Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SSL/TLS Vulnerability Details to be Released Friday - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
SSL/TLS Vulnerability Details to be Released Friday

I'm getting a lot of emails asking about articles that ultimately reference this upcoming talk: "BEAST: Surprising crypto attack against HTTPS" (http://ekoparty.org/2011/juliano-rizzo.php)

I don't have any extra details.  Anything that I write now will be unnecessary speculation.  It sounds like it will be interesting; their presentation last year on Padded Oracle Attacks (the crypto Oracle, not the database) certainly was.

 

Kevin Liston

292 Posts
ISC Handler
Juliano Rizzo presents this friday the attack and the tool "Beast" at Ekoparty.

More info here:
https://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091611

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
Anonymous
Yes, those would be the articles. I'd like to postpone any response until we see the actual presentation.

-KL
Kevin Liston

292 Posts
ISC Handler
an older paper that appears to describe this type of attack. I am with Kevin on withholding further discussion until seeing the attack/paper: eprint.iacr.org/2006/…
Johannes

3603 Posts
ISC Handler
So, I just know my boss is going to ask,. "If SSL is dead and TLS is broken, how do we secure our web sites?" I don't have a good answer for him. Thoughts?
RobM

14 Posts
@RobM's boss: we recommend waiting until Friday when there are details to analyze. But if you insist on doing something now, upgrading your servers to support TLS 1.2 couldn't hurt.
Kevin Liston

292 Posts
ISC Handler
Anyone have a link on how to upgrade Apache 2.2 to support TLS 1.2? The apache 2.2 reference here: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol doesn't seem to provide a 1.2 protocol configuration option.
Bob Stangarone

9 Posts
I once attended a demonstration of Zcaler (hosted web filtering service) where they bragged about "breaking SSL on the fly" to monitor for data leak. Am I missing something here? Should the padlock icon be replaced by someone laughing?
Anonymous
Last comment should say "ZScaler" of course
Anonymous
@confused. They are using HTTP inspect, where you are presented a certificate from the device intercepting your request, with some information from the original cert.

Essentially they do a MITM on your SSL traffic. So not breaking the protocol at all.
M
Mark

391 Posts
ISC Handler
openssl doesn't support TLS 1.1 or 1.2. Apache doesn't support TLS 1.1 or 1.2.. the browsers don't TLs 1.1 or 1.2.

This problem has been kept really quiet ... I wonder why


https://bugzilla.mozilla.org/show_bug.cgi?id=565047 – Implement TLS 1.1 (RFC 4346)
https://bugzilla.mozilla.org/show_bug.cgi?id=480514 – Implement support for TLS 1.2 (RFC 5246)
Mark
1 Posts
@Paradiso

Apache (on Unix) is able to do both TLS 1.1 and TLS 1.2 if you are using mod_gnutls instead of mod_ssl (so use GnuTLS instead of OpenSSL). I did some tests a while ago and it worked fine with IE9 and Opera.

On Windows, it may be able to do so out of the box if httpd is linked against the Microsoft crypto APIs. I've seen some entries on SSLLabs, but the server may have been using mod_gnutls too.

As for OpenSSL, the still-to-be-released "stable" 1.0.1 branch (see CVS) does at least TLS 1.1, tested against Nginx 1.0.x. I don't know how complete the implementation is, but it does successfully pass the SSLLabs scan.

Also, see the following thread in the OpenSSL-dev mailing list:

http://www.mail-archive.com/openssl-dev@openssl.org/msg29714.html
Mark
5 Posts
@Steve
I believe windows crypto is tied to the OS version. From comments I've been reading about this they're only present by default on Windows 7+ and Windows Server 2k8. I haven't tried but it's apparently possible to manually install them on Vista but not on XP.
Mark
3 Posts
Well since everyone else is speculating ... This attach seems to be against SSL using a block cipher, such as AES. While that's not good, lots of the web servers I've seen choose RC4 (which is a stream cipher) as their first choice when protecting their SSL traffic. So while disabling AES isn't a great answer (and using it might be a requirement for government sites), RC4 is a great algorithm (secure, fast), very widely adopted, and may not be vulnerable to this attack.
Mark
5 Posts

Sign Up for Free or Log In to start participating in the conversation!