Zero-day flaw found in Web encryption

A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt Web pages, has been made public.

Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for Web transactions.

Ray, who works with Dispensa at two-factor authentication company PhoneFactor, explained in a blog post this week that he had initially discovered the flaw in August and demonstrated a working exploit to Dispensa at the beginning of September.

Read more of "Zero-day flaw found in web encryption" at ZDNet UK.

[Random_Walk]

TLS is also used in email server-to-server encryption.

On the Windows side, SSL is used in Active Directory Federation Services (not for AD itself, mind, but for "secure" DMZ-like services where Active Directory functions are needed), Exchange OWA, and lots of other bits.

BTW - is it actively being exploited by the black hats, or are we just chucking around the "zero day" term indiscriminately now?

[Michichael]

Somebody forgot their </strong> in the article! :P

[Jon Skillings]

The strong/bold coding has been fixed. Sorry for all the boldface type!

[dhavleak]

@ Random Walk

That was an absolutely disgusting attempt at FUD. What was your purpose in pointing out any MS products that use SSL?

SSL is used for secure connections between parties internet-wide. It's like somebody finding a flaw in the TCP/IP protocol and you pointing out the MS products that use it. Stop trying to spread FUD by association.

[bananaphonerules]

@Random Walk
Who doesn't use SSL or TLS? Why point out Microsoft?

PS. i found most recent (last 5 years) MS products using TLS for server communications. Clients still use SSL alot (regardless of platofmr; MAC, Windows, Linux...even the iPhone).

[Michichael]

Ok, unless I'm missing something here... I don't see anything new. This technique has been around for AGES. MITM works because it sees everything you see - and acts as either the server or client. Doesn't matter how complicated the key is if you give it to somebody else before giving it to that person, and guess what kids, that's how the internet works.

Let me put into perspective what they're claiming: You go to the bank to open your safe deposit box. The Bank Manager is standing between you and the safe deposit box. You give the manager your key, he uses it on the safe deposit box to make sure they match, then gives the box and matching key to you. (not really how that happens but you get the picture). You can now open it.

In a MITM, the manager isn't trustworthy and makes a copy of the key (hard to do IRL, easy to do with invisible data).

This would only be an actual exploit if, I don't know, you could break into an already authenticated session after the handshakes. SSL passthrough MITM is nothing new, nothing special. If you want to fix that you need to changes how the internet works because all data, including certificates, is transmitted from client to host without encryption until that handshake occurs. If that gets passed through a rogue doing SSL passthrough and watching the traffic, then there's nothing you can really do about it because it'll get to see everything you see, including the certificates. It can then decrypt the data.

[weixiong100]

I think you are the one don't know how certificates and tls work. tls is designed that such even the middle person see the whole traffic, he/she cannot decrypt the data you are sending. By the way, knowing the certificates does not tell you anything. It is supposed to be open information anyway. Next time, know what you are saying before posting.

[JoeF2]

You ARE missing something... Try reading the paper...
This problem has to do with channel renegotiation, e.g., when going to a specific URL that requires client authentication. And it indeed allows plain text injection into an authenticated session, since the authentication is renegotiated.

[Michichael]

Hmm....

[dhavleak]

@ Michichael -- I can try to explain a public key exchange in the simplest way possible -- the SSL protocol is quite a bit more elaborate of course, but this should explain how a key exchange is possible between two entities with an eavesdropper watching the whole conversation, but unable to use that for an MITM attack.

You have the following:
- a Server S with a public - private key pair - Spub and Spri
- a (randomly generated) symmetric key (K) used to encrypt the data for your secure session
- K is what we need to keep secret. As long as K is secret, your data remains safe.
- content encrypted with Spub can only be decrypted using Spri

Now, imagine the following sequence:
1. Client requests a secure session from the server
2. Server responds by sending across it's public key (Spub)
4. Client generates a random symmetric key (K) to use for this session
5. Client encrypts K using Spub (lets call this result K-Spub)
6. Client sends K-Spub back to the server
7. Server uses Spri to decrypt K-Spub (so now the server knows K)
8. Client and server encrypt everything using K for the rest of the session
9. Anybody who intercepted the entire conversation cannot know K (because they didn't know S-Pub)

I've left out a lot of stuff -- there are tons of attack vectors left open in that explanation (for example, how does the client know that the correct server is responding with it's Spub as opposed to an MITM. How does the server know it's the original client as opposed to an MITM. But using this technique and digital signatures you can add layers to address these questions, until you get to the final protocol.

[pjk0]

This looks like a pretty big deal, as SSL and TLS (as a protocol - not a specific implementation) were pretty much free of any major security issues for a pretty long time.

I was also glad to see that they did the right thing by contacting and working with major affected vendors prior to publishing this. So while there may not be a quick/easy fix, at least they didn't go completely for the quick glory and catch everyone by surprise with this.

WIll be interesting to see how this progresses.

[Lerianis3]

True..... this is going to hurt online banking, merchants, etc. quite a bit if it doesn't have an easy fix, which it apparently doesn't.
Oh, and most times, they do NOT 'go for the quick glory'. When businesses say that someone has, they are usually being facetious because they were told months or weeks ahead of the 'open announcement' that these problems were there and to fix them.

[JoeF2]

"this is going to hurt online banking, merchants, etc. quite a bit"

No, it is not. They don't use client authentication (you don't need to have a certificate to do online banking, only your bank has a certificate), so they don't need renegotiation.
Client auth is used more in things like Web services.

[sam99999999]

@JoeF2 You're exactly right. This vulnerability affects services like the ones Adobe Live Cycle Rights Management offers that purport to authenticate users before decrypting cloud-based documents. So it's still a fairly serious issue, but mostly affects corporations rather than consumers doing online banking.

[laudk]

@dhavleak

I'm sure you meant (because they didn't know SPri) and not
"(because they didn't know S-Pub)" ?

[networksniff]

i make sure this public intentions could really make more use of flaws to rebuild a stuff in elite manner.
As TSL,SSL flaws could take back eCommerce biz to early man acts.So need to act up on this for many more reasons.

sekhar
networksniff[dot]com