11/09/2009

SSL is not secure anymore - Serious vulnerability identified in v3 & previous versions

A serious vulnerability in SSL v3 and previous versions of SSL protocol has been identified and made public on November 4, 2009.
This makes every SSL site vulnerable to serious man-in-middle (MITM) attacks related to renegotiation.

This vulnerability is due to the design of "session resumption" feature of SSL protocol.

Who Gets affected?


The impact of this issue is potentially significant. below are some points extracted from issue details,
  • This attack has been demonstrated against recent versions of Apache httpd and Microsoft IIS, with a variety of clients.

  • Most existing installations which currently rely on client certificates for authentication appear to be vulnerable.

  • Shared hosting environments which allow untrusted customers served from the same IP to configure any aspect of their encryption parameters appear to be vulnerable.

  • Most or all server applications built on TLS(Transport Layer Security) implementations which honor client-initiated renegotiation are vulnerable.

  • Early research suggests that digital certificates embedded on smart cards are equally vulnerable to the client certificate authentication attacks.


What is a Man-in-the-middle (MITM) Attack?

A man in the middle attack is one in which the attacker intercepts messages in a public key exchange and then retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other.

Though MITM attacks are very common on HTTP, these could also be done over an https connection using the same technique; the only difference consists in the establishment of two independent SSL sessions, one over each TCP connection. The browser sets a SSL connection with the attacker, and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the digital certificate used is not valid, but the user may ignore the warning because he doesn’t understand the threat. In some specific contexts it’s possible that the warning doesn’t appear, as for example, when the Server certificate is compromised by the attacker or when the attacker certificate is signed by a trusted CA and the CN is the same of the original web site.



Below is a simple example of a successful MITM attack in simple terms (extracted from Wikipedia)

Suppose Alice wishes to communicate with Bob. Meanwhile, Mallory wishes to eavesdrop on the conversation, or possibly deliver a false message to Bob


1/ Alice sends a message to Bob, which is intercepted by Mallory
Alice --hi bob, it's alice, give me your key--> Mallory Bob

2/ Mallory relays this message to Bob; Bob can't tell it's not
really from Alice
Alice Mallory --hi bob, it's alice, give me your key--> Bob

3/ Bob responds with his encryption key
Alice Mallory <--ok, here is bob's key:bob's key-- Bob

4/ Mallory replaces bob's key with his own, and relays this to
Alice, claiming that it is Bob's key
Alice <--ok, here is bob's key:MALLORY's key-- Mallory Bob

5/ Alice now encrypts a message with what she believes to
be Bob's key, thinking that only Bob can read it...
Alice --msg encrypted with Mallory's key--> Mallory Bob

6/ However, as it was actually encrypted with Mallory's key,
Mallory can decrypt it, read it, modify it (if desired),
re-encrypt with Bob's key, and forward it to Bob
Alice Mallory --msg encrypted with Bob's key--> Bob

7/ Bob thinks that this message is a secure communication
from Alice.



What is the Solution/Mitigation?

First of all judging from recent experience, it is anticipated that the problem domain will continue to evolve in the coming weeks. Therefore there is no clear fool-proof solution suggested by researchers yet.

Mitigation of the HTTPS client certificate attacks is difficult and involves tradeoffs.

One scenario for mitigation involves web developers reorganizing their sites to strictly separate areas of each site into zones based on their differing requirements for authentication, with zones being served from distinct IP addresses. One can imagine the high costs of such a transition, although there are ways to partially or fully automate this separation.

Other mitigations involve protocol changes, but again, they generally have their own issues.In some cases, compatibility with old client software is broken completely.

The right long-term solution to the renegotiation problem involves a much more careful binding between TLS(Transport Layer Security) and upper protocol layers. This could be handled in a variety of ways, including breaking and backwards-compatible changes.

Some Helpful References & Resources

4 comments:

  1. So does this mean we dont have any fix for this problem yet?

    What happens to the credit card transactions which are happening over SSL?

    Is there any guideline developers and users can follow to be safe?

    ReplyDelete
  2. @Dave

    1. I dont think there is a long term fix available for this at this point in time.

    2. As I mentioned in the post, credit card transactions use certificate based approach and if you are doing a transaction on Internet by accepting a unknown or self signed certificate then your card may be at risk.

    3. The PDF in the references has some tips for developers. It talks about directory based approach for a web app where your secure content is on a separate directory or a separate IP address itself.

    ReplyDelete
  3. On episode 223 of Security Now ( twit.tv/sn233 )
    They talked about this issue. It's a very insightful show. During the show Steve Gibson mentioned a proposed fix.

    ReplyDelete
  4. Test comment, feel free to delete — it's that darn Firefox-Blogger issue thing…

    ReplyDelete

Got something to say? Don't hold it! Tell it to us.

You Might Like

.....