Slashdot Mirror

← Back to Stories (view on slashdot.org)

New OpenSSL Man-in-the-Middle Flaw Affects All Clients

Posted by timothy on from the disclosure-of-diclosure dept.

Trailrunner7 (1100399) writes 'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'

51 of 217 comments (clear)

  1. Key phrase of vulnerability : by Anonymous Coward · · Score: 2, Informative

    "but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought"

    1. Re:Key phrase of vulnerability : by ColdWetDog · · Score: 5, Insightful

      "but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought"

      As will always be. Any attempt at security by involving the end user is a recipe for failure.

      We're doomed.

      --
      Faster! Faster! Faster would be better!
    2. Re: Key phrase of vulnerability : by Anonymous Coward · · Score: 2, Interesting

      No, we just need software that isn't a pile of accreted crap.

      Cue LibreSSL. Not a moment too soon. Those guys should be paid to do ALL critical security software, because when they do something, they do it RIGHT.

    3. Re: Key phrase of vulnerability : by AndroSyn · · Score: 3, Insightful

      How does LibreSSL fix users who do stupid things? This I'd like to know...

    4. Re: Key phrase of vulnerability : by Anonymous Coward · · Score: 5, Funny

      LibreSSL does not yet have any users.

    5. Re: Key phrase of vulnerability : by aix+tom · · Score: 5, Funny

      So it is 100% save!! Yay!! ;-)

  2. Neat by Anrego · · Score: 4, Insightful

    But if you have a man in the middle position, most of those same users would have just clicked "ignore" or typed yes to the "connect anyway" prompt.

    1. Re:Neat by bluefoxlucid · · Score: 3, Informative

      The summary is actually ridiculous.

      The summary suggests SSL is useful without a man-in-the-middle. SSL protects against eaves droppers on your network; but any eaves dropper can become a MITM. ARP cache poisoning is a common technique; on switched networks, you cannot eaves drop without ARP cache poisoning or ARP flooding. Hubbed networks are similarly easy: packet the target with IP=DEFAUTGATEWAY MAC=YOU and it will start addressing default gateway packets to you (routing works by putting the destination IP on a packet, but the default gateway's MAC on the frame; you enter the IP address of the router, and the OS runs an ARP request to find its MAC).

      It's entirely unlikely that SSL does anything if there isn't a man in the middle.

      --
      Support my political activism on Patreon.
    2. Re:Neat by bluefoxlucid · · Score: 3, Insightful

      Speed limits are overly conservative, and it is entirely possible to drive fast and drive safely. Risk increases, but driver ability modifies the risk. Good brakes are even more important in such situations.

      I don't pay much attention to speed limits. The signs are posted miles apart and easy to miss; I drive with the flow of traffic, slowing down when there is additional risk. Additional risk includes traffic calming zones (whether zoned properly or not), e.g., residential areas with street parking and children, where risk is incredibly high--the proper way to drive these is slow, with your foot off the accelerator, prepared to brake. Other risks include commercial areas with lots of pedestrian traffic and street parking in general, where driving at-speed is fine; in these situations, you must search for hazards and prepare to steer or brake as needed to avoid them.

      Driving analogies always show how terrible we are at driving. People care so much about the folks driving 40mph in a 30mph zone, but they don't care about the people cruising mindlessly while staring straight ahead and taking no notice of kids playing by the street, people preparing to exit parked cars, or other cars about to turn in front of them without looking for cross traffic. These are people who will be utterly surprised and incapable of reacting when someone's kid pops out from behind a car, or when a driver exits his vehicle 10 feet in front of them.

      --
      Support my political activism on Patreon.
    3. Re:Neat by duke_cheetah2003 · · Score: 3, Insightful

      Society is asking you to follow the law, not to interpret or judge its validity.

      Sorry, wrong. Society is asking you drive safely and responsibly. Following the law helps, but not every time, not every circumstance.

    4. Re:Neat by LordLimecat · · Score: 2

      And yet everyone threw a hissy fit when Firefox first made it a massive PITA to use self-signed / untrusted certs.

