Language Selection

English French German Italian Portuguese Spanish

Another Protocol Bites The Dust

Filed under
Security

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Not that the picture is all rosy even when client certificates are not involved.




Vulnerability in SSL/TLS protocol

h-online.com: According to reports, vulnerabilities in the SSL/TLS protocol can be exploited by attackers to insert content into secure connections. If this is correct, it would affect HTTPS and all other protocols which use TLS for security, including IMAP. The precise effects of the problem are not discussed in the reports. It would, however, appear to be possible to manipulate HTML content from websites during data transfer and, for example, inject malicious code.

The crux of the problem is, rather than a flawed implementation, a design flaw in the TLS protocol when renegotiating parameters for an existing TLS connection. This occurs when, for example, a client wants to access a secure area on a web server which requires the requesting client certificates. When the server establishes that is the case, it begins a renegotiation to obtain the appropriate client certificate. The original request gets replayed during this renegotiation as if it had been authenticated by the client certificate, but it has not. The discoverer of the problem describes this as an "authentication gap".

Rest Here

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Quadcopter drone packs first all-Linux APM autopilot

Erle Robotics launched a ROS-enabled, open source “Erle-brain” autopilot that runs APM directly on Linux. The device also powers an “Erle-copter” drone. Over the last year, Spanish firm Erle Robotics S.L. has been working with 3DRobotics to develop an open source BeaglePilot autopilot for drones that can run Linux on 3DR’s popular, Arduino-based APM (ArduPilot Mega) platform. The APM Linux port was developed by both companies, as well as several academic institutions. The BeagleBone-based “Erle-brain” autopilot is built into the $490-and-up Erle-copter quadcopter. Read more

Seven Tips To Get The Most From Your New Android Smartphone

With applications able to run in the background and sync as they see fit, Android can rapidly eat through your cellular data allowance if you are not careful. While it’s fine to let the data run free on wi-fi, you’ll want to restrict your data usage when out and about. Short of switching off mobile data (which defeats the purpose of a smartphone), look under the options in the Data Usage part of the settings. Here you’ll find my wallet’s favourite Android setting of ‘restrict background data’. Now when using cellular data, apps will only pull down data when they are in the foreground and you can see them doing so. If a smartphone is all about being in control, this is the option that gives you confidence. Read more

today's leftovers

Hands-on with PCLinuxOS: A terrific release

I had been thinking that a new PCLinuxOS release was due any time now, based on their quarterly release schedule. Sure enough, it has now arrived, just in time for Christmas - PCLinuxOS 2014.12. Read more Also: Santa Claus has Linux in his sack -- PCLinuxOS 2014.12 is here PCLinuxOS 2014.12 released