Re: [TLS] TLS renegotiation issue

Michael D'Errico <mike-list@pobox.com> Thu, 05 November 2009 18:49 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1CDAC3A68E0 for <tls@core3.amsl.com>; Thu, 5 Nov 2009 10:49:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.582
X-Spam-Level:
X-Spam-Status: No, score=-2.582 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uIvT+QH2rVtn for <tls@core3.amsl.com>; Thu, 5 Nov 2009 10:49:27 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-quonix.pobox.com [208.72.237.25]) by core3.amsl.com (Postfix) with ESMTP id 14D8C3A63EB for <tls@ietf.org>; Thu, 5 Nov 2009 10:49:26 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 361677525F; Thu, 5 Nov 2009 13:49:49 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=Q3IZ0M3oM+R2 gncw8iXz3UPIo+4=; b=In9oLdQ7tyglRUsmB3MGjui3DBhK3bODuFk0vCALPj1B x9zButpgaArniNPgJgGs/LHK7gYx+F+ZXafOa2DMuPQA6Hel6IonUawn/K1Z1h2h +uottO+nMiNpr5e91sxcscT/oIjePQHnXZzrKuYmKJXUQRqkjpRh05YFf6kb/Og=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=FvBbCn ZiDRf6vjtM7b4Nslit0wEJ/WkvMKlYRsDALSALy+ZymSBUwNt7UmMQc9FZnBvr9m sV94tShOqbTyRAVpwrhe8k5pEvSQAvVvECN5SRYHzgCmN+1m1XLSzOUeeHTZJhxn SoPnl6aBQOBAR6aqZZgJJzDqXciuBP5VL4kDE=
Received: from a-pb-sasl-quonix. (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 2583B7525E; Thu, 5 Nov 2009 13:49:48 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPSA id 3ABB17525C; Thu, 5 Nov 2009 13:49:46 -0500 (EST)
Message-ID: <4AF31E77.4010602@pobox.com>
Date: Thu, 05 Nov 2009 10:50:31 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Marsh Ray <marsh@extendedsubset.com>
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3@rtfm.com> <054CC553-7D2E-435E-ADE3-4FBE7B2DB3F8@rtfm.com> <4AF24942.2090809@extendedsubset.com>
In-Reply-To: <4AF24942.2090809@extendedsubset.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: FE03A996-CA3B-11DE-AB18-1B12EE7EF46B-38729857!a-pb-sasl-quonix.pobox.com
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS renegotiation issue
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2009 18:49:28 -0000

Excerpt from the PDF:

 > char *req =
 >   "GET /highsecurity/index.html HTTP/1.1\r\n"
 >   "Host: example.com\r\n"
 >   "Connection: keep-alive\r\n"
 >   "\r\n"
 >   "GET /evil/doEvil.php?evilStuff=here HTTP/1.1\r\n"
 >   "Host: example.com\r\n"
 >   "Connection: close\r\n"
 >   "X-ignore-what-comes-next: ";

The attack works because the last line is unterminated to effectively
comment out the client's GET request.

A possible counter to this attack is for the client to send two
CRLF's prior to its actual request.  This will separate the evil
request from the actual one containing the Cookie.  RFC 2616
prohibits this, but suggests that HTTP servers ignore extraneous
CRLF's due to buggy HTTP/1.0 clients.  In practice, HTTP servers
I've tested ignore them.

Mike



Marsh Ray wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Just out:
> 
> http://extendedsubset.com/?p=8
> 
> 
> Eric Rescorla wrote:
>> I should also mention his colleague from phonefactor, steve dispensa. 
> 
> And I should mention that EKR, as well as some others who frequent this
> group, have been invaluable in this process so far.
> 
> I should mention it, but I didn't because I've deliberately left out
> names where I didn't have a chance to touch base with the person first.
> 
> Anyway, I hope this info proves to be valuable and timely for the
> Hiroshima meeting.
> 
> By the way, I'm available if I can help answer questions on this list,
> on the phone, or direct email marsh@extendedsubset.com .
> 
> - - Marsh
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> 
> iEYEARECAAYFAkrySUAACgkQWChJ3x422/KR/gCfcoAZMgD4RsXVUtLinCSDYWnk
> 14YAnAmtQWE64+61Z0y5ioh/NM1DoPyz
> =YVva
> -----END PGP SIGNATURE-----