Re: [TLS] Rizzo claims implementation attach, should be interesting
Marsh Ray <marsh@extendedsubset.com> Tue, 20 September 2011 02:28 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B963721F8AE1 for <tls@ietfa.amsl.com>; Mon, 19 Sep 2011 19:28:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.578
X-Spam-Level:
X-Spam-Status: No, score=-2.578 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lGGbyIDufYva for <tls@ietfa.amsl.com>; Mon, 19 Sep 2011 19:28:56 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-04-ewr.mailhop.org [204.13.248.74]) by ietfa.amsl.com (Postfix) with ESMTP id C8D7E21F8ADC for <tls@ietf.org>; Mon, 19 Sep 2011 19:28:56 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.72) (envelope-from <marsh@extendedsubset.com>) id 1R5q7F-0007Hf-0d; Tue, 20 Sep 2011 02:31:21 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 7816D606C; Tue, 20 Sep 2011 02:31:18 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18iKor3Ez4FZEQqq4ENuFSZPmQdsg5iMVw=
Message-ID: <4E77FAF6.90707@extendedsubset.com>
Date: Mon, 19 Sep 2011 21:31:18 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.21) Gecko/20110831 Thunderbird/3.1.13
MIME-Version: 1.0
To: mrex@sap.com
References: <201109200053.p8K0r5Pv012913@fs4113.wdf.sap.corp>
In-Reply-To: <201109200053.p8K0r5Pv012913@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Steingruebl Andy <asteingruebl@paypal-inc.com>, tls@ietf.org
Subject: Re: [TLS] Rizzo claims implementation attach, should be interesting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2011 02:28:57 -0000
On 09/19/2011 07:53 PM, Martin Rex wrote: > > It seem to be a huge hype an exxageration of the problem. > There is *no* problem in SSLv3 or TLSv1.0. This particular attack > is a very clear "Man-in-the-Browser" attack enabled solely by the > entirely braindead (lack-of) security in common Web Browsers. > > Since the attack happens entirely at the browser, it should IMHO > the browser's duty to fix this. Last I checked, the TLS RFC stated explicitly that the protocol defended explicitly against man-in-the-middle attacks. It did not say it defended against "blockwise-adaptive chosen-plaintext" attacks. But why split hairs over it? It breaks a basic security properties of the system even if the application designer has done everything according to the recommendations in the spec. Since when did "trusted script only" in the application become a requirement for transport layer security? > Potential server-side mitigation of the problem: > > - disable HTTP request pipelining (aka Connect: keep-alive) Expensive. > - avoid CBC-based cipher suites (at least when SSLv3 or TLSv1.0 > is negotiated), and use RC4-128 instead. Does TLS's use of RC4 still take the first bytes after initialization with the key? Or does it discard the proper amount? I believe there was a mitigation put in place by OpenSSL: sending an empty (just padding) message before each app data message. The document at eprint.iacr.org/2006/136 suggests that this could be a server-side only change. I don't see how that would work since the session cookie recovery attack is clearly happening on the client->server channel. I read somewhere that this mitigation was off by default in OpenSSL because it some software (an old MSIE IIRC). Does anyone believe there would be support for a TLS 1.0 Hello extension that could compatibly negotiate the use of empty messages in each direction as a mitigation for this attack? I've not been told the details of Duong and Rizzo's attack and haven't seen "the BEAST" in action yet, so I'm not sure if that would be sufficient to fix CBC in TLS 1.0. I am slightly annoyed at these guys for dribbling out the information one hint at a time like this. - Marsh
- Re: [TLS] Rizzo claims implementation attach, sho… David Wagner
- [TLS] Rizzo claims implementation attach, should … Tim Dierks
- Re: [TLS] Rizzo claims implementation attach, sho… Peter Gutmann
- Re: [TLS] Rizzo claims implementation attach, sho… =JeffH
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Steingruebl, Andy
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Yoav Nir
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Yoav Nir
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Phillip Hallam-Baker
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Geoffrey Keating
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… =JeffH
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Yngve N. Pettersen
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Yngve N. Pettersen
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Yoav Nir