      Honestly their implementation is pretty good; you can get through it, but blindly clicking will result in the cert being rejected.

  3. Re:MITM needs to be designed around by SuricouRaven · · Score: 2

    "Ultimately you still need to get the encryption information across securely"

    This is provably impossible with an active MITM attacker (Though a solution to passive listeners does exist and is in common use). If it could be done, we wouldn't be messing around with complicated certificate signing systems.

  4. Versions by Anonymous Coward · · Score: 3, Insightful

    Just to be clear, versions 1.01 and 1.02(beta) is the same as saying "Any OpenSSL version released since early 2012", right? It sounds like the summary is trying to downplay the threat a little bit.

    1. Re:Versions by GameboyRMH · · Score: 4, Informative

      That's right, it affects all versions that are anywhere close to current.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re: Versions by Anonymous Coward · · Score: 3, Informative

      There are also stable releases of 0.9.8 and 1.0.0 which are still maintained for security updates. Many long-term-stable distros and even some recent network appliances don't use 1.0.1 because of the possibility that code churn and feature dev has made it less secure than 1.0.0. In this case they would be right.

    3. Re:Versions by Anonymous Coward · · Score: 2, Interesting

      especially after everyone panic-upgraded after heartbleed.

    4. Re:Versions by Zero__Kelvin · · Score: 4, Insightful

      "especially after everyone panic-upgraded after heartbleed."

      You can leave out the "panic". Everyone upgraded. Appropriately. No need for the over-sensationalism.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:Versions by DarwinSurvivor · · Score: 2

      FreeBSD 9.0 uses OpenSSL 0.9.8q by default (though 1.0.1 is optionally available in the ports tree), which according the summary should be safe (from this attack at least).

  5. This is awesome by nctritech · · Score: 4, Insightful

    The more of these we find, the more secure OpenSSL will be. I hope we continue to find these kinds of problems and see them fixed. If open source has one strength, it's that when many skilled eyes DO converge on the code it can be tested and fixed far more quickly than a corporation with limited resources and only paid developers can do the same sort of debugging work. The trick is getting the eyes there in the first place.

    1. Re:This is awesome by Bengie · · Score: 2

      OpenSSL design is fundamentally flawed. Bug fixes will probably introduce more bugs in many cases. I mean, OpenSSL will use your actual private key as a source of entropy. How messed up is that?

    2. Re:This is awesome by westlake · · Score: 2

      it can be tested and fixed far more quickly than a corporation with limited resources and only paid developers can do the same sort of debugging work.

      Open Source does not guarantee unlimited resources. Case in point: TrueCrypt.

      Paid developers can work full time on debugging and may have a much deeper understanding of the code and how it is used.

    3. Re:This is awesome by mean+pun · · Score: 3, Interesting

      I agree that 16 years for a fundamental flaw like this is bad, but how can you possibly know that closed source is no worse (or no better) than this? Closed-source software vendors are usually not very open about these problems.

    4. Re:This is awesome by Anonymous Coward · · Score: 5, Informative

      OpenSSL design is fundamentally flawed. Bug fixes will probably introduce more bugs in many cases.

      Well, the LibreSSL project is ripping out much of the code and rebuilding it: http://www.libressl.org/

      I mean, OpenSSL will use your actual private key as a source of entropy. How messed up is that?

      Ummm, your private key should be randomly generated, otherwise public key encryption doesn't work too well.

      But your private key doesn't change, so that isn't a good thing to do. Fixing the entropy is one of the many things LibreSSL is doing: http://www.openbsd.org/papers/bsdcan14-libressl/mgp00016.html

    5. Re:This is awesome by iamgnat · · Score: 5, Insightful

      open source has one strength, it's that when many skilled eyes DO converge on the code it can be tested and fixed far more quickly

      Did you even read the summary? They believe that this flaw has existed since 1998. You have a very strange definition of "quickly" if 16 years falls into that category.

