Expert calls SSL protocol vulnerability a non issue

By Robert Westervelt, News Editor
05 Nov 2009 | SearchSecurity.com


Two security researchers are calling for an industry-wide response to fix a serious vulnerability they discovered in the SSL protocol, used widely on the Internet for secure data transfers. But a noted network security researcher says the vulnerability has very little impact on most users and will not result in data loss.

Moxie Marlinspike, a security researcher who has discovered high-profile security flaws, said the vulnerability has extremely limited value in practice. The attack is not designed to intercept traffic. Instead, code is injected, revealing nothing to the attacker, Marlinspike said.

"It has virtually no impact on the majority of users in the common case of how SSL/TLS is deployed," Marlinspike wrote in an email message. "It doesn't affect your webmail, online banking or online shopping experience."

The two researchers who discovered the problem, Marsh Ray and Steve Dispensa of Overland Park, Kan.-based security firm PhoneFactor Inc., are calling for an industry-wide fix to patch and protect Web servers, database and mail servers, as well as Web browsers and other tools that use the technology. In an interview with SearchSecurity, Ray said the potential is there for an attacker to mount a man-in-the-middle attack, sniffing Internet traffic to steal sensitive data.

"All clients and servers that speak SSL/TLS will need a patch of some form or the other," Ray said. "The security benefits of SSL/TLS will not be fully restored until both the client and server sides of the communications are patched, and at some point in the future people will need to decide if they no longer want to talk to an unpatched client or server."

Marlinspike, who demonstrated his SSLStrip tool in February at the Black Hat DC briefings, said the attack is dependent on client-certificate authentication, a rarely deployed authentication protocol designed to make users contact an SSL server to authenticate instead of, or in addition to, a password.

"Basically, in the context of HTTP, this is a non-issue and is no different than much more straightforward CSRF [cross-site request forgery] techniques," Marlinspike said. "It's possible that this attack might actually be something other than academic for protocols other than HTTP, but there have yet to be any proposals for how it might be."

Ray said he has been able to reproduce the problem in a way that did not involve client-certificate authentication, although the technique is much more difficult. He said the presence of client certificates makes mitigation strategies much more difficult. It's unclear, he said, how many websites use client-certificate authentication for renegotiation.

"Web services and SOAP type connections tend to use client certificates a lot," Ray said. "They're at the core of a lot of smart card systems as well."

The attacker must first find a way in via the network, such as an insecure wireless access point or a compromised router. Once in, the vulnerability allows the attacker to inject himself into the authenticated SSL communications path and execute commands, the researchers said.
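Ray's point that a server operator will eventually have to decide whether to keep talking to unpatched clients raises the practical question of how a server can tell patched clients apart. The fix that was standardised for this flaw, RFC 5746, has a client announce support either with a signalling cipher suite (TLS_EMPTY_RENEGOTIATION_INFO_SCSV, value 0x00FF) or with an empty renegotiation_info extension (type 0xFF01) in its ClientHello. The following is an added example written for this page, not code from the article, from PhoneFactor or from any TLS library: it parses a raw ClientHello record and reports whether the client signals secure renegotiation. The RFC 5746 constants and the TLS_RSA_WITH_AES_128_CBC_SHA suite value are real; the three sample ClientHellos are constructed fixtures, and the build_client_hello helper exists only to produce them.

```python
"""Classify TLS ClientHello records by whether the client signals RFC 5746
secure renegotiation. Added example for this page; not code from the article,
PhoneFactor or any TLS implementation. Sample records below are constructed."""
import struct

TLS_HANDSHAKE = 22               # record-layer content type: Handshake
CLIENT_HELLO = 1                 # handshake message type: ClientHello
RENEGOTIATION_INFO_EXT = 0xFF01  # RFC 5746 "renegotiation_info" extension type
EMPTY_RENEG_INFO_SCSV = 0x00FF   # RFC 5746 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
AES128_SHA = 0x002F              # TLS_RSA_WITH_AES_128_CBC_SHA (real suite value)


def build_client_hello(cipher_suites, extensions=None, version=(3, 1)):
    """Build a minimal TLS 1.0 ClientHello record. Test fixture only, not a real client."""
    body = bytes(version) + b"\x11" * 32     # client_version + constructed 32-byte random
    body += b"\x00"                          # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                      # compression_methods: null only
    if extensions:                           # extensions block is optional in TLS 1.0
        blob = b"".join(struct.pack("!HH", et, len(ed)) + ed for et, ed in extensions.items())
        body += struct.pack("!H", len(blob)) + blob
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, *version]) + struct.pack("!H", len(handshake)) + handshake


def _take(buf, off, n):
    """Return buf[off:off+n] and the new offset, refusing to read past the end."""
    if off + n > len(buf):
        raise ValueError("truncated field")
    return buf[off:off + n], off + n


def parse_client_hello(record):
    """Parse record header and ClientHello body; raise ValueError on malformed input."""
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != TLS_HANDSHAKE or len(body) != rec_len:
        raise ValueError("not a complete Handshake record")
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    version = (hello[0], hello[1])
    sid_len, off = _take(hello, 34, 1)       # skip client_version (2) + random (32)
    _sid, off = _take(hello, off, sid_len[0])
    cs_len, off = _take(hello, off, 2)
    cs_blob, off = _take(hello, off, struct.unpack("!H", cs_len)[0])
    cipher_suites = [struct.unpack("!H", cs_blob[i:i + 2])[0]
                     for i in range(0, len(cs_blob) - 1, 2)]
    cm_len, off = _take(hello, off, 1)
    _cm, off = _take(hello, off, cm_len[0])
    extensions = {}
    if off < len(hello):                     # extensions present
        ext_len, off = _take(hello, off, 2)
        ext_blob, off = _take(hello, off, struct.unpack("!H", ext_len)[0])
        e = 0
        while e < len(ext_blob):
            hdr, e = _take(ext_blob, e, 4)
            et, el = struct.unpack("!HH", hdr)
            data, e = _take(ext_blob, e, el)
            extensions[et] = data
    return {"version": version, "cipher_suites": cipher_suites, "extensions": extensions}


def signals_secure_renegotiation(record):
    """True if the client advertises RFC 5746 via the SCSV or the renegotiation_info extension."""
    info = parse_client_hello(record)
    return (EMPTY_RENEG_INFO_SCSV in info["cipher_suites"]
            or RENEGOTIATION_INFO_EXT in info["extensions"])


# Constructed fixtures: an unpatched client, a client using the SCSV, a client using the extension.
LEGACY_CLIENT = build_client_hello([AES128_SHA])
SCSV_CLIENT = build_client_hello([AES128_SHA, EMPTY_RENEG_INFO_SCSV])
EXT_CLIENT = build_client_hello([AES128_SHA], {RENEGOTIATION_INFO_EXT: b"\x00"})  # empty renegotiated_connection

if __name__ == "__main__":
    for name, rec in [("legacy", LEGACY_CLIENT), ("scsv", SCSV_CLIENT), ("extension", EXT_CLIENT)]:
        print(f"{name}: secure renegotiation signalled = {signals_secure_renegotiation(rec)}")
```

A server operator who logs the result of this check over a period of time gets a direct measure of how much of the client population is still unpatched, which is the data needed for the decision Ray describes; the check is purely passive and only reads the first handshake record. The SCSV form exists because some older TLS stacks reject unknown extensions, so a patched client may legitimately use either signal, and a classifier that looks at only one of them undercounts patched clients.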

Karsten Nohl, a security researcher who was part of a team that broke the crypto algorithm in the Mifare Classic RFID-based smart card, called the flaw serious. He stopped short of calling it a "Kaminsky-grade" threat for Internet users.

"Most people are already not checking for the padlock symbol, but [man-in-the-middle] is still hard," Nohl said. "Fixing the bug, however, will require the SSL stacks in hundreds of millions of automated networked devices that automatically exchange data."

The bug can be expected to be around for many years, giving cybercriminals a chance to create a different attack scenario, said Nohl, who works for security consultancy H4rdw4re LLC.

"Companies and agencies that already control parts of the Internet were incidentally given a large abuse potential through this vulnerability," he said.

The two researchers have been working with ICASI (Industry Consortium for Advancement of Security on the Internet) to coordinate an industry-wide fix for the problem since they discovered the flaw in August. The vulnerability became publicly known on Wednesday when a member of an Internet Engineering Task Force (IETF) working group independently discovered the issue and posted it to an IETF mailing list.

Ray said he discovered the flaw during code review on some software used to implement the PhoneFactor two-factor authentication service. He traced it down through several layers and developed a working exploit. On Sept. 29, he presented his findings to the industry consortium at Google's campus in Kirkland, Wash.

"It is complex and tricky to implement so I didn't want to ring alarms until I was absolutely sure of what I had," Ray said. "We tried very hard to get the right people in a room and give them time to hammer out a solution before the vulnerability was made public."
