Language Selection

English French German Italian Portuguese Spanish

Another Protocol Bites The Dust

Filed under
Security

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Not that the picture is all rosy even when client certificates are not involved.




Vulnerability in SSL/TLS protocol

h-online.com: According to reports, vulnerabilities in the SSL/TLS protocol can be exploited by attackers to insert content into secure connections. If this is correct, it would affect HTTPS and all other protocols which use TLS for security, including IMAP. The precise effects of the problem are not discussed in the reports. It would, however, appear to be possible to manipulate HTML content from websites during data transfer and, for example, inject malicious code.

The crux of the problem is, rather than a flawed implementation, a design flaw in the TLS protocol when renegotiating parameters for an existing TLS connection. This occurs when, for example, a client wants to access a secure area on a web server which requires the requesting client certificates. When the server establishes that is the case, it begins a renegotiation to obtain the appropriate client certificate. The original request gets replayed during this renegotiation as if it had been authenticated by the client certificate, but it has not. The discoverer of the problem describes this as an "authentication gap".

Rest Here

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Today in Techrights

today's leftovers

Leftovers: Gaming

  • Company of Heroes 2 Might Be Coming Out For Linux
    While last year developers on the Company of Heroes 2 game said a Linux port was unlikely, recent Steam activity indicates that a Linux port is likely in the works. Company of Heroes 2 is a World War II set real-time strategy game developed by Relic Entertainment and sequel to the original Company of Heroes game. The Company of Heroes 2 title is powered by the Essence 3.0 Game Engine, which is proprietary to Relic Entertainment, uses a DirectX renderer, and designed around Windows. Company of Heroes 2 was released last summer for Microsoft Windows and is available on Steam.
  • Metro 2033 Redux Will Hopefully Hit Linux Real Soon
  • Sid Meier's Civilization: Beyond Earth for Linux No Longer Has a Release Date
    Sid Meier's Civilization: Beyond Earth, the next game in the Civilization series developed by Firaxis, no longer has a Linux launch date. When 2K Games and Firaxis announced that the upcoming Sid Meier's Civilization: Beyond Earth launch will also include a Linux version, gamers were ecstatic. This was supposed to be the silver bullet for the Linux platform, but it looks like we're going to be skipped.
  • Civilization: Beyond Earth for Mac has been postponed indefinitely
  • SteamOS Beta 133 Released
    Besides the normal security fixes, this release features a newer Linux kernel (no specifics) that boasts more network drivers and better Intel graphics performance. On top of that this release also features the Nvidia 340.32 drivers which fixes some of the white screen bugs when switching between modes.
  • SteamOS Update 133 Has Better Intel Performance, VA-API
    Valve released this morning the 133 update to the SteamOS Alchemist Beta. With this update comes new packages and other updates.
  • Crystal Picnic, A Colourful 2D RPG Released
    Crystal Picnic is a lighthearted and colourful tribute to the classic era of action RPGs! Join a sarcastic gardener and a wannabe knight as they journey across the kingdom chasing after ants who stole magic crystals from the castle. Oh, and did we mention the ants have gone mad because they're EATING those crystals? Yeah, that makes things much more unpredictable! Hours of exploration, mesmerizing platform-style combat, plenty of new friends to meet and loads of wacky enemies to encounter. When you fight chubby birds and ants carrying bazookas, you know you're in for a good time!
  • Metro 2033 Redux Shows Up in the Steam for Linux Database
    Metro 2033 Redux, a remake of the original Metro 2033 FPS released back in 2010, will be getting a Linux release on Steam for Linux. The developers from 4A Games have reworked the original title and they have introduced high resolution textures and new effects. In addition to that, they have reworked a number of gameplay aspects too. All of these have been done to get the game ready for Xbox One and PlayStation 4. They didn't ignored the PC, and Steam users will also be able to enjoy the game in a new coat.
  • Team Fortress 2 Receives Update with Important Balancing Changes

Linux on the desktop isn't dead

At LinuxCon this year, the creator of Linux, Linus Torvalds, was asked what he wanted for Linux. His response? "The desktop." For years, the call to Linux action was "World Domination." In certain markets, this has happened (think Linux helping to power Android and Chrome OS). On the desktop, however, Linux still has a long, long way to go. Wait... that came out wrong. I don't mean "Linux has a long, long way to go before it's ready for the desktop." What I meant to say is something more akin to "Linux is, in fact, desktop ready... it just hasn't found an inroad to the average consumer desktop." Read more