Language Selection

English French German Italian Portuguese Spanish

Another Protocol Bites The Dust

Filed under
Security

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Not that the picture is all rosy even when client certificates are not involved.




Vulnerability in SSL/TLS protocol

h-online.com: According to reports, vulnerabilities in the SSL/TLS protocol can be exploited by attackers to insert content into secure connections. If this is correct, it would affect HTTPS and all other protocols which use TLS for security, including IMAP. The precise effects of the problem are not discussed in the reports. It would, however, appear to be possible to manipulate HTML content from websites during data transfer and, for example, inject malicious code.

The crux of the problem is, rather than a flawed implementation, a design flaw in the TLS protocol when renegotiating parameters for an existing TLS connection. This occurs when, for example, a client wants to access a secure area on a web server which requires the requesting client certificates. When the server establishes that is the case, it begins a renegotiation to obtain the appropriate client certificate. The original request gets replayed during this renegotiation as if it had been authenticated by the client certificate, but it has not. The discoverer of the problem describes this as an "authentication gap".

Rest Here

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Tizen 3.0 and Home Spying Appliances

Vulkan FOSS Adoptions

  • SDL 2.0.6 released, introduces Vulkan support
    The cross-platform development library has seen the release of its latest version. Quite a few exciting changes this time around, including support for Vulkan and more types of gamepads. SDL [Official Site] is something that has been used in quite a diverse array of projects and plenty of game ports that have made their way to Linux have taken advantage of it. The latest release has its fair share of general improvements but most noticeable is the implementation of Vulkan support. This hopefully will make it easier for developers to take advantage of the Vulkan API and help it gain more traction.
  • X.Org Foundation Has Become A Khronos Adopter
    The X.Org Foundation board announced during this week's XDC2017 summit that they have officially completed the paperwork to become a Khronos adopter. The X.Org Foundation is now considered a pro-bono adopter for The Khronos Group so that the community-based open-source drivers targeting Khronos APIs for conformance can submit conformance test results and become a certified implementation.

Security: DHS on Potential Voting Machines Cracking, Joomla Patches Critical Flaw

  • DHS tells 21 states they were Russia hacking targets before 2016 election
  • 1. WikiLeaks, Russian edition: how it’s being viewed
    Russia has been investing heavily in a vision of cyberdemocracy that will link the public directly with government officials to increase official responsiveness. But it is also enforcing some of the toughest cybersecurity laws to empower law enforcement access to communications and ban technologies that could be used to evade surveillance. Could WikiLeaks put a check on Russia’s cyber regime? This week, the online activist group released the first of a promised series of document dumps on the nature and workings of Russia’s surveillance state. So far, the data has offered no bombshells. “It’s mostly technical stuff. It doesn’t contain any state contracts, or even a single mention of the FSB [security service], but there is some data here that’s worth publishing,” says Andrei Soldatov, coauthor of “The Red Web,” a history of the Soviet and Russian internet. But, he adds, “Anything that gets people talking about Russia's capabilities and actions in this area should be seen as a positive development.”
  • Joomla patches eight-year-old critical CMS bug
    Joomla has patched a critical bug which could be used to steal account information and fully compromise website domains. This week, the content management system (CMS) provider issued a security advisory detailing the flaw, which is found in the LDAP authentication plugin. Lightweight Directory Access Protocol (LDAP) is used by Joomla to access directories over TCP/IP. The plugin is integrated with the CMS. Joomla considers the bug a "medium" severity issue, but according to researchers from RIPS Technologies, the problem is closer to a critical status.
  • Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection
    With over 84 million downloads, Joomla! is one of the most popular content management systems in the World Wide Web. It powers about 3.3% of all websites’ content and articles. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla! <= 3.7.5 installation within seconds that uses LDAP for authentication. Joomla! has fixed the vulnerability in the latest version 3.8.

OpenSUSE fonts – The sleeping beauty guide

Pandora’s box of fonts is one of the many ailments of the distro world. As long as we do not have standards, and some rather strict ones at that, we will continue to suffer from bad fonts, bad contrast, bad ergonomics, and in general, settings that are not designed for sustained, prolonged use. It’s a shame, because humans actually use computers to interface with information, to READ text and interpret knowledge using the power of language. It’s the most critical element of the whole thing. OpenSUSE under-delivers on two fonts – anti-aliasing and hinting options that are less than ideal, and then it lacks the necessary font libraries to make a relevant, modern and pleasing desktop for general use. All of this can be easily solved if there’s more attention, love and passion for the end product. After all, don’t you want people to be spending a lot of time interacting, using and enjoying the distro? Hopefully, one day, all this will be ancient history. We will be able to choose any which system and never worry or wonder how our experience is going to be impacted by the choice of drivers, monitors, software frameworks, or even where we live. For the time being, if you intend on using openSUSE, this little guide should help you achieve a better, smoother, higher-quality rendering of fonts on the screen, allowing you to enjoy the truly neat Plasma desktop to the fullest. Oh, in the openSUSE review, I promised we would handle this, and handle it we did! Take care. Read more