09/29/2011

ssl tsl 1.0 attack - facts and details that matter

First the targeted website should have a xss vulnerability (so for those thinking that xss vulnerabilities are just stupid mistakes that shouldn't be taken seriously, it is proven again that every vulnerability can become a big vulnerability if it is combined with other 'small' vulnerabilities or mistakes). Eliminating the xss vulnerability makes it harder for this kind of exploit, but maybe other ways will be discovered, who knows.

Financial websites, online shops and other sites with personal or financial information shouldn't have any xss mistake.

If you are securitywise you activate the xss alerts in your browsertools

secondly it is a middle in the man target which means that there should be possiblities on the client pc or on a part of the network to intercept all the traffic. Hardening the network between the clients and your server (control your own dns servers for example) and making explicit securitydemands on client PC's who want to log in are two ways to limit the windows of opportunity.

thirdly the victim will not see anything - no alert - nothing. so awareness will not help you.

fourth you will have to update all the browsers in your network to the latest version (and sometimes you will have to change to another browser if you can't update the os (xp to 7). Which means that the number of users of Chrome (fixed) and Firefox (coming weeks) will increase because of that. Even if you should have updated to windows7 if you are still on xp.

if you aren't ready to do that (because some internal applications are specifically build for older versions of IE, you can do the following (with some scripting on all the machines)

"If you do want to change the cipher defaults, in Windows world, you will need to make some registry changes. 

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNEL

This key and subkeys control how the ciphers are used.

This article http://support.microsoft.com/kb/245030 explains how to change protocols and weak cyphers (make sure you test in a test bed first).
http://isc.sans.edu/diary.html?storyid=11635"

Microsoft is preparing a specific update to be released soon.

fifth if are developing a website it is better to seperate http and https sites totally and not to mix http and https contents and functionality on the same site. Don't look so surprised, I know most banks and sites do this, but this is a known major vulnerability that constructs a window of opportunity for attacks like this one.

smart sites put everything now on https and put an ssl-accelerator hardware before or on their hostingplatform

Permalink | Comments (0) | |  Print |  Facebook | | | | | security | No free internet without a free society

Post a comment