      I'm all for OSS, but people like you that continue to trot out this tripe aren't helping it. The benefit isn't that there all these mythical "skilled eyes" looking at the code, it's that you can look at the code.

    6. Re:This is awesome by evilviper · · Score: 4, Insightful

      If open source is so great, this flaw wouldn't have been around this long, would it?

      Closed source software is far worse, you just don't hear about it.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    7. Re:This is awesome by Dcnjoe60 · · Score: 5, Insightful

      I agree that 16 years for a fundamental flaw like this is bad, but how can you possibly know that closed source is no worse (or no better) than this? Closed-source software vendors are usually not very open about these problems.

      I agree 100%. The only reason this flaw is known is because the source code was available to review. Obviously, it would have been better if this were reviewed and caught sooner, but that ignores the fact that it was only caught because the source code was available. That seems to be a big plus.

      Also what is interesting is that even though the flaw has been there for 16 years, there are no known exploits of it. That would seem to dismiss the notion that open source security software is problematic because bad people can find exploits.

      Of course another explanation is that the flaw isn't any such thing and was intentional and because it was open source, certain government agencies will now lose the ability to exploit it.

      Regardless of how you look at it, it seems to be an advantage to open source.

    8. Re:This is awesome by js3 · · Score: 3, Insightful

      The more of these we find, the more secure OpenSSL will be. I hope we continue to find these kinds of problems and see them fixed. If open source has one strength, it's that when many skilled eyes DO converge on the code it can be tested and fixed far more quickly than a corporation with limited resources and only paid developers can do the same sort of debugging work. The trick is getting the eyes there in the first place.

      10 years ago someone said...

      "Opensource will eliminate all bugs, because the world can see the source". Doesn't matter if no one reads the source.

      --
      did you forget to take your meds?
    9. Re:This is awesome by nctritech · · Score: 5, Insightful

      If you've been following OpenSSL Heartbleed coverage, you know that the project has only had one full-time developer working on it. Since Heartbleed (a recent discovery, you'll recall) they've discovered more holes to close such as this one. I'd call less than two months since more eyes started staring at OpenSSL "quickly."

    10. Re:This is awesome by nctritech · · Score: 2

      The same problems that OSS has with code not being reviewed is present in closed-source models as well, such as the recent Apple security hole that managed to make it past review and stick around for quite a while. They pay developers to work on this stuff. The devs missed it. Software development is done by humans and humans commit mistakes. No source availability model can ever fully mitigate that.

    11. Re:This is awesome by Anonymous Coward · · Score: 2, Insightful

      There are STILL open issues in Windows 8.1 that have existed since Win2000, that are actively being exploited today with no fix in sight. Major flaws that have survived supposed "complete rewrites" even though the steps to exploit are the exact same. There is only a large amount of shrill denial and burying heads in the sand. At least that aspect doesn't exist in open source.

    12. Re:This is awesome by Bite+The+Pillow · · Score: 2

      This required knowing how SSL is supposed to work, not just being able to read code.

      It was found when someone decided to check whether implementations correctly checked the order of messages. This could have been found by testing against a binary, regardless of the code being available.

      Open source is a win here because I can fix it without waiting for a vendor patch. Not that I would, but I can. Code availability for finding the bug is nearly irrelevant.

      No known exploits means nothing. Exclusive zero days are expensive, and I would not share it with anyone if I bought it. Use it in extraordinary circumstances only, and it can be undetected for a while.

    13. Re:This is awesome by rabtech · · Score: 3, Insightful

      It's actually a false dichotomy...

      The vast majority of software is poorly written, hacked-together junk written by dicks and idiots.

      Open Source *can* be slightly less terrible, but it's all still terrible.

      --
      Natural != (nontoxic || beneficial)
    14. Re:This is awesome by g1zmo · · Score: 4, Funny

      Literally no one has ever said that.

      --
      I have found there are just two ways to go.
      It all comes down to livin' fast or dyin' slow.       -REK, Jr.
    15. Re:This is awesome by Desler · · Score: 3, Insightful

      Neither this bug or heartbleed were found by looking at the source code. They were found through binary analysis.

