Slashdot Mirror

← Back to Stories (view on slashdot.org)

Man-In-the-Middle Vulnerability For SSL and TLS

Posted by Soulskill on from the alphabet-soup dept.

imbaczek writes "The SSL 3.0+ and TLS 1.0+ protocols are vulnerable to a set of related attacks which allow a man-in-the-middle (MITM) operating at or below the TCP layer to inject a chosen plaintext prefix into the encrypted data stream, often without detection by either end of the connection. This is possible because an 'authentication gap' exists during the renegotiation process, at which the MitM may splice together disparate TLS connections in a completely standards-compliant way. This represents a serious security defect for many or all protocols which run on top of TLS, including HTTPS."

26 of 170 comments (clear)

  1. We need to invest in Quantum Physics. by jellomizer · · Score: 4, Funny

    Only with quantum physics can we actually get a secure data transfer. Or not or both.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:We need to invest in Quantum Physics. by PiSkyHi · · Score: 5, Funny

      Come on moderators, its a joke - Yes, I realise its both funny and not funny at the same time.

    2. Re:We need to invest in Quantum Physics. by L4t3r4lu5 · · Score: 3, Insightful

      Unfortunately, that's incorrect. By hearing (reading) the joke, you have observed its state. This has destroyed the alternative quantum state of the joke.

      What will really irritate quantum physicists in this instance is that, unfortunately, the joke is both funny and unfunny at the same time. The state of the joke relies upon the opinion of the observer, not any quantum juxtaposition.

      In fact, I'm not so sure this is related to quantum phy... Oh.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    3. Re:We need to invest in Quantum Physics. by mcgrew · · Score: 3, Funny

      Damn you, Quantum Physics!!

      --
      Free Martian Whores!
  2. Re:oh joy by toleraen · · Score: 2, Insightful

    If the only place the exploiters were getting their info from was Slashdot, this world would be a much more secure place, and the attacks that did make it through would have more ponies.

  3. Re:oh joy by Albanach · · Score: 4, Insightful

    Millions of potential exploiters didn't know about it, until now.

    Millions of ordinary people didn't know there was a vulnerability until now. Who knows how many bad guys knew already though?

    Knowing of a potential vulnerability allows people to alter their behaviour if they deem that an appropriate response. Systems administrators can examine setups to see if they can use other methods to secure communications and it also allows all those who have written applications to examine their code.

    I'd rather know of a vulnerability and respond, than not know while others are potentially exploiting it.

  4. Re:oh joy by think_nix · · Score: 4, Informative

    I wouldn't be so sure on that, anyone can read a mail-listing Ill quote this from Marsh Ray on the ietf mail list:

    I can confirm the severity of the TLS MITM bug. I've had a working
    exploit going since the end of August.

    Steve Dispensa and myself put together (with help of many of course) an
    industry working group to address it. I think we were successful in
    producing a preliminary fix, which vendors are in various stages of
    testing and deployment.

    We'd agreed to responsibly delay disclosure to give the industry time to
    coordinate the fix.

  5. Its a quantum man in the middle attack by Viol8 · · Score: 5, Funny

    Its the same man in all 3 places.

  6. Dissabling SSL re-negotiation? by AbbeyRoad · · Score: 4, Insightful

    Am OpenSSL patch (http://www.links.org/files/no-renegotiation-2.patch) disables SSL
    renegotiation, closing the security hole.

    But let me ask this : who would ever require SSL renegotiation in practice?

    I mean seriously -- changing the cipher in the middle of an SSL session??
      -- no mainstream scenario would ever do this.

    A question comes to mind why renegotiation was ever supported in the first place.

    The next question is what OTHER seldom-used "features" are supported by
    most SSL implementations that are just supported so that the implementation
    can claim full RFC compliance, but are never actually used by real web sites.

    My own SSL builds disable everything except RC4-*-RSA

    1. Re:Dissabling SSL re-negotiation? by dopodot · · Score: 5, Informative

      It's more than changing the cipher type, it's also negotiating up from anonymous client to verified client. The second situation occurs ALL THE TIME in web services that require different levels of trust for different content within the same site. So it's not a "seldom-used" feature in the least.

    2. Re:Dissabling SSL re-negotiation? by John+Hasler · · Score: 2, Insightful

      > The second situation occurs ALL THE TIME in web services that require
      > different levels of trust for different content within the same site.

      Don't do that.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:Dissabling SSL re-negotiation? by Anonymous Coward · · Score: 5, Informative

      "But let me ask this : who would ever require SSL renegotiation in practice?"

      from,

      http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html

      SSL renegotiation is useful in the following situations, once you have established an ordinary SSL session:

              * When you require client authentication
              * When you are using a different set of encryption and decryption keys
              * When you are using a different set of encryption and hashing algorithms

      The last two are kind of useless in practice. The first one is very useful to authenticate the client. Actually, if this is the only way to verify client cert, then SSL renegotiation is vital part of SSL.

    4. Re:Dissabling SSL re-negotiation? by Anonymous Coward · · Score: 2, Informative

      Umm, you want to rotate your block ciphers on long-running connections. Saying this isn't useful in practice implies that you must reset connections and recover at the application level instead, or risk using the same block ciphers for too long.

  7. Wrong Impression? by Dareth · · Score: 2, Insightful

    I had the impression that we paid money to SSL certificate providers because they provided security and identify confirmation. Maybe that was just a wrong impression.

