Language Selection

English French German Italian Portuguese Spanish

Another Protocol Bites The Dust

Filed under
Security

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Not that the picture is all rosy even when client certificates are not involved.




Vulnerability in SSL/TLS protocol

h-online.com: According to reports, vulnerabilities in the SSL/TLS protocol can be exploited by attackers to insert content into secure connections. If this is correct, it would affect HTTPS and all other protocols which use TLS for security, including IMAP. The precise effects of the problem are not discussed in the reports. It would, however, appear to be possible to manipulate HTML content from websites during data transfer and, for example, inject malicious code.

The crux of the problem is, rather than a flawed implementation, a design flaw in the TLS protocol when renegotiating parameters for an existing TLS connection. This occurs when, for example, a client wants to access a secure area on a web server which requires the requesting client certificates. When the server establishes that is the case, it begins a renegotiation to obtain the appropriate client certificate. The original request gets replayed during this renegotiation as if it had been authenticated by the client certificate, but it has not. The discoverer of the problem describes this as an "authentication gap".

Rest Here

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

11 reasons why Android is winning

You know the smartphone has supplanted every other consumer technology when all anyone really wants in a car now is a “smartphone on wheels.” In a world where most smartphone users have Android-based models, Google is aiming to reach the next billion users coming online — with Android as the nexus of activity. Whether it’s as a Google Home oracle/assistant, Android Auto smart car integration, TensorFlow machine learning or DayDream virtual reality, the Internet search behemoth now aims to become the search engine for your life. Add to that a serious focus on developer tooling and solutions such as Firebase and Android Studio 2.3, and it’s clear that Google is ramping its current ubiquity up to a whole new level. Here are 11 reasons why Android isn’t just for phones anymore. Read more

Qt Creator 4.3 Beta released

Qt Quick Designer now integrates a QML code editor. This allows you to use views like the Properties editor and the Navigator also for text based editing. When you use the split view, you directly see the effects of what you are doing. The graphical editor got support for adding items and tab bar to stacked containers like StackedLayout and SwipeView, a tool bar with common actions, and support for HiDPI displays. Read more Also: Qt Creator 4.3 Beta Rolls Out QML Code Editor & CMake Server-Mode

today's leftovers

  • Red Hat - Another Quarter And A Totally New Set Of Investor Perceptions
  • BIG open-source love Microsoft and Google? You still won't catch AWS [Ed: Microsoft does not love FOSS (or loved by it); it actively attacks FOSS.]
    Open source wasn’t supposed to matter in the cloud. After the Free Software Foundation’s failed attempt to rein in network-delivered software services, some wrung their hands and waited for the open source apocalypse. Instead of imploding, however, open source adoption has exploded, with ever more permissive licenses rising to largely eliminate the need to contribute anything back.
  • Open Source Data:The Last Frontier of the Fintech Revolution
    In the early days of computing, programmers and software developers shared their creations learned from each other and therefore advanced computing and software engineering to new heights.
  • The cheap arm project: An affordable, open-source robotics project
    What do you get when you put together wood and rope? Well according to Plymouth University’s Professor Guido Bugmann: a low-cost, open source, 2 meter tall robot! All buildable for under £2000. The Cheap Arm Project (CHAP) began as an MSc project aimed at developing an affordable mobile robot arm system that could be used by wheelchair users to access daily objects at inaccessible heights or weights (the extreme case being 2 litre bottle).
  • European Interoperability Framework: Commission presents new guidance for digital public services
    The announcement will be made today, at the Digital Day in Rome, together with other initiatives that aim to promote cooperation between EU Member States to better prepare society to reap the full potential of the digital transformation. Many EU Member States are digitising their public administrations to save time, reduce costs, increase transparency, and improve the quality of services that they offer to citizens and businesses. Doing this in a coordinated way ensures that the public sector is not only digital but also interoperable. The EU framework published today will help Member States to follow a common approach when making their public services available online, also across countries and policy areas. This will contribute to reducing bureaucracy for people and businesses, for example, when requesting certificates, enrolling to services, or handing in tax declarations.
  • Carbon Black warns of over reliance on 'nascent' machine learning security

    Security professionals cited high false positive rates and the ease with which machine learning-based technologies can be bypassed – at present – as the most serious barriers to adoption.

Linux Devices