    16. Re:This is awesome by LordLimecat · · Score: 2

      . You can also do your own security audit on open source software if you are really security conscious.

      No, you cant, and if you think you can you have a serious ego problem.

      A security audit of something like OpenSSL is not something that should be attempted by someone who does not earn a living doing code and crypto audits.

    17. Re:This is awesome by TubeSteak · · Score: 2

      Open source is a win here because I can fix it without waiting for a vendor patch. Not that I would, but I can.

      And why wouldn't you?
      Probably because you're waiting for some other guy (the vendor) to do compatibility and regression testing.

      --
      [Fuck Beta]
      o0t!
    18. Re:This is awesome by pipatron · · Score: 2

      Is it messed up to add sensitive information to an entropy pool? From choice of wording it seems everyone should immediately and without reservation know better this is a stupid thing to do.

      Question is this actually a valid position or more knee jerk based on unfounded fear, ignorance of operation of an entropy pool?

      When functioning properly you shouldn't be able to extract anything except entropy from pool.

      Emphasis mine. Putting it in the pool is yet another attack vector, and a great way to increase the chance of something going wrong down the line. Either by mistake or by a planned malicious code change in parts of the code that doesn't seem to have anything to do with the private key.

      --
      c++; /* this makes c bigger but returns the old value */
    19. Re:This is awesome by nctritech · · Score: 2

      http://news.softpedia.com/news...

      Feel free to look up a CVE for it yourself. This is just one example. Other long-standing MS security holes include the infamous WMF bug. Plenty of such things exist in the wild.

  6. How are people affected in their day to day lives? by tlhIngan · · Score: 3, Insightful

    This is a flaw, but it requires both ends use vulnerable OpenSSL versions. Which means your day-to-day life may or may not be affected that much.

    I mean, if you use iOS, OS X, or Windows, you're more than likely NOT using OpenSSL on the client side (except say, if you use Firefox on Windows) - since Apple and Microsoft have their own SSL implementations. If you have an Android phone or tablet, then yes, it's quite likely an issue, and while both are popular, people generally don't use them that much for data (iOS traffic, after 7 years, has finally dropped to below 50% of all mobile traffic out there, despite Android outselling iOS by a huge margin). And nevermind the oddball Linux user.

    So the real question is, how many people really ARE affected?

    Heartbleed affects everyone because it exposes server secrets irrespective of the client side. But this vulnerability is only really present if both ends use OpenSSL.

  7. Closed source software by 93+Escort+Wagon · · Score: 2

    Given all the open-source SSL/TLS security flaws (OpenSSL, gnutls, Apple SSL) that have come out these past few months - mostly thanks to renewed interest in hunting flaws, thanks to the Snowden revelations, I suspect - I hope that companies like Microsoft are also seeing this as a wake-up call driving them to do code reviews on their closed-source SSL/TLS code.

    --
    #DeleteChrome
    1. Re:Closed source software by 93+Escort+Wagon · · Score: 2

      Not quite sure what you mean there. Closed source gets more code review than opensource apparently.

      Speaking as someone who, in a past job, reported a number of brain-dead flaws in their products to Microsoft - I'm curious what experience has led you to draw that conclusion.

      --
      #DeleteChrome
    2. Re:Closed source software by swillden · · Score: 2

      Closed source gets more code review than opensource apparently.

      Clearly you've never worked in the software industry.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Closed source software by 93+Escort+Wagon · · Score: 2

      Most of the bugs I reported to Microsoft were flaws in their Fortran and MASM (assembly language) offerings, back in olden days of yore (otherwise known as the 1990s).

      With the added complexity of modern Microsoft dev tools, though, I'm sure bugs never make it into production nowadays.

      --
      #DeleteChrome
    4. Re:Closed source software by Bite+The+Pillow · · Score: 2

      Samba reverse engineered smb with a clean room effort, but I'm sure they didn't get it right the first time. The effect was fuzzing the windows service as they developed.

