stopthehacker.com » man in the middle http://www.stopthehacker.com Jaal, LLC Sat, 04 Feb 2012 01:14:51 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 New SSL Issues = New SSL Attacks http://www.stopthehacker.com/2009/11/23/new-ssl-issues-new-ssl-attacks/ http://www.stopthehacker.com/2009/11/23/new-ssl-issues-new-ssl-attacks/#comments Mon, 23 Nov 2009 22:48:28 +0000 admin http://www.stopthehacker.com/?p=649 You might remember the article I wrote a couple of weeks back regarding the then recently found vulnerabilities of SSL 3.0 (TLS 1.0). Well, things just got real.

At the time, some researchers even went so far as to say that the vulnerability was only theoretical! Too theoretical to even worry about. The attack is described in detail:

It appears that the popular micro-blogging site Twitter first fell victim to the attack. The Register has the full story:

Now that the attack is in the wild, where are the patches?

At the time of publishing, here is where everyone is:

Open SSL

  • Workaround – Removes Renegotiation (OpenSSL 0.9.8l): Limited Public Availability
  • Fix (OpenSSL 0.9.8m): Code Undergoing Initial Testing

Microsoft

  • IIS, SChannel, Internet Explorer: Interoperability Testing in Progress
  • IIS6 and 7: Not Vulnerable to Client-Initiated Renegotiation

Cisco

  • Vulnerable Products: Code Undergoing Initial Testing

F5

  • Workaround – Disables Renegotiation: Limited Public Availability
  • Fix: Code Undergoing Initial Testing

NSS (Mozilla/Firefox)

  • TLS protocol fix: Interoperability Testing in Progress

Sun

  • Vulnerable Products: Code Undergoing Initial Testing

GNU TLS

  • Fix: Code Undergoing Initial Testing
  • Most Applications Are Not Affected

RSA

  • Vulnerable Products: Interoperability Testing in Progress/Limited Public Availability

Opera

  • Fix: Code Undergoing Initial Testing

For more information and updates:

]]> http://www.stopthehacker.com/2009/11/23/new-ssl-issues-new-ssl-attacks/feed/ 0 New Security Issues come to light with SSL 3.0 http://www.stopthehacker.com/2009/11/05/new-security-issues-come-to-light-with-ssl-3-0/ http://www.stopthehacker.com/2009/11/05/new-security-issues-come-to-light-with-ssl-3-0/#comments Thu, 05 Nov 2009 23:46:52 +0000 admin http://www.stopthehacker.com/?p=259 New SSL Security Issues: A vulnerability allowing hijacking of an already connected SSL 3.0 (TLS 1.0) sessions has been disclosed.

SSL technology provides an end-to-end secure communications tunnel used most commonly by the HTTPS protocol. This, most recent, vulnerability allows an attacker to insert text of their choice into the data-stream, even after the secure handshake has occurred. This is another security gap created by the standard’s renegotiation process that is intended to allow a new SSL connection to be established over an already connected SSL session.

SSL renegotiation is most useful in the following situations: when client authentication is required, to use a different set of encryption and decryption keys, or when the server wants to switch encryption or hashing algorithms. For now, some patches have been made available that disable this functionality completely in order to avoid the vulnerability.

It will probably be a few weeks until patches including a reworked renegotiation mechanism appear. Most importantly, a fix has been in the works (by most browser vendors) but it won’t be out until the respective vendors finish their work. So, don’t depend on SSL until your browser is patched.

More Information:

]]> http://www.stopthehacker.com/2009/11/05/new-security-issues-come-to-light-with-ssl-3-0/feed/ 0