Slashdot Mirror

← Back to Stories (view on slashdot.org)

SSL/TLS Vulnerability Widely Unpatched

Posted by Soulskill on from the never-put-off-until-tomorrow-what-you-can-forget-entirely dept.

kaiengert writes "In November 2009 a Man-In-the-Middle vulnerability for SSL/TLS/https was made public (CVE-2009-3555), and shortly afterwards demonstrated to be exploitable. In February 2010 researchers published RFC 5746, which described how servers and clients can be made immune. Software that implements the TLS protocol enhancements became available shortly afterwards. Most modern web browsers are patched, but the solution requires that both browser developers and website operators take action. Unfortunately, 16 months later, many major websites, including several ones that deal with real world transactions of goods and money, still haven't upgraded their systems. Even worse, for a big portion of those sites it can be shown that their operators failed to apply the essential configuration hotfix. Here is an exemplary list of patched and unpatched sites, along with more background information. The patched sites demonstrate that patching is indeed possible."

9 of 103 comments (clear)

  1. Not as surprising as it should be by Tarlus · · Score: 4, Insightful

    Unfortunately, 16 months later, many major websites, including several ones that deal with real world transactions of goods and money, still haven't upgraded their systems. Even worse, for a big portion of those sites it can be shown that their operators failed to apply the essential configuration hotfix.

    Lately we've also been finding out that many major websites are storing passwords as plain text and are untested against SQL injection. So it's unsurprising that they're also unpatched.

    Web servers need to be actively watched, maintained and scanned for vulnerabilities. Just because it's a LAMP server doesn't mean it's rock-solid. The fire-and-forget philosophy does not apply.

    --
    /* No Comment */
    1. Re:Not as surprising as it should be by Anonymous Coward · · Score: 4, Funny

      You can't patch a stupid divaloper.

      Diva-loper:
      1. (n) A portmanteau of diva and interloper. It describes a software developer (or programmer) who believes themselves to be excellent at their craft, while an independent review of their developed code will demonstrate that the person has no business touching a computer.
      2. (n) A singer (diva) who gets married in Vegas (elopes).

    2. Re:Not as surprising as it should be by Anonymous Coward · · Score: 3, Insightful

      Well that depends. Some orgs the developers show up build the system then it is up to operations to keep it going. Or contract it out. Or some 3rd party 'handles it'. Some are afraid to change anything. Others have stacks of legal hurdles to jump thru. Others have SLA's they have to keep up with...

      A developer who saw it would say 'yeah just fix and reboot'. But the IT org would say uh we have about 2 mins downtime per year it will happen in six months.

    3. Re:Not as surprising as it should be by morcego · · Score: 3, Insightful

      Besides the obvious "stupid divaloper" joke, and I will refrain from making, I agree the problem is much bigger.

      It is what I call the "Windows Mentality". "So simple anyone can do it" is another way of stating it.

      Companies (Microsoft is a leader on this) sell their software as something extremely simple, that anyone can install, run and maintain. And, for someone who doesn't understand it (a good number of managers, CEOs and director), it actually looks that simple. Well, guess again ? It is not. I'm sorry, but your 17 years old intern (hourly rate = 1 candle bar) can't install and maintain a good server. You need to have someone who actually knows what he is doing, has the experience and the knowledge to do it well. Oh ? Too expensive, is it ? Really ? I suppose you take your Porche to be serviced buy that tatooed guy at the gas station too ?

      Nope, sorry. There are no simple server. Windows, Linux (LAMP or otherwise). They all require skilled admins, skilled coders and skilled designers. And those cost money. They require regular and constant maintenance. In other words: money.

      That is the real problem. Most companies are just cheap.

      --
      morcego
  2. Re:Self test? by Mysteray · · Score: 5, Informative

    I like Qualys' SSL Labs

  3. Re:Self test? by caljorden · · Score: 4, Informative

    I spent a few minutes looking for the same thing, and found that Firefox includes a check. If you visit an HTTPS site that is not secure, you will get a message in the Error Console under Messages saying something like this:

    site.example.com : server does not support RFC 5746, see CVE-2009-3555

    For more information, see https://wiki.mozilla.org/Security:Renegotiation

  4. Windows Server MS10-049 & KB980436 by Anonymous Coward · · Score: 4, Informative

    After reading this article I ran a quick audit on all of our server farms and noticed that KB980436 was dutifully installed Sept 2010...however, upon closer scrutiny I noticed that this Security Patch from Microsoft doesn't prevent this vulnerability by default (but rather keeps it in "Compatibility Mode" by default). Windows SysAdmins need to take care to read MS10-049 and add the appropriate RegKeys to enforce "Strict Mode" to keep their servers from being vulnerable to this exploit. FYI, downloading and installing KB980436 is not enough.

  5. Re:Unexploitable vuln? by Calos · · Score: 3, Interesting

    Interesting question. I guess you could argue that a theoretical shortcoming isn't a vulnerability if there's no practical exploit.

    But that ignores the temporal part of it. It is only not a vulnerability, because it's not practically exploitable right now. Things change, technology changes, new avenues for attacking the shortcoming open up.

    It's like the recent proven exploit we saw a few days ago on a quantum message transfer. The method had been theorized, but never been shown. Now that it's been shown, it can be taken more seriously.

    --
    I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
  6. Re:A warning against banner-grabbing vuln scans by dgatwood · · Score: 3, Interesting

    According to the page in question, the test methodology is:

    1. Connect with RFC 5746. Upon success, mark as "Good".

    2. If the connection fails, the site is not patched. Send a request "HEAD / HTTP/1.1" without using RFC 5746, and save the response for later comparison.

    3. Run the actual test. This basically does the following:

    • Connect.
    • Send part of the request.
    • Renegotiate.
    • Send the rest of the request
    • Check to see if the status code matches the status code from step 2.

    If a site has been updated with a partial hotfix, it should either disconnect or sent an HTTP status code in the 400s. These sites are flagged as "Uncertain" because the server might initiate a renegotiation. If the site sends data after the second handshake and the response code is the same as the response code from step #2, it is marked as BAD.

    Discuss.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.