Dennis Fisher and DigiCert’s Jeremy Rowley discuss the company’s certificate issuance for Facebook’s .onion site, the challenge of key protection in today’s environment and what the near future holds for PKI.
Tag Archives: Cryptography
NSA Director Says Agency Shares Vast Majority of Bugs it Finds
When the National Security Agency discovers a new vulnerability that looks like it might be of use in penetrating target networks, the agency considers a number of factors, including how popular the affected software is and where it’s typically deployed, before deciding whether to share the new bug. The agency shares most of the bugs […]
Google Releases Nogotofail Tool to Test Network Security
The last year has produced a rogues’ gallery of vulnerabilities in transport layer security implementations and new attacks on the key protocols, from Heartbleed to the Apple gotofail flaw to the recent POODLE attack. To help developers and security researchers identify applications that are vulnerable to known SSL/TLS attacks and configuration problems, Google is releasing a […]
Facebook Creates .Onion Site; Now Accessible Via Tor Network
Facebook has entered the hidden services with a new .onion site that will let Tor Network users sign into the world’s (second) most populace social network.
Microsoft Plans to Disable SSLv3 in IE, All Online Services
Microsoft is planning to disable support for the weak SSLv3 protocol in Internet Explorer at some undetermined point in the future, and also will remove support for it in the company’s online services soon. The security and utility of SSLv3 has been an issue for a long time, but it came into sharper focus earlier […]
Google Adds Hardware Security Key For Account Protection
Google is introducing an improved two-factor authentication system for Gmail and its other services that uses a tiny hardware token that will only work on legitimate Google sites. The new Security Key system is meant to help defeat attacks that rely on highly plausible fake sites that are designed to capture users’ credentials. Attackers often go […]
EFF, Snowden Dispute FBI Claims on Device Encryption
The FBI has long said that the use of strong encryption software hampers the bureau’s investigations and makes life easier for criminals. Current FBI Director James Comey continued this line of reasoning in a speech on Oct. 17, saying that the use of crypto could lead the country to a dark place, and the EFF […]
Can SSL 3.0 be fixed? An analysis of the POODLE attack.
SSL and TLS are cryptographic protocols which allow users to securely communicate over the Internet. Their development history is no different from other standards on the Internet. Security flaws were found with older versions and other improvements were required as technology progressed (for example elliptic curve cryptography or ECC), which led to the creation of newer versions of the protocol.
It is easier to write newer standards, and maybe even implement them in code, than to adapt existing ones while maintaining backward compatibility. The widespread use of SSL/TLS to secure traffic on the Internet makes a uniform update difficult. This is especially true for hardware and embedded devices such as routers and consumer electronics which may receive infrequent updates from their vendors.
The fact that legacy systems and protocols need to be supported, even though more secure options are available, has lead to the inclusion of a version negotiation mechanism in SSL/TLS protocols. This mechanism allows a client and a server to communicate even if the highest SSL/TLS version they support is not identical. The client indicates the highest version it supports in its ClientHello handshake message, then the server picks the highest version supported by both the client and the server, then communicates this version back to the client in its ServerHello handshake message. The SSL/TLS protocols implement protections to prevent a man-in-the-middle (MITM) attacker from being able to tamper with handshake messages that force the use of a protocol version lower than the highest version supported by both the client and the server.
Most popular browsers implement a different out-of-band mechanism for fallback to earlier protocol versions. Some SSL/TLS implementations do not correctly handle cases when a connecting client supports a newer TLS protocol version than supported by the server, or when certain TLS extensions are used. Instead of negotiating the highest TLS version supported by the server the connection attempt may fail. As a workaround, the web browser may attempt to re-connect with certain protocol versions disabled. For example, the browser may initially connect claiming TLS 1.2 as the highest supported version, and subsequently reconnect claiming only TLS 1.1, TLS 1.0, or eventually SSL 3.0 as the highest supported version until the connection attempt succeeds. This can trivially allow a MITM attacker to cause a protocol downgrade and make the client/server use SSL 3.0. This fallback behavior is not seen in non HTTPS clients.
The issue related to the POODLE flaw is an attack against the “authenticate-then-encrypt” constructions used by block ciphers in their cipher block chaining (CBC) mode, as used in SSL and TLS. By using SSL 3.0, at most 256 connections are required to reliably decrypt one byte of ciphertext. Known flaws already affect RC4 and non block-ciphers and their use is discouraged.
