Blog back
OK, so the blog is back. Just for reference, here’s the content from the temporary static page:
Renegotiating TLS
Marsh Ray
Steve Dispensa
v1.1 November 4, 2009
Summary
Transport Layer Security (TLS, RFC 5246 and earlier versions, including SSL v3 and earlier) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities. In particular, practical attacks against HTTPS client certificate authentication have been demonstrated against recent versions of both Microsoft IIS and Apache httpd on a variety of platforms and in conjunction with a variety of client applications. Cases not involving client certificates have been demonstrated as well. Although this research has focused on the implications specifically for HTTP as the application protocol, the research is ongoing and many of these attacks are expected to generalize well to other protocols layered on TLS.
There are three general attacks against HTTPS discussed here, each with slightly different characteristics, all of which yield the same result: the attacker is able to execute an HTTP transaction of the attacker's choice, authenticated by a legitimate user (the victim of the MITM attack). Some attacks result in the attacker-supplied request generating a response document that is then presented to the client without any certificate warning or other indication to the user. Other techniques allow the attacker to forward or re-purpose client certificate authentication credentials.
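To make the "chosen plaintext at the beginning of the application stream" point concrete, here is a small Python simulation. It is an added example written for this repost, not code from the paper, the packet captures, or the draft: the hostname bank.example, the URL paths, the X-Ignore-This header name and the session cookie value are all constructed. The first part splices the MITM's unterminated HTTP prefix onto the victim's request exactly as the server's HTTP parser sees it after a renegotiation, so the victim's cookie ends up authenticating the attacker's request and the victim's own request line is swallowed into a header. The second part models the server-side check from the draft-rescorla-tls-renegotiate proposal mentioned in the notes (later RFC 5746): a ClientHello on an existing connection must carry the previous handshake's client_verify_data, which a victim performing what it believes is an initial handshake cannot supply.

```python
import hmac
import os

# --- Part 1: the prefix-injection splice -------------------------------------

# Constructed sample traffic for the simulation (not taken from the paper's captures).
# The MITM opens its own TLS session to the server and sends this, deliberately
# leaving the last header line unterminated.
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore-This: "
)

# The victim's own request, sent over what it believes is a fresh TLS session but
# which the server sees as a renegotiation of the MITM's existing session.
VICTIM_REQUEST = (
    b"GET /account/balance HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-session-token\r\n"
    b"\r\n"
)


def splice_streams(attacker_prefix: bytes, victim_request: bytes) -> bytes:
    """What the server's HTTP layer receives: the attacker's plaintext from the first
    session followed directly by the victim's plaintext from the renegotiated session.
    Pre-RFC 5746 renegotiation gives the application layer no boundary between them."""
    return attacker_prefix + victim_request


def parse_first_request(stream: bytes) -> dict:
    """Minimal HTTP/1.x request-head parser modelling how a server reads the spliced
    stream. Header names are lower-cased; a duplicated header keeps the last value."""
    head, _, _body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "target": target.decode(),
            "version": version.decode(), "headers": headers}


def attacker_request_with_victim_cookie() -> dict:
    """Run the splice and return the single request the server actually executes:
    the attacker's target, authenticated by the victim's Cookie header."""
    return parse_first_request(splice_streams(ATTACKER_PREFIX, VICTIM_REQUEST))


# --- Part 2: the binding check proposed in draft-rescorla-tls-renegotiate -----

VERIFY_DATA_LEN = 12  # length of verify_data in a TLS 1.x Finished message


def server_accepts_renegotiation(recorded_client_verify_data: bytes,
                                 hello_renegotiation_info) -> bool:
    """Server-side rule for a ClientHello arriving on an already-secured connection:
    the renegotiation_info extension must be present and its renegotiated_connection
    field must equal the client_verify_data (from the client's Finished message) of
    the previous handshake on this same connection. None models an absent extension."""
    if hello_renegotiation_info is None:
        return False  # legacy renegotiation on a secured connection is refused
    return hmac.compare_digest(hello_renegotiation_info, recorded_client_verify_data)


def simulate_mitm_splice_detection() -> tuple:
    """Return (same_party_ok, mitm_splice_ok). The connection's recorded verify_data
    came from the MITM's own first handshake; the victim's ClientHello is an initial
    handshake from the victim's point of view, so its renegotiated_connection field is
    empty and cannot match, and the server aborts before any plaintext is spliced."""
    recorded = os.urandom(VERIFY_DATA_LEN)  # stands in for the first handshake's value
    same_party_ok = server_accepts_renegotiation(recorded, recorded)
    mitm_splice_ok = server_accepts_renegotiation(recorded, b"")
    return same_party_ok, mitm_splice_ok


if __name__ == "__main__":
    req = attacker_request_with_victim_cookie()
    print("server executes:", req["method"], req["target"])
    print("authenticated by:", req["headers"]["cookie"])
    print("victim's request line became:", req["headers"]["x-ignore-this"])
    print("(same party, MITM splice) accepted:", simulate_mitm_splice_detection())
```

The simulation deliberately leaves TLS itself out: the attack needs no cryptographic break, only the fact that the server's application layer concatenates the bytes from before and after a renegotiation. The same splice applies to the client certificate case in the paper, where the server buffers the MITM's request, renegotiates to request a certificate, and then executes the buffered request under the victim's certificate identity.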
Notes
2009-11-06 15:25 -0600 Michael D’Errico has an implementation of draft-rescorla-tls-renegotiate at https://www.mikestoolbox.net . Interop test!
2009-11-06 12:08 -0600 I’ve finally gotten around to registering on Twitter. Status updates are happening faster, will be putting them there (and possibly here, too).
2009-11-05 18:24 -0600 Eric Rescorla has posted the text for an Internet Draft that we are proposing as a fix: msg03963.html
2009-11-05 17:56 -0600 Client certificate authentication is not required for vulnerabilities to be present.
The full document in pdf format: Renegotiating_TLS.pdf
Some helpful protocol diagrams: Renegotiating_TLS_pd.pdf
Packet captures: renegotiating_tls_20091104_pub.zip