so easy to hack today. Nobody picks a secure password because those passwords cannot be remembered, and the passwords which can be remembered can usually be cracked. Smartcards are as secure as credit cards, passwords aren't very secure because you have to type them into a computer and thats writing it down for everyone to see.

Assuming people are noble is why you got Enron.

[elucido]

Individuals who base their worldview on the assumption that the world is not a corrupt place are always shocked by financial collapses, or corrupt politicians, or corrupt cops. When are you going to figure out that people are inherently selfish, inherently corrupt, and they aren't looking out for your best interest?

Yes some are incompetent, but if there is financial incentive to be corrupt then you should consider the possibility of corruption based on the amount of incentive and not on any assumption.

We warned you about the mortgage crisis.

[elucido]

And you didn't listen, because you focused on our tin foil hats. Good luck.