Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Break Browser SSL/TLS Encryption

Posted by Unknown on from the only-thoughtcriminals-use-encryption dept.

First time accepted submitter CaVp writes with an article in The Register about an exploit that appears to affect all browsers and can decrypt an active TLS session. From the article: "Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser." A full disclosure is scheduled for Friday September 23rd at the Ekoparty conference. Note that this only affects SSL 2.0 and TLS 1.0; unfortunately, most web servers are misconfigured to still accept SSL 2.0, and TLS 1.1 and 1.2 have seen limited deployment. The practicality of the attack remains to be determined (for one, it isn't very fast — but if the intent is just to decrypt the data for later use, that isn't an impediment).

24 of 110 comments (clear)

  1. Javascript by Hatta · · Score: 3, Informative

    From the looks of it, they use javascript on the target computer to capture some plain text which helps them break the keys. So as a temporary measure, disable javascript until browser makers catch up.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Javascript by MightyMartian · · Score: 3, Informative

      Yeah, and see how many websites built in the last eight or nine years work without Javascript... Hell, for real security, go back to using Gopher!

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Javascript by Hatta · · Score: 4, Insightful

      For one, /. works a lot better with javascript disabled.

      --
      Give me Classic Slashdot or give me death!
    3. Re:Javascript by chrb · · Score: 5, Informative

      They can. Not only is Javascript injection possible, it has already been done by at least one malicious government: "Malicious code injected into Tunisian versions of Facebook, Gmail, and Yahoo! stole login credentials of users critical of the North African nation's authoritarian government, according to security experts and news reports."

    4. Re:Javascript by vlm · · Score: 3, Insightful

      Yeah, and see how many websites built in the last eight or nine years work without Javascript... Hell, for real security, go back to using Gopher!

      A good first order approximation is any website that is even vaguely attempting to be ADA compliant probably works fine without javascript.

      Run with "noscript" for awhile, maybe a couple years, and you'll come to agree.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    5. Re:Javascript by framed · · Score: 2

      MiTM doesn't work against https unless the users are accepting bad certs already. If the page you're looking at was sent over https, its not alterable to include malicious javascript en-route. Someone on the network doesn't have your key, and so they can't spoof a request to take advantage of persistent https connections. XSS is dependent on your users looking at each others data and you not filtering it well. So unless your server or client are already owned (at which point this doesn't matter), or your users are randomly accepting bad certs (at which point it still doesn't matter), the only vector is a pre-existing unpatched XSS vulnerability on one of the servers https pages. (right?)

    6. Re:Javascript by Reece400 · · Score: 2

      A lot of banks use services such as Advanced web analytics, which include bits of javascript from advanced-web-analytics.com inside their secure pages. I'm not sure how secure their servers are, but I for one have blocked their server on our proxy.

    7. Re:Javascript by increment1 · · Score: 3, Insightful

      I think the idea is to inject the Javascript before the connection goes SSL. So maybe something like:

      1. You go visit www.gmail.com
      2. They intercept and return an http version of the page to you with the javascript injected
      3. The Javascript opens up an https connection with gmail.com, establishing the IV over a persistent connection.
      4. The Javascript redirects to the https page, so you don't notice the lack of https.
      5. You log in to the https page as normal, using the browsers already established https connection which they can apparently decrypt.

      If not for step 4, this attack would be little different than just intercepting and returning a non-https page and hoping that you didn't notice the difference. Depending on how long your browser keeps a persistent https connection open, I wonder if it is possible to have the javascript on an independent page, making the https requests to the target site to establish the connection before you even go to the target site.

    8. Re:Javascript by dissy · · Score: 4, Insightful

      Yeah, and see how many websites built in the last eight or nine years work without Javascript... Hell, for real security, go back to using Gopher!

      As a happy noscript user I was about to reply similarly to VLM below...

      But instead it prompted me to check how many entries are in my noscript whitelist after using the same firefox profile for a bit over 3 years, and there are only 275 entries, of which 80 are various internal IPs for work related webapps and testing/development (Which I really need to clean out)

      I don't think it's too bad of a sign that in 3 years only 200 websites I've visited were 'broken' without javascript! I was actually expecting a much higher number.

      Even with that 200, or lets include the internal webapp sites at work and say 300, with the number of websites I've visited over the past three years it has to be in the high four digits. That is a pretty awesome ratio!

      Most websites really do not break enough to matter when rolling without javascript. Even in mitigating this type of attack, I would rather white list the few sites that need it than leave javascript blanket open to every website out there.

      Of course this solution isn't 100% perfect (It's "only" mostly perfect), so it will no doubt get poopoo'ed here on slashdot for not being over 100% perfect in every way

    9. Re:Javascript by MachDelta · · Score: 4, Funny

      No way man, this place is so much better with ja

      Working...

      v

      Working...

      ascr

      Working...

      ip

      Working...

      *Ctrl+W*

      Working...

      *Ctrl+WWWWWWWW*

      Working...

      *Alt+F4*

    10. Re:Javascript by grim4593 · · Score: 2

      Usually I just temporarily allow sites so they don't end up in my white list. Many sites are broken without JS.

