09/20/2011

say farewell to tls-ssl 1.0 before friday after which it is broken and attacked

https://threatpost.com/en_us/blogs/new-attack-breaks-conf...

they use the Beast which is a man in the middle attack tool against ssl-Tls

they have it installed on a Man in the Middle position (proxy for example - free proxy anyone :))

when someone logs into a bank (for example) he will receive a cookie and than the beast software that is placed on a machine that intercepts all traffic and forwards it does the following

* injects code into the browser by an iframe ad that is on the page (or inserted as for example a pop-up by the man-in-the-middle machine) or by injecting the javascript into the browser directly

* the injected code is a sniffer that will intercept all https traffic and will intercept the encrypted cookies (from the browser)

* he will grab and decrypt the cookie WITHIN the ssl protocol and has that way the login details for that site and as long as the browser isn't closed the attack can take place (working in another tab. And they would need max 5 minutes to decrypt it.

It is a vulnerability in tls 1.0 that has been known since long-time but for which no exploit was available untill now and that is the case with thousands of vulnerabilities that aren't fixed because there is no exploit for the moment

what about your secure webapplications ?

Actually we have worked with browser and SSL vendors since early May, and every single proposed fix is incompatible with some existing SSL applications."
https://threatpost.com/en_us/blogs/new-attack-breaks-conf...

 

okay so let's now get down to earth with practical things

1. For the surfers. Never do other things when you are doing online confidential stuff. Close the browser afterwards immediately. Use the latest version of your software and if you are experienced enough, use noscript and other limitation so that no code can be loaded in your browser. Personally I think it is necessary that browsers develop a 'high secure mode' that will automatically go into high security and will block all things that are not needed to fulfill the ssl sessions. The advantage is also that the secure services can demand that the browsers are set to high-secure mode and with specific updates they can only be updated when you are in high-secure mode.

2. for the webdesigners : it is much better to have a blanco loginpage with no scripts and no ads than a login that is cluttered on the homepage with masses of ads and scripts

3. For the server managers : TLs 1.0 may be nearing its end and so it is time to upgrade to TLs 1.1 which may demand some adaption and upgrades in browsers (although it is not sure if the exploit will NOT work in tls 1.1. that is the friday evening or saturday morning question) many online webservices will break down and will have to be updated, but hey that has been coming since long time. If you want to be futureproof you go for the highest standards only and ask your users to upgrade

and for next week : expect patches, chrome is already patched they say and expect others to follow soon

oh and for the hype : no ssl is NOT broken and yes ssl is still the best solution it is only that one old version of a protocol of tls is broken, but that is evolution and normal, it is only because nobody prepared for this as they should have done that it will ask a revolution (of updates and patches) to find a solution for this for so many webservices and users.

but we have gone through the regeneration ssl attack and the patches (not installed everywhere) so we will survive that one for now

Permalink | |  Print |  Facebook | | | | Pin it! |

Post a comment