SSL Holes Found In Critical Non-Browser Software

Gunkerty Jeb writes "The death knell for SSL is getting louder. Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages. Serious security vulnerabilities were found in programs such as Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man in the middle attack."

This again?

News Flash: People bypass inconvenient security features. Security reduced as a result.

How does this at all lead to a "death knell" for SSL?

Death knell? Really?

[JDG1980]

The death knell for SSL is getting louder

What does this mean? Just that vendors should be using the newer versions of SSL that were rebranded TLS? Or is there another, competing technology that is recommended instead?

Re:Death knell? Really?

It means that both Gunkerty Jeb and Timothy didn't read TFA and are both fucking stupid.

Summary: libraries allow you to selectively ignore part or all of the certificate chain verification, including OpenSSL, which is exactly what your fucking browser asks you to do when you visit a site with a self-signed or expired cert. TFA argues that this is the wrong behavior. TFA also doesn't understand that sometimes you don't care that much about MITM, just that the traffic is encrypted to make the current session opaque.

TFA also doesn't understand what the layers of security are around Amazon's EC2 toolkit, either.

Re:Death knell? Really?

It means that this "post" is really clickbait. And now we know why no one RTFA.

Re:Death knell? Really?

[wmbetts]

Yes, it is and it's bs that libcurl got caught in the middle. By default libcurl is secure.

Re:Death knell? Really?

TFA also doesn't understand that sometimes you don't care that much about MITM, just that the traffic is encrypted to make the current session opaque.

Your session is not going to be very opaque if there's a man in the middle listening in.

Re:Death knell? Really?

[dkf]

TFA also doesn't understand that sometimes you don't care that much about MITM, just that the traffic is encrypted to make the current session opaque.

That allows you to have a wonderfully secure conversation with whoever is snooping. Great step forward there!

It's important that clients verify the identity of the servers to which they connect, but they can do so in many ways. Public HTTPS does it in a particular pattern, but a self-signed certificate also works (provided you've distributed the server's public key to clients in a trusted way first). The problem with self-signed on the public HTTPS web is that there's too many sites for it to be at all practical for you to acquire all their self-signed public certificates before connecting to any of them; that advantage (of the CA system) ceases to be very relevant on a closed system such as an intranet, though larger intranets can go for things like a private CA.

Expired certificates or non-matching host certificates are a demonstration of poor deployment.

Protocol

[Synerg1y]

How is the wrong implementation of a protocol in a framework library a fault of the protocol?

Either devs need to be aware that there's extra steps in validating using an SSL library in their framework of choice, or the framework needs to be patched appropriately, but based on the concepts the article's provided, sounds like bad implementation aka crap code, and not enough QC. Some OOP would help make the implementation easier though...

This is not an SSL problem

[gweihir]

This is a problem of bad APIs and people not competent to select libraries with better ones. The same would happen with any other encryption protocol. Implementing and using cryptography is hard, in particular because testing will usually not show anything is wrong and testing is still the only thing most software "developers" have in their bag of tools to ensure correctness. As long as people without a clue decide they can implement cryptographic libraries or use them, these things will continue to happen.

Re:This is not an SSL problem

[Dast]

This is a problem of bad APIs and people not competent to select libraries with better ones.

While that might sound true, I think the problem is deeper than that. The issue in a lot of cases is developers having to deal with non-ideal SSL/TLS setups that they have no control over.

It usually goes like this:

Dev monkey gets told by PHB, we need to make our communications secure, so implement SSL. Dev monkey adds SSL support to the app. Code seems to work. Testing (or even worse, someone in Production) comes back and says: dev monkey's SSL code doesn't work with our Customer XYZ's server. Dev monkey tests things himself and finds that Customer XYZ is using a self signed cert or an expired cert. Dev monkey tells PHB that Customer XYZ needs to fix their setup. PHB tells dev monkey that the setup cannot be changed because of ABC and that dev monkey needs to "code around the issue". Dev monkey updates app to not choke on bad certs. Code gets released, and Customer XYZ's remote worker gets p0wned by a man in the middle attack. Customer XYZ blames PHB, PHB blames dev monkey. Dev monkey sighs and gets another mountain dew.

Re:Man in the middle?

[Bill,+Shooter+of+Bul]

As long as you are using a legit SSL cert ( avalible for less than $10 anually) with decent cipher strength ( again, avalible for less than $10 anually), man in the middle should be impossible with TLS/SSL and the proper use of it by the client ( don't connect and send sensitive data, if the ssl cert isn't valid or the signer isn't trusted).

libcurl is not insecure

[wmbetts]

The compliant about libcurl is baseless. It's said VERY CLEAR in the documentation how to use the feature. If stupid devs can't figure it out that's hardly the fault of a library developer. I've never had an issue with it and I've used it in C, C++, and PHP.

To repeat what I said on the mailing list. If I break my thumb with a hammer do blame the hammer or do I blame myself?

