Language Selection

English French German Italian Portuguese Spanish

Another Protocol Bites The Dust

Filed under
Security

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Not that the picture is all rosy even when client certificates are not involved.




Vulnerability in SSL/TLS protocol

h-online.com: According to reports, vulnerabilities in the SSL/TLS protocol can be exploited by attackers to insert content into secure connections. If this is correct, it would affect HTTPS and all other protocols which use TLS for security, including IMAP. The precise effects of the problem are not discussed in the reports. It would, however, appear to be possible to manipulate HTML content from websites during data transfer and, for example, inject malicious code.

The crux of the problem is, rather than a flawed implementation, a design flaw in the TLS protocol when renegotiating parameters for an existing TLS connection. This occurs when, for example, a client wants to access a secure area on a web server which requires the requesting client certificates. When the server establishes that is the case, it begins a renegotiation to obtain the appropriate client certificate. The original request gets replayed during this renegotiation as if it had been authenticated by the client certificate, but it has not. The discoverer of the problem describes this as an "authentication gap".

Rest Here

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

How Linux and Open Tech Empower Medical Healthcare

Open Source is not just for IT industry. Linux and Open Source technologies are impacting Medical and Healthcare industries as well. Read more

Security: Open Source Security Podcast, New Updates, MysteryBot and Grayshift

Containers and 'Clouds'

  • [Podcast] PodCTL #39 – CI/CD and Kubernetes
    One of the characteristics of the most successful deployments of OpenShift are the CI/CD pipelines that enable application integrations. This week we dove into a question from a listener – “Can you talk more about best practices for integrating CI/CD systems into Kubernetes?“ Brian and Tyler talk about the latest news from the Kubernetes community, the difference between CI and CD, and various considerations for integrating CI/CD environments with Kubernetes.
  • Partners See Docker's 'Promise Of Choice' As A Unique Inroad To Enterprise Customers
  • Docker’s Name and Operations Could Appeal to Microsoft, Red Hat, VMware
    Docker Inc. owns one of the most prominent names in the cloud container ecosystem. But a recent report from Cowen and Company named a handful of established cloud players as potential acquirers of Docker Inc. Those included Microsoft, Red Hat, and VMware, with the first two deemed most likely to take the plunge. “Despite its strong name recognition and customer momentum, Docker’s long-term financial success – at least as an independent company – is hardly a fait accompli,” the Cowen and Company report stated. “We do believe that Docker will have to work hard in order to overcome its smaller footprint with enterprise companies.”
  • Every Silver Lining Has a Cloud

    The savings in cloud computing comes at the expense of a loss of control over your systems, which is summed up best in the popular nerd sticker that says, "The Cloud is Just Other People's Computers."

Mozilla: Motion, Contributors, Testday, ActivityMonitor, San Francisco Oxidation

  • Firefox has a motion team?! Yes we do!
    Motion may sometimes feel like an afterthought or worse yet “polish”. For the release of Firefox Quantum (one of our most significant releases to date), we wanted to ensure that motion was not a second class citizen and that it would play an important role in how users perceived performance in the browser. We (Amy & Eric) make up the UX side of the “motion team” for Firefox. We say this in air quotes because the motion team was essentially formed based on our shared belief that motion design is important in Firefox. With a major release planned, we thought this would be the perfect opportunity to have a team working on motion.
  • Firefox 61 new contributors
    With the upcoming release of Firefox 61, we are pleased to welcome the 59 developers who contributed their first code change to Firefox in this release, 53 of whom were brand new volunteers!
  • QMO: Firefox 61 Beta 14 Testday Results
    As you may already know, last Friday – June 15th – we held a new Testday event, for Firefox 61 Beta 14. Thank you all for helping us make Mozilla a better place!
  • IOActivityMonitor in Gecko
    This is a first blog post of a series on Gecko, since I am doing a lot of C++ work in Firefox these days. My current focus is on adding tools in Firefox to try to detect what's going on when something goes rogue in the browser and starts to drain your battery life. We have many ideas on how to do this at the developer/user level, but in order to do it properly, we need to have accurate ways to measure what's going on when the browser runs. One thing is I/O activity. For instance, a WebExtension worker that performs a lot of disk writes is something we want to find out about, and we had nothing to track all I/O activities in Firefox, without running the profiler. When Firefox OS was developed, a small feature was added in the Gecko network lib, called NetworkActivityMonitor.
  • San Francisco Oxidation meeting notes
    At last week’s Mozilla All Hands meeting in San Francisco we had an Oxidation meeting about the use of Rust in Firefox. It was low-key, being mostly about status and progress. The notes are here for those who are interested.