Friday, April 16, 2010

Media Hype: Res Ipsa Loquitur

A. Padgett Peterson, P.E., MSSM, CISSP, IAM/IEM


Whenever an article on encryption appears in the mass media, I can be sure of two things:

1) there will be a fundamental flaw in the article
2) only an expert in the field will be able to spot it

The article that appeared on November 5th, 2009 on ZDNET UK http://news.zdnet.co.uk/security/0,1000000189,39860592,00.htm?tag=mncol;txt is no exception. Titled “Zero-day flaw found in web encryption”, my first thought was that someone had found a way to quickly factor products of very large primes (the assumption that it cannot be done faster than a significant portion of the lifetime of the universe is the basis of both major asymmetric algorithms, Diffie-Hellman and RSA).

My second thought was “Right”.

As usual, the article is a bit vague about exactly what was discovered other than it affected SSL/TLS, the foundational protocols for secure web exchanges: “The flaw in the TLS authentication process allows an outsider to hijack a legitimate user's browser session and successfully impersonate the user.”

On seeing that my thought was a Man-In-The-Middle attack on SSLv2 (server side authentication only) but that has been known for a long time. Unfortunately, few web sites use the more secure SSLv3 since that requires the client to have a certificate also; most merchants just consider a valid credit card number to be sufficient client side authentication.

The good news is that few attackers try to mount MITM attacks because you only get one card number at a time. Why bother with that when millions are exposed and available on not so well protected sites? PCI-DSS is making a dent in the problem but even that does not tackle the issue of client certificates, American Express tried in the last century with the “Blue” card but made little headway.

The actuality is found in a research paper referenced deep into the article: “[TLS] MITM attack on delayed TLS-client auth through renegotiation” ( http://www.ietf.org/mail-archive/web/tls/current/msg03928.html ).

However the paper refers to an attack on SSLv3/TLS and not just v2. The two salient paragraphs spell it out:
1) “(During plain text initialization) “If a TLS client with a promising TLS client cert connects (sess1), then the rogue TLS server establishes an anonymous TLS connection (sess2) with the victim MS IIS server and sends the request it wants performed (URL with command parameters) to the victim MS IIS server”
2) “The ChangeCipherSpec is the last Handshake message on each direction that is decrypted/encrypted under the original sess1/sess2 settings, for all further communication, the rogue TLS server (MITM) will forward the incoming network data 1:1 to the other side (because that is protected under keys known only to the TLS client and to the victim MS IIS.”

In other words, the attack is based on being able to establish a MITM position and send a plain text request to the web server during TLS/SSL negotiation. It is necessarily a blind request since by element (2) the MITM will not be able to read the response.

It is a surprise that the server (here IIS is specifically mentioned) would execute such a command but then we have been often surprised by what certain web servers will respond to. Cross Site Scripting is probably the best known vulnerability introduced by server coding.

The bad news is that such an attack would not be reflected in the certificates used (the padlock in the browser). Only a TraceRoute would reveal what is happening.

After reading the article, my parting thought was there are a lot of easier ways to do the same thing, particularly ones that do not require establishing a MITM position. For web instances I have a lot more concern about the target=”_blank” construct.

However, the bottom line is that once again the media chose hype over facts. The attack has nothing to do with encryption and is against a specific protocol implementation issue that may or may not exist in all servers.

The web is still relatively safe for commerce. For now.

("Res Ipsa Loquitur" means “The thing speaks for itself,” a legal construct that refers to situations when it's assumed that a person's injury was caused by the negligent action of another party because the accident was the sort that wouldn't occur unless someone was negligent. (http://www.lectlaw.com/def2/q035.htm )
***************************************************************************

Last Week’s Quiz Question

Question: What Norwich University sports team won its respective NCAA Championship in 2010?

Answer: Men’s Hockey (Women’s Hockey also went to the title game, but lost)

Winner: Andrey N. Chernyaev

This Week’s Question
What was the original name of Norwich University? (Question provided by Matt Bambrick).

Please send all answers to: jorlando@norwich.edu

Current competition standings:

Matt Bambrick: 3 wins
Andrey N. Chernyaev: 3 wins
Dianne Tarpy: 2 wins
Sam Moore
Autumn Crossett
Gil Varney, Jr.
Glen Calvo
Thomas Reardon
Sherryl Fraser
Srinivas Chandrasekar
Marc Ariano
Linda Rosa
Joanna D'Aquanni
Bill Lampe
Srinivas Bedre
Christian Sandy.

No comments:

Post a Comment