Language Selection

English French German Italian Portuguese Spanish

Another Protocol Bites The Dust

Filed under
Security

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Not that the picture is all rosy even when client certificates are not involved.




Vulnerability in SSL/TLS protocol

h-online.com: According to reports, vulnerabilities in the SSL/TLS protocol can be exploited by attackers to insert content into secure connections. If this is correct, it would affect HTTPS and all other protocols which use TLS for security, including IMAP. The precise effects of the problem are not discussed in the reports. It would, however, appear to be possible to manipulate HTML content from websites during data transfer and, for example, inject malicious code.

The crux of the problem is, rather than a flawed implementation, a design flaw in the TLS protocol when renegotiating parameters for an existing TLS connection. This occurs when, for example, a client wants to access a secure area on a web server which requires the requesting client certificates. When the server establishes that is the case, it begins a renegotiation to obtain the appropriate client certificate. The original request gets replayed during this renegotiation as if it had been authenticated by the client certificate, but it has not. The discoverer of the problem describes this as an "authentication gap".

Rest Here

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

How To Build A Raspberry Pi Smartwatch — The Geekiest Watch Ever Made

In our Getting Started With Raspberry Pi series, we’ve introduced you to the basics of Pi, told you how to get everything you need, and help you boot a basic operating system. But, Raspberry Pi is much more than that. You can use it as a TOR proxy router, build your own PiPhone, and even install Windows 10 IoT. This little device comes with lots of flexibility, that allows it to be used in multiple applications. Well, did you ever think about wearing your Raspberry Pi? If your answer is NO, I won’t be surprised. If you imagine a scenario where Raspberry Pi is used to build a smartwatch, it would look too bulky. Well, that’s the thing about making geeky things that set you apart from the regular crowd, right? Read more

Ubuntu Leftovers

  • Yakkety Yak Alpha 2 Released
  • Ubuntu 16.10 "Yakkety Yak" Alpha 2 Released
    Today marks the second alpha release for Ubuntu 16.10 "Yakkety Yak" flavors participating in these early development releases. Participating in today's Yakkety Yak Alpha 2 development milestone are Lubuntu, Ubuntu MATE, and Ubuntu Kylin. No Xubuntu or Kubuntu releases to report on this morning.
  • PSA: Ubuntu 15.10 Hits End of Life Today
    It's time to wave a weary goodbye to the Wily Werewolf, as Ubuntu 15.10 support ends today.
  • Jono Bacon on Life After (and Before) GitHub
    Do you want to know what it takes to be a professional community manager? This interview will show you the kind of personality that does well at it, and how Jono Bacon, one of the world’s finest community managers, discovered Linux and later found his way into community management. Bacon is world-famous as the long-time community manager for Ubuntu. He was so good, I sometimes think his mother sang “you’ll be a community manager by and by” to him when he was a baby. In 2014 he went to XPRIZE, not a FOSS company, but important nevertheless. From there he dove back into FOSS as community manager for GitHub. Now Bacon is a freelance, self-employed community manager. One of his major clients is HackerOne, whose CEO is Bacon’s and my mutual friend Mårten Mickos. But HackerOne is far from his only client. In the interview he says he recently got back from visiting a client in China, and that he has more work then he can handle.

I've been Linuxing since before you were born

Once upon a time, there was no Linux. No, really! It did not exist. It was not like today, with Linux everywhere. There were multiple flavors of Unix, there was Apple, and there was Microsoft Windows. When it comes to Windows, the more things change, the more they stay the same. Despite adding 20+ gigabytes of gosh-knows-what, Windows is mostly the same. (Except you can't drop to a DOS prompt to get actual work done.) Hey, who remembers Gorilla.bas, the exploding banana game that came in DOS? Fun times! The Internet never forgets, and you can play a Flash version on Kongregate.com. Apple changed, evolving from a friendly system that encouraged hacking to a sleek, sealed box that you are not supposed to open, and that dictates what hardware interfaces you are allowed to use. 1998: no more floppy disk. 2012: no more optical drive. The 12-inch MacBook has only a single USB Type-C port that supplies power, Bluetooth, Wi-Fi, external storage, video output, and accessories. If you want to plug in more than one thing at a time and don't want to tote a herd of dongles and adapters around with you, too bad. Next up: The headphone jack. Yes, the one remaining non-proprietary standard hardware port in Apple-land is doomed. Read more