As Yehezkel Horowitz pointed out on the mailing list.

This is the quote from the FAQ
>Q: How do I use cURL securely?
>A: CURLOPT_SSL_VERIFYPEER must be set to TRUE, CURLOPT_SSL_VERIFYHOST must be left to its default value or set to 2. Anything >else, such as setting CURLOPT_SSL_VERIFYHOST to TRUE, will result in the SSL connection being insecure against a man-in-the-middle attacker.

The real answer should be - cURL defaults are secure - no need for any code to use it securely.
==================
In general I think the very short answer for this publication should be RTFM.

The little bit longer answer would be -
1. cURL is a C code library - you can't set a value to TRUE since this is not in the language syntax.
So you has somewhere in your includes something like "#define TRUE 1" - you must be aware to this issue - this is an important part of the relations between computers/compilers/programmers.

2. Before setting any option to cURL - you should read the very clear documentation about this option.
==================
As to what we can do to make cURL even better (in order to protect unprofessional users that don't know what they are doing), We could make '1' to act as '2' (verify peer identity), and add a special magic value (i.e. 27934) that will act as todays '1' (check for CN existence but don't verify it).

I think they owe everyone at libcurl an apology.

Re:libcurl is not insecure

This is the quote from the FAQ
>Q: How do I use cURL securely?
>A: CURLOPT_SSL_VERIFYPEER must be set to TRUE, CURLOPT_SSL_VERIFYHOST must be left to its default value or set to 2. Anything >else, such as setting CURLOPT_SSL_VERIFYHOST to TRUE, will result in the SSL connection being insecure against a man-in-the-middle attacker.

1. cURL is a C code library - you can't set a value to TRUE since this is not in the language syntax.
So you has somewhere in your includes something like "#define TRUE 1" - you must be aware to this issue - this is an important part of the relations between computers/compilers/programmers.

It is good that the default is secure, but this is bad API design. There are at least two ways it can be improved:

1) The name "CURLOPT_SSL_VERIFYHOST" implies a boolean value, so "set(CURLOPT_SSL_VERIFYHOST, TRUE)" looks like reasonable code after a quick glance. Since the option is a multiple choice option, not a boolean, it should be named something like "CURLOPT_SSL_VERIFYHOST_MODE".

2) C has had enums since forever. The values "1" and "2" are opaque magic numbers, and flags that are this important should be set with well-named enums, not with magic numbers. Further, if the API setter function was typed with the appropriate enums, the compiler would have complained when it saw "set(CURLOPT_SSL_VERIFYHOST, TRUE)".

Yes, the application devs used libcurl incorrectly, and yes, the above criticisms are nitpicks, but a library this important should be designed very defensively to minimize the change that users will make dumb mistakes.

Re:Man in the middle?

[pthisis]

You're better off running your own CA and distributing that CA's public key to your internal apps. Then you can ignore outside CAs but still avoid MITM attacks.

Re:Man in the middle?

[dgatwood]

The current versions of SSL/TLS are never vulnerable to man-in-the-middle attacks unless a trusted certificate authority is compromised (as long as both client and server implement RFC 5746). Whether the certificate authorities are trustworthy is another question, of course.

This particular problem is caused by folks disabling the SSL stack's built-in chain validation and then not implementing their own. As far as I know, there are exactly two correct ways to support self-signed keys in Android: provide your own trust store that includes trust for that specific self-signed key or subclass the X509 validation class to add that specific self-signed key as an additional trusted anchor into the list of trusted anchors that it returns. Unfortunately, there's a lot of very bad advice out there, particularly on sites like Stack Overflow, telling folks to disable chain validation entirely. The result is that not only does the app trust that self-signed key, it also trusts any self-signed key.

It doesn't help that there's no canonical source for that information from Google, so there are many, many questions on sites like Stack Overflow that all ask the same basic question in different ways and get different answers....

Patient: Doctor, when I drill a hole in my hand, I can't scoop up water from the bucket to drink.
Doctor: Why did you drill a hole in your hand?
Patient: So that the acid wouldn't stay in my hand.
Doctor (alarmed): Why did you put acid in your hand?
Patient: Because the bucket dealer wanted too much money for a bucket.

Yeah, it's like that.

Re:Man in the middle?

[Artraze]

There's not really any such thing as a "legit" certificate; you're referring to a signed one. This does nothing to protect against a man-in-the-middle attack. What it does do is establish a chain of trust linking your certificate back to an authority. If that authority is trusted then your cert can be too (to the extent you trust the authority). If, and that's a big if, we trust that _all_ trusted authorities will thoroughly vet the certificates they sign then we can _trust_ that a MITM attack cannot occur, but realistically "legit" certificates do nothing more than that. If, say, the US DoD (once/often? a trusted authority) decides to MITM you, they can just sign a cert and MITM you.

The only way to actually prevent MITM is to exchange the certificate (or some verification mechanism like a hash) in some sort of trusted manner (e.g. distributing it's hash with a client app).