Re: [TLS] MITM attack on delayed TLS-client auth through renegotiation

Marsh Ray <marsh@extendedsubset.com> Wed, 04 November 2009 22:13 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8FDE23A68B3 for <tls@core3.amsl.com>; Wed, 4 Nov 2009 14:13:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.283
X-Spam-Level:
X-Spam-Status: No, score=-0.283 tagged_above=-999 required=5 tests=[AWL=2.317, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WtNo6Ilk6cYy for <tls@core3.amsl.com>; Wed, 4 Nov 2009 14:13:24 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 9DC9F3A688D for <tls@ietf.org>; Wed, 4 Nov 2009 14:13:24 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1N5o6s-000DG5-7Q for tls@ietf.org; Wed, 04 Nov 2009 22:13:46 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 36AAD6674 for <tls@ietf.org>; Wed, 4 Nov 2009 22:13:45 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+QxlZ3re26BRwjx9H9aTGUYmSPS3ctKGo=
Message-ID: <4AF1FC99.3040204@extendedsubset.com>
Date: Wed, 04 Nov 2009 16:13:45 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: tls@ietf.org
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] MITM attack on delayed TLS-client auth through renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2009 22:13:51 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello TLS,

I can confirm the severity of the TLS MITM bug. I've had a working
exploit going since the end of August.

Steve Dispensa and myself put together (with help of many of course) an
industry working group to address it. I think we were successful in
producing a preliminary fix, which vendors are in various stages of
testing and deployment.

We'd agreed to responsibly delay disclosure to give the industry time to
coordinate the fix. I've watched with excitement as the TLS Channel
Binding work uncovered it. Kudos to Martin Rex for his description of
the basic problem.

I'll be putting the bulk of our research to this point on my blog this
afternoon.
http://extendedsubset.com/
This will include documentation, diagrams, packet captures...pretty much
everything short of exploit code.

I suspect that some relevant industry groups will be releasing some
information.

Also, the company I work at, PhoneFactor, will probably be doing some
type of informational release soon.

Regards,

Marsh Ray
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkrx/JgACgkQWChJ3x422/LxfwCeKc/UegM9/HSdtv8ymCDnNeOd
SI8AnAnVLgwht3K21aHSlAUrjow5QPh+
=dMtp
-----END PGP SIGNATURE-----