Print

Sorry Guest, you are banned from posting and sending personal messages on this forum.

Error: S4296

This ban is not set to expire.

[Gregg]

I find it humorous [not] that we have this layer of encryption yet, as far as I can tell from blog posts I've read about this, we pay no attention to where the connections are actually coming from?

[Gregg]

Speaking of the TLS Man in the middle, I saw a 2.2.x polished * 2 or 3 rough draft of a patch for this on ze list.

[Gregg]

Speaking of ... looks like OpenSSL came out sometime today ... funny tarball is dated the 5th

[mario]

If I remember right there was a discussion in the ASF Dev list. Wasn't it?

[Gregg]

Yes, I have not seen any how well it works, what it may break and stuff like that. OpenSSL 0.9.8L is going about it with the sledgehammer approach by simply disabling renegotiation. So far that seems to be OK for me but I haven't spent to much time testing.

[mario]

I found a how to man in the middle for openssl. How it worked until the patch

http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html

Or the direct link http://www.g-sec.lu/practicaltls.pdf

[Gregg]

I found this interesting down at the bottom of the lead page

For web servers - Attackers (if in the middle) can inject data into a segment that is authenticated to the web server, the web server will merge those requests and process them. (GET requests are trivially exploitable, POST are not known to be)

POST ... seems to me most open and closed source Carts use POST. I however do not do a lot of online shopping/bill paying.

There has been one successful attack against this bug that I know of, but it required a few XSS holes on the server webapp side. Twitter was the one that was attacked and we all know they are full of XSS. The worst thing about the one successful attack is the person was able to get back unencrypted data that was sent. They had it print out onto their Twitter page through the XSS.

I personally wish they would have tried against someone like Amazon, if they could do it there, then I'd be much more concerned. Amazon/Twitter = Apples/Lemons

As such, there is a patch for Apache that is a partial fix. Depending on your configuration, with this patch and openssl <= 0.9.8k you would still be vulnerable. It will be included in 2.2.15. There seems to be no rush to get 2.2.15 out the door now that OpenSSL 0.9.8L has been released.