Several cryptographic library vendors have issued patches which introduce the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV) support to their libraries. This is essentially a fallback mechanism in which clients indicate to the server that they can speak a newer SSL/TLS versions than the one they are proposing. If TLS_FALLBACK_SCSV was included in the ClientHello and the highest protocol version supported by the server is higher than the version indicated by the client, the server aborts the connection, because it means that the client is trying to fallback to a older version even though it can speak the newer version.
Before applying this fix, there are several things that need to be understood:
- As discussed before, only web browsers perform an out-of-band protocol fallback. Not all web browsers currently support TLS_FALLBACK_SCSV in their released version. Even if the patch is applied on the server, the connection may still be unsafe if the browser is able to negotiate SSL 3.0
- Clients which do not implement out-of-protocol TLS version downgrades (generally anything which does not speak HTTPS) do not need to be changed. Adding TLS_FALLBACK_SCSV is unnecessary (and even impossible) if there is no downgrade logic in the client application.
- The TLS/SSL server needs to be patched to support the SCSV extension – though, as opposed to the client, the server does not have to be rebuilt with source changes applied. Just installing an upgrade TLS library is sufficient. Due to the current lack of browser support, this server-side change does not have any positive security impact as of this writing. It only prepares for a future where a significant share of browsers implement TLS_FALLBACK_SCSV.
- If both the server and the client are patched and one of them only supports SSL 3.0, SSL 3.0 will be used directly, which results in a connection with reduced security (compared to currently recommended practices). However, the alternative is a total connection failure or, in some situations, an unencrypted connection which does nothing to protect from an MITM attack. SSL 3.0 is still better than an unencrypted connection.
- As a stop-gap measure against attacks based on SSL 3.0, disabling support for this aging protocol can be performed on the server and the client. Advice on disabling SSL 3.0 in various Red Hat products and components is available on the Knowledge Base.
Information about (the lack of ongoing) attacks may help with a decision. Protocol downgrades are not covert attacks, in particular in this case. It is possible to log SSL/TLS protocol versions negotiated with clients and compare these versions with expected version numbers (as derived from user profiles or the HTTP user agent header). Even after a forced downgrade to SSL 3.0, HTTPS protects against tampering. The plaintext recovery attack described in the POODLE paper (Bodo MThis POODLE Bites: Exploiting The SSL 3.0 Fallback, September 2014) can be detected by the server and just the number of requests generated by it could be noticeable.
ller, Thai Duong, Krzysztof Kotowicz,Red Hat has done additional research regarding the downgrade attack in question. We have not found any clients that can be forcibly downgraded by an attacker other than clients that speak HTTPS. Due to this fact, disabling SSL 3.0 on services which are not used by HTTPS clients does not affect the level of security offered. A client that supports a higher protocol version and cannot be downgraded is not at issue as it will always use the higher protocol version.
SSL 3.0 cannot be repaired at this point because what constitutes the SSL 3.0 protocol is set in stone by its specification. However, starting in 1999, successor protocols to SSL 3.0 were developed called TLS 1.0, 1.1, and 1.2 (which is currently the most recent version). Because of the built-in protocol upgrade mechanisms, these successor protocols will be used whenever possible. In this sense, SSL 3.0 has indeed been fixed – an update to SSL 3.0 should be seen as being TLS 1.0, 1.1, and 1.2. Implementing TLS_FALLBACK_SCSV handling in servers makes sure that attackers cannot circumvent the fixes in later protocol versions.
Mobile Device Encryption Could Lead to a ‘Very, Very Dark Place’, FBI Director Says
FBI Director James Comey said Thursday that the recent movement toward default encryption of smartphones and other devices could “lead us to a very, very dark place.” Echoing comments made by law enforcement officials for the last several decades, Comey said that the advanced cryptosystems available today threaten to cripple the ability of intelligence and law […]
OpenSSL Releases Patch for POODLE Attack
The OpenSSL Project has released a new version of the encryption software, which patches several security flaws, including the bug that is exploited by the POODLE attack on SSLv3. The updated versions of OpenSSL come just a couple of days after a trio of researchers at Google revealed the POODLE attack, which allows an attacker to […]