TLS Man in the middle

Started by Gregg, November 07, 2009, 08:25:58 AM


Gregg

I find it humorous [not] that we have this layer of encryption yet, as far as I can tell from blog posts I've read about this, we pay no attention to where the connections are actually coming from?

Gregg

Speaking of the TLS Man in the middle, I saw a 2.2.x polished * 2 or 3 rough draft of a patch for this on ze list.

Gregg

Speaking of ... looks like OpenSSL came out sometime today ... funny tarball is dated the 5th

mario

If I remember right there was a discussion in the ASF Dev list. Wasn't it?

Gregg

Yes, I have not seen anything on how well it works, what it may break and stuff like that. OpenSSL 0.9.8L is going about it with the sledgehammer approach by simply disabling renegotiation. So far that seems to be OK for me but I haven't spent too much time testing.


mario


Gregg

I found this interesting down at the bottom of the lead page

For web servers - Attackers (if in the middle) can inject data into a segment that is authenticated to the web server; the web server will merge those requests and process them. (GET requests are trivially exploitable, POST are not known to be)

POST ... seems to me most open and closed source Carts use POST. I however do not do a lot of online shopping/bill paying.

There has been one successful attack against this bug that I know of, but it required a few XSS holes on the server webapp side. Twitter was the one that was attacked and we all know they are full of XSS. The worst thing about the one successful attack is the person was able to get back unencrypted data that was sent. They had it print out onto their Twitter page through the XSS.

I personally wish they would have tried against someone like Amazon, if they could do it there, then I'd be much more concerned. Amazon/Twitter = Apples/Lemons

As such, there is a patch for Apache that is a partial fix. Depending on your configuration, with this patch and openssl <= 0.9.8k you would still be vulnerable. It will be included in 2.2.15. There seems to be no rush to get 2.2.15 out the door now that OpenSSL 0.9.8L has been released.
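A quick way to see which of the OpenSSL ranges mentioned in this thread a host falls into, as an added example (not code from this thread or from the Apache/OpenSSL projects); it assumes the system `openssl` binary is on PATH and takes the version boundaries (<= 0.9.8k still vulnerable, 0.9.8l disables renegotiation) from the post above.

```python
"""Classify a local OpenSSL build against the renegotiation bug discussed in the thread."""
import re
import subprocess

# Version boundaries quoted in the thread: <= 0.9.8k still vulnerable,
# 0.9.8l ships with renegotiation disabled outright.
LAST_VULNERABLE = (0, 9, 8, "k")
RENEG_DISABLED = (0, 9, 8, "l")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn 'OpenSSL 0.9.8k 25 Mar 2009' (or a bare '0.9.8k') into a sortable tuple.

    The patch letter is kept as a string so tuple comparison orders it:
    '' (no letter) sorts before 'a', and 'k' sorts before 'l'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def renegotiation_status(version_text):
    """Map a version string onto the three cases the thread distinguishes."""
    ver = parse_openssl_version(version_text)
    if ver <= LAST_VULNERABLE:
        return "vulnerable: renegotiation still enabled, upgrade"
    if ver == RENEG_DISABLED:
        return "renegotiation disabled (0.9.8l sledgehammer fix)"
    # Anything newer is outside what this thread covers; consult the release notes.
    return "newer than 0.9.8l: not covered by this thread, check release notes"


def local_openssl_status():
    """Run `openssl version` on this host (assumes the binary is on PATH) and classify it."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return renegotiation_status(out)


if __name__ == "__main__":
    print(local_openssl_status())
```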