Language Selection

English French German Italian Portuguese Spanish

Another Protocol Bites The Dust

Filed under
Security

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Not that the picture is all rosy even when client certificates are not involved.




Vulnerability in SSL/TLS protocol

h-online.com: According to reports, vulnerabilities in the SSL/TLS protocol can be exploited by attackers to insert content into secure connections. If this is correct, it would affect HTTPS and all other protocols which use TLS for security, including IMAP. The precise effects of the problem are not discussed in the reports. It would, however, appear to be possible to manipulate HTML content from websites during data transfer and, for example, inject malicious code.

The crux of the problem is, rather than a flawed implementation, a design flaw in the TLS protocol when renegotiating parameters for an existing TLS connection. This occurs when, for example, a client wants to access a secure area on a web server which requires the requesting client certificates. When the server establishes that is the case, it begins a renegotiation to obtain the appropriate client certificate. The original request gets replayed during this renegotiation as if it had been authenticated by the client certificate, but it has not. The discoverer of the problem describes this as an "authentication gap".

Rest Here

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Security News

  • News in brief: DirtyCOW patched for Android; naked lack of security; South Korea hacked
  • Millions exposed to malvertising that hid attack code in banner pixels
    Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.
  • Backdoor accounts found in 80 Sony IP security camera models
    Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version. Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price. One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday.
  • I'm giving up on PGP
    After years of wrestling GnuPG with varying levels of enthusiasm, I came to the conclusion that it's just not worth it, and I'm giving up. At least on the concept of long term PGP keys. This is not about the gpg tool itself, or about tools at all. Many already wrote about that. It's about the long term PGP key model—be it secured by Web of Trust, fingerprints or Trust on First Use—and how it failed me.

OpenSUSE Ends Support For Binary AMD Graphics Driver

Bruno Friedmann has announced the end to AMD proprietary driver fglrx support in openSUSE while also announcing they don't plan to support the hybrid proprietary AMDGPU-PRO stack either. Friedmann wrote, "Say goodbye fglrx!, repeat after me, goodbye fglrx... [In regards to the newer AMDGPU-PRO stack] I will certainly not help proprietary crap, if I don’t have a solid base to work with, and a bit of help from their side. I wish good luck to those who want to try those drivers, I’ve got a look inside, and got a blame face." Read more

4 open source drone projects

Over the past few years, interest in both civilian and commercial use of drones has continued to grow rapidly, and drone hardware sits at the top of many people's holiday wish lists. Even just within the civilian side of things, the list of unmanned aerial devices which fit the moniker of drone seems to be constantly expanding. These days, the term seems to encompass everything from what is essentially a cheap, multi-bladed toy helicopter, all the way up to custom-built soaring machines with incredibly adept artificial intelligence capabilities. Read more

Fedora News

  • Elections 2016: Nominate community members to Fedora leadership
    With Fedora 25 out the door a couple of weeks ago, Fedora is once again moving ahead towards Fedora 26. As usual after a new release, the Fedora Elections are getting into gear. There are a fair number of seats up for election this release, across both the Fedora Engineering Steering Committee (FESCo) and the Fedora Council. The elections are one of the ways you can have an impact on the future of Fedora by nominating and voting. Nominate other community members (or self-nominate) to run for a seat in either of these leadership bodies to help lead Fedora. For this election cycle, nominations are due on December 12th, 2016, at 23:59:59 UTC. It is important to get nominations in quickly before the window closes. This article helps explain both leadership bodies and how to cast a nomination.
  • Endless Sky now available on Fedora
    Endless Sky is a 2D space trading and combat game similar to Escape Velocity. The game sets you as a beginning pilot, just having made a down payment on your very first starship. You’re given a choice between a shuttle, a freighter or a fighter. Depending on what ship you choose, you will need to figure out how to earn money to outfit and eventually upgrade your ship. You can transport passengers, run cargo, mine asteroids or even hunt pirates. It’s an open-ended game that blends the top-down action of a 2D space shooter with the depth and replayability of a 4X.
  • Analysis is confusing
    I’ve known of affinity mapping, and even tried to use sticky notes to figure out some of my data in the first UX project I did. Unfortunately, as I found out at the time, analysis of the data I get in UX research doesn’t really lend itself to being done alone. Much like statistics, I suspect. I’m not at all sure how UX consultants do their analyses, given this!