Re: [TLS] TLS or HTTP issue?

Marsh Ray <marsh@extendedsubset.com> Fri, 06 November 2009 18:02 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B80C13A6944 for <tls@core3.amsl.com>; Fri, 6 Nov 2009 10:02:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.155
X-Spam-Level:
X-Spam-Status: No, score=-2.155 tagged_above=-999 required=5 tests=[AWL=0.444, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ASlKuBZR5NQt for <tls@core3.amsl.com>; Fri, 6 Nov 2009 10:02:30 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 50B5A3A68F5 for <tls@ietf.org>; Fri, 6 Nov 2009 10:02:30 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1N6T9B-0002GQ-It for tls@ietf.org; Fri, 06 Nov 2009 18:02:53 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 9553B667B for <tls@ietf.org>; Fri, 6 Nov 2009 18:02:52 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX180QPzzGy1cqTK4tE/5hRhFFFYiBQL0ZUM=
Message-ID: <4AF464CC.7000800@extendedsubset.com>
Date: Fri, 06 Nov 2009 12:02:52 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3@rtfm.com> <4AF33D07.7040100@gnutls.org> <20091106172323.GY1105@Sun.COM> <20091106174924.GL19125@gradx.cs.jhu.edu>
In-Reply-To: <20091106174924.GL19125@gradx.cs.jhu.edu>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] TLS or HTTP issue?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Nov 2009 18:02:32 -0000

Nathaniel W Filardo wrote:
> Forgive me if I'm mistaken, but as far as I understand (one of) the
> attack(s), it relies on an application protocol (e.g. HTTP) request being
> 'fragmented' across the renegotiation (thus the need for, in HTTP, the
> attacker-provided X-Swallow-This: header to absorb the client's GET)...

I expect there will be others (far more skilled than I in the art of
HTTP abuse) improving on that in the coming days. Steve and I just
developed a few examples to demonstrate the severity of the problem.

This capability has been characterized as a "blind plaintext prefix
injection attack". I don't think many protocols have been designed to be
resilient against that kind of thing, those that are not vulnerable are
that way by accident. HTTP is particularly susceptible, but I'm sure
many more protocols will be found to be exploitable.

- Marsh