On November 5th a new vulnerability was disclosed in SSL. The vulnerability could allow man-in-the-middle attacks that could compromise sensitive information.
All applications of SSL require a patch to close this authentication vulnerability. Because SSL is essential to on-line shopping this is of more than trivial interest to on-line merchants. The status of patching efforts is being monitored here.
SSL has been around for over 13 years so it is more than a little disturbing to discover a significant vulnerability. It raises the question as the whether this was discovered by someone long ago but not disclosed.
Exploits of the vulnerability have been posted. See SSL at risk (again), this time Twitter is the first target by Sean Michael Kerner at Internetnews.com. He writes:
SSL is of critical importance to all web users as the most commonly used method for securing websites. There is now a new publicly posted exploit technique available for SSL that takes advantage of a renegotiation flaw with TLS DEFINE:TLS>.
As a proof of concept, security researcher Anil Kurmas has blogged about how TLS/SSL renegotiation can be used to exploit Twitter's HTTPS (that is SSL secured) API."All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website, and CSRF protections do not apply here," Kurmas wrote.This is extremely serious and in my opinion represents perhaps the single biggest threat to the integrity of the Internet today. Without SSL, ecommerce becomes insecure and the vast majority of the web's population cannot login securely to any website.
Network World reports on yet another exploit: Security pro says new SSL attack can hit many sites:
Frank Heidt, CEO of Leviathan Security Group, says his "generic" proof-of-concept code could be used to attack a variety of Web sites. While the attack is extremely difficult to pull off -- the hacker would first have to first pull off a man-in-the-middle attack, running code that compromises the victim's network -- it could have devastating consequences.
This latest attack shows that the flaw could be used to steal all sorts of sensitive information from secure Web sites, Heidt said.
Because SSL, and its replacement standard, TLS, are used in a wide range of Internet technologies the bug has far-reaching implications.
Thierry Zoller, a security consultant with G-Sec, says that theoretically, the flaw could be used to attack mail servers. "An attacker can potentially highjack mails sent over secured SMTP [Simple Mail Transfer Protocol] connections, even if they are authenticated by a private certificate," he said in an instant message interview.Zoller, who has not seen Leviathan's code, said that if the attack works as advertised, it will be just a matter of days before someone else figures out how to do it.
At this time patch implementations are not complete - so the Internet is vulnerable. It highlights what we already know: SSL alone is not adequate. Dan Kaminsky and others have noted that SSL is not secure without DNSSEC. DNSSEC is a complementary protection to SSL and both are needed if we are to have a secure Internet.
Comments