Another Protocol Bites The Dust

Filed under
Security

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Not that the picture is all rosy even when client certificates are not involved.




Vulnerability in SSL/TLS protocol

h-online.com: According to reports, vulnerabilities in the SSL/TLS protocol can be exploited by attackers to insert content into secure connections. If this is correct, it would affect HTTPS and all other protocols which use TLS for security, including IMAP. The precise effects of the problem are not discussed in the reports. It would, however, appear to be possible to manipulate HTML content from websites during data transfer and, for example, inject malicious code.

The crux of the problem is, rather than a flawed implementation, a design flaw in the TLS protocol when renegotiating parameters for an existing TLS connection. This occurs when, for example, a client wants to access a secure area on a web server which requires the requesting of client certificates. When the server establishes that this is the case, it begins a renegotiation to obtain the appropriate client certificate. The original request gets replayed during this renegotiation as if it had been authenticated by the client certificate, but it has not. The discoverer of the problem describes this as an "authentication gap".
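The "authentication gap" described in the two excerpts above can be shown with a small server-side model. This is an added illustration, not code from either quoted article or from any web server. It assumes a hypothetical `/protected/` path that requires a client certificate and uses a constructed session; no real TLS is involved. With `replay_buffered=True` the server behaves as described above; with `False` it only evaluates a request under the identity that was in force when the request's bytes arrived.

```python
# Toy model of the "authentication gap" (constructed; no real TLS involved).
PROTECTED_PREFIX = "/protected/"   # assumed path that requires a client certificate

def run_session(events, replay_buffered):
    """Process ("data", request_line) and ("renegotiate", client_cert) events.

    Returns a list of (request_line, outcome), where outcome is the identity
    the request was executed as, or "rejected".
    """
    peer = None          # client certificate currently bound to the session
    pending = None       # request held back while the server renegotiates
    log = []
    for kind, value in events:
        if kind == "renegotiate":
            peer = value
            if pending is not None:
                if replay_buffered:
                    # Flawed design: bytes received with no certificate are
                    # executed under the certificate obtained afterwards.
                    log.append((pending, peer))
                else:
                    # Hardened: a request is only ever evaluated under the
                    # identity in force when its bytes arrived.
                    log.append((pending, "rejected"))
                pending = None
        elif kind == "data":
            path = value.split(" ")[1]
            if path.startswith(PROTECTED_PREFIX) and peer is None:
                pending = value      # server would now request renegotiation
            else:
                log.append((value, peer or "anonymous"))
    return log

# Constructed session as the server sees it: it cannot tell that the first
# request and the later handshake came from different parties.
SESSION = [
    ("data", "GET /protected/report HTTP/1.1"),   # prefix, sent with no certificate
    ("renegotiate", "CN=alice"),                  # legitimate client's handshake
    ("data", "GET /protected/home HTTP/1.1"),     # legitimate client's own request
]

if __name__ == "__main__":
    for replay in (True, False):
        print("replay_buffered =", replay)
        for line, outcome in run_session(SESSION, replay):
            print("  ", line, "->", outcome)
```
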