      Similar efforts have been done on lots of proprietary binaries, and plain old assembly level disassembly has also been done.

      I'm not saying everything has been tested. But "you can't know" is clearly wrong. If you want to know, you can. Just like if you wanted to know openssl is secure, you can. You had 16 years to read source code and you didn't find this bug. If there are flaws in proprietary software, it is because someone didn't look. Not because they didn't know.

      How do black hats find vulnerabilities if they "can't know"?

  8. Re:How are people affected in their day to day liv by Anonymous Coward · · Score: 2, Informative

    I mean, if you use iOS, OS X, or Windows, you're more than likely NOT using OpenSSL on the client side (except say, if you use Firefox on Windows)

    Ummm, firefox uses NSS, not OpenSSL: http://en.wikipedia.org/wiki/Network_Security_Services

  9. Re:How are people affected in their day to day liv by Argilo · · Score: 2

    Firefox uses NSS, not OpenSSL.

  10. Re:How are people affected in their day to day liv by Blue+Stone · · Score: 2

    you're more than likely NOT using OpenSSL on the client side (except say, if you use Firefox on Windows)

    That's quite the parabolic sentence there. I hope you didn't give yourself whiplash.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  11. Advisory is a bit unclear by dpapenthien · · Score: 2

    After reading the advisory from OpenSSL, I'm still confused by what is vulnerable and what isn't. The flaw requires both the client and server to be vulnerable. If the client is using OpenSSL, they're vulnerable for 0.9.8/1.0.0/1.0.1. But if the server is using OpenSSL, they're only vulnerable if using 1.0.1/1.0.2(beta). Yet the bullet list of recommendations points out that servers should upgrade even if they're using 0.9.8: * OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. Let's say I have a server using 0.9.8 and client using 1.0.0. If I understand their explanation correctly, then this scenario is *not* vulnerable. Is that the same conclusion others would draw from their explanation?

  12. Re:LibreSSL by melstav · · Score: 2

    Yes. If you're using libressl and the snapshot of the source you compiled is older than Thu Jun 5 15:46:24 2014 UTC, you're affected by this, too. See: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/s3_clnt.c

  13. Re:MITM needs to be designed around by sexconker · · Score: 3, Informative

    "Ultimately you still need to get the encryption information across securely"

    This is provably impossible with an active MITM attacker (Though a solution to passive listeners does exist and is in common use). If it could be done, we wouldn't be messing around with complicated certificate signing systems.

    Correct. A MITM beats everything done over the wire. You need to secure your shit before you use the wire. You need a pre-shared key to encrypt the initial communication. A certificate sort of does this, but not really because we still trust them blindly and we initially accept them over the same wire. The proper way to do shit would be for you to go to your bank in person, for example, and generate 2 keys - one for you to use to talk to your bank and one for the bank to use to talk to you. You then use that key when establishing your first communication with the bank, and they use theirs. You can use whatever encryption you want, you can deploy a key-changing scheme, or a certificate scheme like we have now, whatever.

    Your initial key exchange must be done securely. Doing it in person is the most secure way possible, but it's also the least convenient. Doing it over the wire is NEVER secure against a MITM.

  14. Re:MITM needs to be designed around by someSnarkyBastard · · Score: 2

    Diffie-Hellman Key Exchange allows you to securely share a secret key over an insecure medium. Combining this with asymmetric cryptography to identify parties is how modern handshake protocols work.

    The problem here how to trust Bob's asymmetric key really came from Bob and not Eve.

    You are correct in that the ideal solution would be to talk to Bob over a different medium (like phone) and ask him if that is his key but there are ways to do this over the wire. As an example, several Linux distros sign their LiveCD images with cryptographic keys and post the keys' fingerprints on their web page. Can these be spoofed? Sure, hack the server hosting the files. That requires additional effort (and risk) though which would dissuade most cyber-criminals from attempting it.

    Is this perfect security? No, but there is no such thing short of chucking whatever you want secured into a black hole.