The Apache Haus Forum

Advanced search  

News:

Welcome to Apache Haus Distribution Forum

Pages: [1]   Go Down

Author Topic: TLS Man in the middle  (Read 4043 times)

Gregg

  • Administrator
  • Member Elite
  • *****
  • Offline Offline
  • Posts: 842
TLS Man in the middle
« on: November 07, 2009, 08:25:58 AM »

I find it humorous [not] that we have this layer of encryption yet, as far as I can tell from blog posts I've read about this, we pay no attention to where the connections are actually coming from?
Logged

Gregg

  • Administrator
  • Member Elite
  • *****
  • Offline Offline
  • Posts: 842
Re: TLS Man in the middle
« Reply #1 on: November 07, 2009, 08:28:36 AM »

Speaking of the TLS Man in the middle, I saw a 2.2.x polished * 2 or 3 rough draft of a patch for this on ze list.
Logged

Gregg

  • Administrator
  • Member Elite
  • *****
  • Offline Offline
  • Posts: 842
Re: TLS Man in the middle
« Reply #2 on: November 07, 2009, 10:12:25 AM »

Speaking of ... looks like OpenSSL came out sometime today ... funny tarball is dated the 5th
Logged

mario

  • Administrator
  • Member Elite
  • *****
  • Offline Offline
  • Posts: 582
Re: TLS Man in the middle
« Reply #3 on: November 07, 2009, 03:09:14 PM »

If I remember right there was a discussion in the ASF Dev list. Wasn't it?
Logged

Gregg

  • Administrator
  • Member Elite
  • *****
  • Offline Offline
  • Posts: 842
Re: TLS Man in the middle
« Reply #4 on: November 07, 2009, 08:32:01 PM »

Yes, I have not seen any how well it works, what it may break and stuff like that. OpenSSL 0.9.8L is going about it with the sledgehammer approach by simply disabling renegotiation. So far that seems to be OK for me but I haven't spent to much time testing.

Logged

mario

  • Administrator
  • Member Elite
  • *****
  • Offline Offline
  • Posts: 582
Re: TLS Man in the middle
« Reply #5 on: November 21, 2009, 01:28:45 PM »

I found a how to man in the middle for openssl. How it worked until the patch

http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html

Or the direct link http://www.g-sec.lu/practicaltls.pdf
Logged

Gregg

  • Administrator
  • Member Elite
  • *****
  • Offline Offline
  • Posts: 842
Re: TLS Man in the middle
« Reply #6 on: November 21, 2009, 10:28:09 PM »

I found this interesting down at the bottom of the lead page

For web servers - Attackers (if in the middle) can inject data into a segment that is authenticated to the web server, the web server will merge those requests and process them. (GET requests are trivially exploitable, POST are not known to be)

POST ... seems to me most open and closed source Carts use POST. I however do not do a lot of online shopping/bill paying.

There has been one successful attack against this bug that I know of, but it required a few XSS holes on the server webapp side. Twitter was the one that was attacked and we all know they are full of XSS. The worst thing about the one successful attack is the person was able to get back unencrypted data that was sent. They had it print out onto their Twitter page through the XSS.

I personally wish they would have tried against someone like Amazon, if they could do it there, then I'd be much more concerned. Amazon/Twitter = Apples/Lemons

As such, there is a patch for Apache that is a partial fix. Depending on your configuration, with this patch and openssl <= 0.9.8k you would still be vulnerable. It will be included in 2.2.15. There seems to be no rush to get 2.2.15 out the door now that OpenSSL 0.9.8L has been released.

Logged
Pages: [1]   Go Up
 

Sitemap 1 2 3 4 5 6 7 8 9 10 11 12 13