SSL Renegotiation Attack Becomes Real
rastos1 and several other readers noted that the SSL vulnerability we discussed a couple of weeks back, which some researchers had claimed was too theoretical to worry about, has now been demonstrated by exploit. The attack description is available on securegoose.org. "A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the SSL protocol. The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website."
Or 'Goodness, old boy, that's dashed inconvenient!' for us Brits. So two phrases. Gosh.
It's nice to have a Sandbox for testing the latest and greatest hacks and security protocols, where no one cares about the user and/or what information they've posted on the site.
Important part of the article:
The only reason it was exploitable was because of Twitter's API. Understandably, I'm not too worried about the rest of the Internet going down in flames any time soon.
A good source of info about what this attack is and how serious it is can be found at
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
Well, I suppose it's my own fault for trusting The Register. After reading the first article, I got curious and went on to check out the technical details of the exploit. What The Register phrases as "it's Twitter's API's fault" is actually "holy fuck you can POST the whole HTTP message to arbitrary locations (hosted on the same server, anyway)", which is a tad bit worse. While the Internet still isn't going to go down in flames, this does open up potential for some sites to get some nasty burns, and in a way they almost surely won't already be protected against, even if the developers aren't idiots.
You could actually read the rest of the article, in which it indicates that this is not merely a CSRF-equivalent attack (as it was originally taken to be), as opposed to just reposting an out-of-context snippet chosen to make the editors look bad.
Apparently just a specific subset, though it would probably be easy to find other websites with vulnerabilities similar to Twitter's. Basically, although he couldn't directly read the encrypted user name and password passed between Twitter servers and clients, he was able to exploit functionality in Twitter's public API to log the data from the request to a location he could access, including the stuff that had been encrypted in transit.
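The following is an added illustration, not part of any comment in this thread: a Python model of what the server's HTTP layer receives in the scenario described above, and of how refusing renegotiation (the interim mitigation servers adopted) prevents the two parts from being joined. The class, the `/store` endpoint and the sample bytes are constructed assumptions; no TLS or network I/O is involved.

```python
# Constructed model of what a server's HTTP layer receives; no TLS or network I/O.

class ServerConnection:
    """One TCP connection as the HTTP layer behind the TLS stack sees it."""

    def __init__(self, allow_renegotiation):
        self.allow_renegotiation = allow_renegotiation
        self.buffer = b""      # decrypted application bytes, in arrival order
        self.closed = False

    def app_data(self, data):
        if not self.closed:
            self.buffer += data

    def renegotiate(self):
        # A renegotiation swaps keys but, in the vulnerable design, leaves the
        # buffered bytes in place: the HTTP layer never learns that the peer
        # before and after the handshake may not be the same party.
        if not self.allow_renegotiation:
            self.closed = True
            self.buffer = b""
        return not self.closed

    def request(self):
        """Return (path, body) of the first request, or None if nothing usable."""
        head, sep, body = self.buffer.partition(b"\r\n\r\n")
        if self.closed or not sep:
            return None
        path = head.split(b"\r\n")[0].split(b" ")[1]
        return path, body


# Constructed sample traffic. /store stands for any endpoint that saves its body.
PREFIX = (b"POST /store HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 200\r\n\r\nnote=")
VICTIM = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
          b"Authorization: Basic Q09OU1RSVUNURUQ=\r\n\r\n")


def replay(allow_renegotiation):
    conn = ServerConnection(allow_renegotiation)
    conn.app_data(PREFIX)       # received in the first session
    conn.renegotiate()          # the client's handshake, seen as a renegotiation
    conn.app_data(VICTIM)       # received in the second session
    return conn.request()


if __name__ == "__main__":
    print(replay(True))
    print(replay(False))
```

With renegotiation allowed, the model parses a single request to `/store` whose body contains the second session's headers; with it refused, the connection ends and nothing is parsed.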
It should be illegal to say that freedom of speech should be limited.
Obviously such attacks are possible because of the application security; renegotiation just makes it easier. BTW, here is a tool to check if your server is vulnerable to renegotiation attacks: https://www.ssllabs.com/ssldb/
BTW, clients (e.g. browsers) are pretty safe - there is NO need to panic!!
You are forgiven for the error. Anyone using a letter that could be mistaken for a number in any software version string should be cockpunched with brass knuckles coated in broken glass and lemon juice.
People ought to stop blaming "The Web" as being inherently insecure. As much as you drill down into it, when party1 communicates with party2 and party1 isn't intimately familiar with party2's identity then transactions of information will always be prone to being exploited. This goes for human interaction (face to face) as well as human-to-computer interaction.
Frankly, I'd rather have an insecure internet than have an internet where everyone's identity was fully exposed and documented.