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
    1. Re:Wrong Impression? by John+Hasler · · Score: 5, Insightful

      You pay money to certificate providers so that your customers won't be frightened away by scary browser warnings.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Wrong Impression? by muckracer · · Score: 2, Insightful

      > You pay money to certificate providers so that your customers won't be
      > frightened away by scary browser warnings.

      Which they get anyway....and next ignore. Yippie Skippy!

      While the SSL crypto part is pretty neat, I always felt the commercial CA
      thing is one of the biggest money-making rip-off's in the entire IT field.
      Nor do I believe it to be secure or "trust" it. We always assume MITM's to be
      someone without access to the CA's themselves. Frankly, the people I worry
      more about are those, that DO have access to the CA's and are thus able to
      create perfectly valid certificates at a whim for any application, incl. a
      chained MITM attack. SSL is, IMHO, not in any shape safe from certain
      government intrusions. Ironically, likely due to the so-called "trust" model
      it employs.

  8. Re:Maybe because the "hackers" are writing the cod by Hatta · · Score: 3, Informative

    Never attribute to malice that which may be adequately explained by incompetence. There is of course always the possibility that someone would do this on purpose. But I still trust people who let us see the code more than those who don't.

    --
    Give me Classic Slashdot or give me death!
  9. re: How does this compromise SSL? by Anonymous Coward · · Score: 2, Informative

    You're right, this isn't a big deal. What they're describing is essentially a very complicated CSRF. The upshot is that you can get the user's browser to visit a URL of your choosing, but you can't see the results from that page. Sound familiar? That's because all you'd have to do is embed an IMG tag in some HTTP that the user is getting back in order to accomplish the exact same thing -- no fragile renegotiation attack required.

    Thank you security industry for all the hype.

  10. Re:How does this compromise SSL? by Anonymous Coward · · Score: 3, Interesting

    Actually, this isn't true. This attack only allows for injecting data into the request from the client to the server. The attacker doesn't even get to see the result, much less modify it.

    Basically, the only thing the attacker gets is the ability to make the client's browser request whatever the attacker wants. You know, the kind of thing you could do with a simple injected IMG tag.

  11. Re:Disabling SSLv3 in Firefox by Nursie · · Score: 4, Insightful

    Of course it is! This is terrible advice!

    SSLv2 isn't widely used any more precisely because it's got systemic vulnerabilities. What's needed is a new revision of the protocol or the removal of the renegotiation feature.

  12. Re:How does this compromise SSL? by radtea · · Score: 2, Informative

    Basically, the only thing the attacker gets is the ability to make the client's browser request whatever the attacker wants.

    Oh, is that all? So for example, you can serve something that looks like my bank's home page but originates on your server.

    Then when I enter my user name and password your server collects them, and if you're feeling particularly clever redirects me back to my bank's real site. Now you have access to my account, and I'm none the wiser.

    This is far more serious than image loading, because you can serve arbitarary web pages to me. As others here have pointed out, you could even serve my bank's authentic webpage but with some added javascript to just forward my username and password to you. Can you do that with an embedded image tag?

    No, I didn't think so.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  13. Re:How does this compromise SSL? by WhiplashII · · Score: 2, Informative

    Let's say you have a web service exposed to your clients that processes orders. The error allows an arbitrary amount of data to be injected into the beginning of the client request - so the "bad guy" takes your request:

          POST /OrderTheFrogs HTTP/1.0
          content-length: 20

          < xml >< orderafrog number=1/ >< address > my address < /address > < /xml >

    And converts it to:

          POST /OrderTheFrogs HTTP/1.0
          content-length: 24

          < xml >< orderafrog number=100/ >< address > evil address < /address > < /xml >

          POST /OrderTheFrogs HTTP/1.0
          content-length: 20

          < xml >< orderafrog number=1/ >< address > my address < /address > < /xml >

    by using this attack to insert the evil request before yours. Now 100 items are sent to the evil address, and presumably are billed to you!

    --
    while (sig==sig) sig=!sig;
  14. Re:Use PGP/GNUPG auth by schon · · Score: 4, Insightful

    Let the user [...] be responsible for their own security

    Yes, because as all of the botnets have shown, that works so well in practice.

  15. Client certificates only? is this important? by Xylantiel · · Score: 4, Interesting

    The linked articles only discuss authentication via client certificates, which seems pretty rare currently. How does this vulnerability actually impact the "usual" web commerce usages of SSL, which involves a server certificate? Also it does not appear that there is any way to force a re-negotiation from outside. And while re-negotiation appears common for client certs, I would expect it to be somewhat uncommon for server certs except for the initial up-negotiation to a secure connection for TLS. How important is this for the common-use cases of e-commerce and banking?

    1. Re:Client certificates only? is this important? by buchner.johannes · · Score: 2, Informative

      The linked articles only discuss authentication via client certificates

      Not true. From http://extendedsubset.com/Renegotiating_TLS.pdf :

      Cases not involving client certificates have been demonstrated as well.

      It is a complex issue that has no simple/obvious solutions. The current protocols and almost all client/server software is vulnerable, and at least some of the attack scenarios are not uncommon.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  16. Re:How does this compromise SSL? by omuls+are+tasty · · Score: 2, Informative

    Erm, no, you're getting it wrong. What this attack means is that the attacker gets the ability to make arbitrary requests for resources on behalf of the user.

    So no, it doesn't mean that the attacker can now serve you malicious web pages that will appear to be coming from your bank's web site. What it does mean is that once you go to a secure page on your bank site, the attacker can instruct the bank to transfer money from your account to his, without you ever knowing. This is kind of similar to the IMG tag attack but it's more difficult to defend against.