  2. Not very fast? by chrb · · Score: 5, Interesting

    The attack can apparently be completed in about 5 minutes. That is plenty of time for attacking the average online banking session, never mind gmail and other sites that people log in to for hours at a time.

    The attack appears to use javascript to push known plaintext over HTTPS to the web site before the actual login request is sent, so that the login credentials are transferred as part of a persistent SSL connection which now has a known IV. If this is correct, then the attack could be avoided by disabling persistent HTTPS connections in the browser. There is a performance cost to this, but I think most people would prefer to feel secure, and wouldn't really notice the extra costs of opening and closing individual HTTPS sessions for each browser request. Proxies might break that though.

  3. Ah ha! by Howard+Beale · · Score: 4, Funny

    Now we know what that 30,000 node EC2 cluster was for...

  4. Webserver deployment flexibility by archen · · Score: 2

    unfortunately most web servers are misconfigured to still accept SSL 2.0, and TLS 1.1 and 1.2 have seen limited deployment.

    Uh, I'm pretty sure the web server is required to have enough flexibility for people to view the content. If the user demands security, that should to be negotiated by the client trying to use the most secure option possible. Saying a server is "misconfigured" might be nice for someone living in a bubble where everything is up to date and users have a clue, but in the real world servers don't have this option.

    1. Re:Webserver deployment flexibility by izomiac · · Score: 3, Insightful

      Fall back to regular HTTP then. There's no point in insecure HTTPS. Security is the "S" in these protocols and the sole reason for their existence. Someone who opts to use them has explicitly requested security, not compatibility, as most sites lack any form of SSL.

      For most bugs, you're right. Convenience trumps most other things in software. Security is not one of them. Your users are trusting you to keep them safe. An insecure browsing session will eventually (quickly?) lead to money being stolen or civil rights activists being killed, that's why anyone puts up with the inconvenience of security in the first place.

  5. Re:Should we disable TLS 1.0 in browsers? by chrb · · Score: 3, Informative

    The ramification is that you won't be able to use HTTPS on the vast majority of web sites. According to the Register, of 1 million web servers sampled: 604,242 supported TLS v1.0, 838 supported TLS v1.1, and 11 supported TLS v1.2.

  6. Re:Should we disable TLS 1.0 in browsers? by Necroman · · Score: 3, Informative

    Stolen from the thread on this on reddit:

    That's actually exactly how it's supposed to work. See Appendix E of the TLS 1.2 RFC. The client sends its highest-supported version in its first message, and the server replies with the highest-supported version that is less than or equal to the version the client sent.

    Unfortunately, some older (mostly third-party) servers break entirely if they receive something that they don't recognize. As such, TLS 1.1/1.2 is often disabled by default for compatibility reasons, even if it is supported.

    NSS (Mozilla/Firefox) and OpenSSL (used in Apache's mod_ssl) also only support up to TLS 1.0 in their stable versions, as there hasn't really been a compelling reason for them to add TLS 1.1/1.2 support until now.

    --
    Its not what it is, its something else.
  7. Re:Isn't SSL 3.0 affected as well? by yuhong · · Score: 2

    Yea, to the Slashdot editors:
     

    Note that this only affects SSL 3.0 and TLS 1.0

  8. Re:OpenVPN, Tor, others by GameboyRMH · · Score: 3, Insightful

    Not really. This attack makes the encryption easier to brute-force later on by first passing known data over it. It's like if an attacker could force a known file onto your encrypted disk and know its exact location on the disk, that would then make it easier to brute-force the key.

    So yeah it shows that there are some weaknesses in the algorithm, but if another party can inject known data into your SSH/Tor/OpenVPN session you have much bigger problems anyway.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  9. Re:Should we disable TLS 1.0 in browsers? by Calos · · Score: 2

    Sure they do: Options -> Under the Hood. There's a checkbox for SSL 3.0, and one for TLS 1.0. So, similar to what the poster above you said, it looks like they don't expose TLS 1.1/1.2 in releases yet.

    --
    I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
  10. ADA... by KingAlanI · · Score: 2

    Americans With Disabilities Act, not American Dental Association

    Reminds me of a web-design instructor in highschool who was real big on trying to make one's sites disabled-accessible. For instance, make the site decipherable and navigable by screen readers for the blind

    http://www.w3.org/TR/1999/WAI-WEBCONTENT-19990505/
    http://www.w3.org/WAI/

    That it's related to backwards compatibility has to do with vlm's point AFAIK.

    --
    I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
  11. Speculation on the attack by dachshund · · Score: 2

    Here's my description/speculation about how it works. Apologies for the blog whoring, I can't type it all up again:

    http://practicalcrypto.blogspot.com/2011/09/brief-diversion-beast-attack-on-tlsssl.html

  12. Re:Did anyone read the story? by neonsignal · · Score: 2

    It's "man-in-the-middle" because it requires a javascript injection. That might be possible through vulnerabilities in particular websites (eg embedded ads with javascript, or a crafted link, etc). It could also be injected by an ISP.

  13. SSH Tunneling by dendrope · · Score: 3, Informative

    If you have a computer at home running on a secured network, then SSH tunneling traffic while you're elsewhere should avert the problem.