Share
A vulnerability in the SSL protocol is causing a bit of stir after it was discovered that the flaw would allow an attacker to inject themselves into the authenticated SSL communications path and execute commands. Compounding the issue is the fact that once the attack has started, both the server and the browser generally have no idea that their session has been hijacked.
SSL flaw allows man-in-the-middle attacks.
Two researchers, Marsh Ray and Steve Dispensa of PhoneFactor, which we’ve profiled recently, as well as an independent researcher, Martin Rex from the IETF, discovered a vulnerability in the SSL protocol that allows a man-in-the-middle attack, which if exploited could leave businesses and end users exposed to any number of malicious attacks.
News of the vulnerability broke when Rex independently discovered the issue and posted it to an IETF mailing list on November 4th. Word quickly spread through the IT security community.
Before that, the PhoneFactor team got the ball rolling on a resolution and organized a working group of affected vendors, together with representatives from various standards committees. They reached a consensus on how to address the underlying issue and patch the SSL libraries. They also created a set of recommended methods for mitigating the vulnerability. The vulnerability results from a weakness in the SSL protocol standard (formally known as Transport Layer Security, or TLS). As such, most SSL implementations are vulnerable in one way or another. Affected scenarios include web surfers doing online banking, back-office systems using web services-based protocols, and non-HTTP applications such as some mail servers, database servers, and so on.
“In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities. In particular, practical attacks against HTTPS client certificate authentication have been demonstrated against recent versions of both Microsoft IIS and Apache httpd on a variety of platforms and in conjunction with a variety of client applications. Cases not involving client certificates have been demonstrated as well,” Ray and Dispensa note.
Moreover, although this research has focused on the implications specifically for HTTP as the application protocol, the PhoneFactor duo said, the research is ongoing and many of these attacks are expected to generalize well to other protocols layered on TLS.
“Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching,” said Steve Dispensa, CTO of PhoneFactor. “All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.”
“The discovery of this vulnerability speaks to a larger issue with single channel authentication protocols. While this vulnerability is larger in scope than many, man-in-the-middle attacks have been a known threat for some time. Out-of-band protocols should be considered when possible to help mitigate the risk of these attacks.”
More information can be located below:
http://extendedsubset.com/?p=8http://www.phonefactor.com/sslgap/
IETF: http://www.ietf.org/mail-archive/web/tls/current/msg03928.html
Chris Paget’s write up: http://www.tombom.co.uk/blog/?p=85
The Tech Herald: PhoneFactor – a free twist to two-factor authentication
Interested in a more interactive TTH? Join our Facebook Group Want regular updates from The Tech Herald? Follow us on Twitter
Advertising
Comment on this Story