Links

Ben Laurie blathering


SSL MitM Attack, Part 2

A lot can happen in a day. Yesterday the news broke that SSL was compromised. We immediately (OK, it took about 10 hours) released a new version of OpenSSL, 0.9.8l, which mitigates the problem by completely disabling renegotiation. Obviously this will break some sites, and so is not a full fix, so the next step is to implement Eric Rescorla’s TLS extension. However, before I get on with that, it seems I have a few questions to answer.

Firstly, I must thank the anonymous poster who said “OpenSSL is written by monkeys”. But dude, you should’ve included the link. I’ve been meaning to link to that for ages. Well, days.

Secondly, as Marsh said, there is a better answer for people who need renegotiation. This is the extension mentioned above. It won’t work unless clients also implement that, but we are working on that, too (and clearly any client that uses OpenSSL will get it for free as soon as I get the next version out).

To the bloke who asked about ISA and OWA: I have no idea what either of those are.

Does this affect SGC (Server-Gated Cryptography)? I don’t actually know. I think it does, because I think SGC uses renegotiation, but I am not sure. If anyone knows, comment!

To the “but this is just XSRF” (Cross-site request forgery) guy:

  • XSRF does not give the attacker control over headers.
  • Your attack didn’t work on me: I didn’t click the link.
  • HTTP is not the only protocol that uses SSL.

Though the fact that this attack doesn’t actually make HTTP much worse is a pretty damning indictment of HTTP (and HTML)!

Will this patch break session resumption? No – and nor will the 0.9.8l release, which does the same thing more elaborately and correctly.

Finally, even once we’ve implement the extension it seems to me this is not really the true fix – really applications should be aware of renegotiations and not carry trust across their boundaries. But more on that later, I’ve got code to write.

8 Comments

  1. Since when does CSRF require clicking on links? All I need is for your browser to render out the image tag that I insert into some straight-HTTP connection that I MITM, or I can insert JS if I really want POST data.

    And are there any other protocols that use SSL which are vulnerable to this particular corner case?

    Comment by Clement — 6 Nov 2009 @ 13:53

  2. “Though the fact that this attack doesn’t actually make HTTP much worse is a pretty damning indictment of HTTP (and HTML)!”

    what does that even mean? please explain how any of what you were just talking about is an indictment of HTTP..

    Comment by Mike — 6 Nov 2009 @ 15:21

  3. I just want to say this because you’re probably mostly hearing people bitching right now: You rock. OpenSSL is a really important piece of software, and I really appreciate the work you and the rest of the team do to make it work.

    Comment by Benson — 6 Nov 2009 @ 18:42

  4. Thanks for confirming that session resumption is not affected by this patch.

    More of an implementation question, are we vulnerable if the attacker hijacks the client’s session resumption handshakes instead of the initial one?
    Does OpenSSL mandate a ClientHello.session_id check against the existing session’s, or does it blindly retrieve the master secret based on the
    ClientHello.session_id?

    Comment by Alex Lam — 6 Nov 2009 @ 20:38

  5. i’m guessing that the guy referring to ISA and OWA are referring to Microsoft Internet Security & Acceleration Server and Microsoft Outlook Web Access.

    Comment by m — 6 Nov 2009 @ 22:05

  6. https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt

    What irony that it takes three clicks to dismiss the silly dialog telling me that the connection is insecure (which I did pretty much on autopilot, given that broken certs are so common).

    Incidentally, the attacker can have control over some headers in some CSRF attacks. The restrictions are complicated.

    Comment by David-Sarah Hopwood — 7 Nov 2009 @ 5:10

  7. do you have a defence to the mopnkey comment?

    Comment by Pat — 9 Nov 2009 @ 10:27

  8. [...] SSL MitM Attack, Part 2 [...]

    Pingback by securitywhispers » Blog Archive » Coverage story of TLS blind prefix injection attack — 10 Nov 2009 @ 13:48

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress