A few weeks ago a new TLS and SSLv3 renegotiation vulnerability was disclosed, and there’s been a fair bit of confusion around it. When the first reports of the bug hit the wire, my initial impression was that the exploit was too complex to be practical, but as more information comes to light I’m starting to think it’s worth paying attention to. Since every web browser and most other kinds of encrypted Internet connections – such as between mail servers – use TLS or SSLv3 to protect traffic, the potential scope for this is massive.
The problem is that TLS and SSLv3 allow renegotiation outside of an established TLS connection, creating a small window of opportunity for an attacker to sit in the middle and, at a particular phase of a connection, inject arbitrary data. The key bits are that the attacker must be in the middle, and there’s only a specific window for data injection. The encryption itself isn’t cracked, and the attacker can’t read the encrypted data, but the attacker now has a hole to inject something which could allow unanticipated actions, such as sending a command to a web application a user is connected to.
A lot of people are comparing this to Cross Site Request Forgery (CSRF), where a malicious website tricks the browser into doing something on a trusted site the user is logged into, like changing their password. This is a bit similar because we’re injecting something into a trusted connection, but the main differentiator is where the problem lies. CSRF happens way up at the application layer, and to hit it all we need to do is trick the user (or their browser) to get access. This new flaw is at a networking layer, so we have a lot less context or feedback.
For the TLS/SSL attack to work, the attacker has to be within the same local network (broadcast domain) as the victim, because the exploit is at the “transport” layer. This alone decreases the risk significantly right out of the gate.
Is this a viable exploit tactic? Absolutely, but within the bounds of a local network, and within the limits of what you can do with injection. This attack vector is most useful in situations where there is easy access to networks: unsecured WiFi and large network segments that aren’t protected from man in the middle (MITM) attacks. The more significant cause for concern is if you are running an Internet facing web application that is:
- Vulnerable to the TLS/SSL renegotiation vulnerability as described and either…
- Running a web app that doesn’t have any built in application layer protections (anti-CSRF, session state, etc.).
- Running a web app that allows users to store and retrieve things using simple POST requests (such as Twitter).
- Or using TLS/SSLv3 as transport security for something else, such as IMAP/SSL, POP/SSL, or SMTP/TLS…
In those cases, if an attacker can get on the same network as one of your users, they can inject data and potentially cause bad things to happen, possibly even redirecting your user to a new, malicious site. One recent example (since fixed) showed how an attacker could trick Twitter into posting the user’s account credentials.
Currently the draft of the fix binds a renegotiation handshake to a particular already established TLS channel, which closes the hole. Unfortunately, since SSLv3 does not support extensions there is no possible way for a secure renegotiation to happen; thus the death of SSL is nigh, and long live (a fixed) TLS.
Reader interactions
13 Replies to “What the Renegotiation Bug Means to You”
@Meier:
I think what you’ve said above is pretty accurate and does properly frame the risk to most people. Will this mean the death of SSL? I think that conclusion is logical, but reality suggests it’ll linger for a very long time, yet.
One thing I’m not seeing much since the original (way too technical!) details: client certificates.
I’ll grant that the issue with client certificates does not affect your normal anonymous web surfers, but it should get the interest of anything that uses smart cards or embedded authentication via certificates. From my weak understanding of this problem, you can snarf and repurpose those certs if you, again, get into a MITM situation. Stealing auth versus injecting some data is a pretty significant escalation, but to a smaller audience.
Three other thoughts.
1) Injecting something to the client’s browser is one thing, but it does open up the possibility of loading and attacking the client. Then again, if you can plant a payload on the server in the first place….. Also, if you can MITM anyway, why not just strip out SSL in the first place? But, this does allow for injected data into what is otherwise an apparently trusted, encrypted connection: trust breakdown.
2) What happens if/when someone can inject a POST? Things get slightly more interesting there. POST password change?
3) Sounds like a nice feature to add to The Middler and similar tools.
The problem with SSLv2 use is that it still gets turned on by default on *servers.* Even IIS 6 still has it on by default. I’m not sure about IIS 7 or Apache off the top of my head. It takes effort to actually turn that stuff off, even today and no one does it unless they have to (ignorance, not choice).
Still, most modern browsers shouldn’t start at SSLv2, but it should still be disabled anyway so you don’t have a MITM downgrade attack. (Not that I’ve ever really heard of any real attacks to break into SSLv2 connections other than theoretical ones…)
I’ve also recently had to turn off those, “You’re using SSLv2, please upgrade…” messages on my load-balance hardware because of auditors. They tend to just run an SSL scan and if it negotiates, fails the specific check in PCI for, “Don’t use SSLv2.” Despite the fact if you connect you’ll see I’m not really allowing it and telling users to stop using antiquated browsers.
I don’t think I’ve even seen any attempts to use SSLv2 other than testers or myself, in over a year.
In terms of the Ebay connection if you simply send any arbitrary data after that connection you’ll see the error:
HTTP/1.1 500 Internal Server Error
Connection: close
Content-Length: 309
Content-Type: text/html
<html><body>SSL Protocol Alert
The SSL protocol version that your browser uses is SSLv2 and it is not compatible with the server settings.
Please try the following:
– Check the SSL protocol settings on your browser for SSLv3/TLSv1 protocol support and enable the same.
</body></html>closed
…I see your point, some still use it. Why, who knows — especially any banks or even newer startups like Twitter.
I couldn’t get the straight up regular McAfee site to allow SSL, but you may have a different ingress point that you had tried.
So you think Bank of America has ever passed a PCI audit? Wonder who the QSA was? Someone should tell them RC4-MD5 might be weak. 🙂