SSL Renegotiation Attack Becomes Real
rastos1 and several other readers noted that the SSL vulnerability we discussed a couple of weeks back, which some researchers had claimed was too theoretical to worry about, has now been demonstrated by exploit. The attack description is available on securegoose.org. "A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the SSL protocol. The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website."
Re:Testing times (Score:2, Interesting)
Do you seriously believe the NSA hadn't exploited this, and other bugs, already ?
Re:Kinda bad summary (Score:3, Interesting)
He did it by injecting text that instructed Twitter's application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted.
What's to prevent inserting text that essentially says make this request, and use the same password string to change the user's password? Not all malicious uses of the injection need to be about *getting* data. It doesn't even have to be kids having "fun". Locking a particular [set of] user[s] out of a financial system at a critical time in a financial transaction might benefit someone in organized crime.
Re:Kinda bad summary (Score:4, Interesting)
Internet banking is 100% SSL/TLS based. On top of that, most banks, and services like Paypal offer B2B interfaces and APIs. This is not just a problem, this is adding a serious risk to all Internet based transactions. Obviously, Internet merchants and banks are going to downplay this publicly but security consultants just paid their next vacation in the Bahamas.
Re:Kinda bad summary (Score:4, Interesting)
2) Let's assume you have an answer to 1). The exploit involves dumping text to a public message. If your bank has any sort of messaging feature, it's private. Hell, if your tweets are private on twitter, you were never in danger in the first place.
Debian Linux (Score:3, Interesting)
For what it's worth, Debian released an update to Apache and guidance on how to mitigate the vulnerability.
They did indicate that this was only a work around and a protocol redesign would be required in order to completely fix the vulnerability.
I wonder how many people just simply aren't paying attention and will get burnt by this problem. I want to believe not many but I honestly know better...
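The "protocol redesign" the Debian advisory alludes to became the secure renegotiation extension (RFC 5746): a client signals support with the `renegotiation_info` extension (type 0xff01) or the `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` pseudo cipher suite (0x00ff), and a patched server answers with the same extension. The parser below is an added example, not code from the story, Debian or any commenter; it builds constructed, all-zero-random ClientHello and ServerHello records and reports whether each side signals secure renegotiation, which is the check a defender wants when auditing a captured handshake or a server that was supposedly patched.

```python
import struct

RENEGOTIATION_INFO = 0xFF01   # RFC 5746 extension type
EMPTY_RENEG_SCSV = 0x00FF     # TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite
CLIENT_HELLO, SERVER_HELLO = 1, 2


def build_hello(msg_type, cipher_suites, extensions, session_id=b""):
    """Build a minimal TLS 1.0 handshake record carrying a ClientHello or ServerHello.

    Constructed sample data: the 32-byte random is all zeros, which is fine for
    parsing but would never appear in a real handshake.
    """
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    if msg_type == CLIENT_HELLO:
        suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
        body += struct.pack("!H", len(suites)) + suites
        body += b"\x01\x00"                       # one compression method: null
    else:
        body += struct.pack("!H", cipher_suites[0]) + b"\x00"   # chosen suite, null compression
    if extensions:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_hello(record):
    """Inspect a handshake record and report the RFC 5746 signals it carries."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    msg_type = hs[0]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                  # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    scsv = False
    if msg_type == CLIENT_HELLO:
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        scsv = EMPTY_RENEG_SCSV in suites
        pos += 1 + body[pos]                      # skip compression methods
    elif msg_type == SERVER_HELLO:
        pos += 2 + 1                              # skip chosen suite and compression
    else:
        raise ValueError("not a ClientHello or ServerHello")

    has_ext = False
    if pos < len(body):                           # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == RENEGOTIATION_INFO:
                has_ext = True
            pos += ext_size
    return {
        "msg_type": "ClientHello" if msg_type == CLIENT_HELLO else "ServerHello",
        "scsv": scsv,
        "renegotiation_info": has_ext,
        "secure_renegotiation": scsv or has_ext,
    }


def server_is_patched(server_hello):
    """A server that never echoes renegotiation_info still speaks the pre-RFC 5746 protocol."""
    return parse_hello(server_hello)["renegotiation_info"]


# Constructed handshakes for the four cases an auditor meets in practice.
CLIENT_SCSV = build_hello(CLIENT_HELLO, [0x002F, EMPTY_RENEG_SCSV], [])
CLIENT_EXT = build_hello(CLIENT_HELLO, [0x002F], [(RENEGOTIATION_INFO, b"\x00")])
SERVER_PATCHED = build_hello(SERVER_HELLO, [0x002F], [(RENEGOTIATION_INFO, b"\x00")])
SERVER_LEGACY = build_hello(SERVER_HELLO, [0x002F], [])

if __name__ == "__main__":
    for name, rec in [("client SCSV", CLIENT_SCSV), ("client ext", CLIENT_EXT),
                      ("server patched", SERVER_PATCHED), ("server legacy", SERVER_LEGACY)]:
        print(name, parse_hello(rec))
```

On a real capture, feed the first record of each direction to `parse_hello`; a server answer without `renegotiation_info` is the case the Debian workaround (refusing renegotiation outright) was covering until servers and clients both implemented the extension.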
Re:Really... (Score:4, Interesting)
The staff rise up via wealthy parents or selection via standardised testing and scholarships/part time work.
Entering the final years of advanced maths and cryptography they are tapped/groomed via security clearances for small projects.
If they show the skills and mindset they are invited in deeper.
Nothing like working in the future, with languages, huge budgets and never having to answer to anyone.
Some burn out, some get the contacts and security clearances to contract back, some exit and go private.
Over history, after WW2, the US has been seen to be very good with hardware and software.
Enigma shows the gold standard, Crypto AG and Soviet penetration shows the ongoing skill set.
The idea that "all the big encryption methods" are safe is a rather large risk to take.
The US gifted (as in export laws) the world Apple, IBM, Sun, MS, Unix etc.
Was that just for MS and Apple to sell boxes and get students enjoying the American way of digital life?
"the rest of the world" has sold out and is part of the NSA telco loop, a disputed zone or under constant surveillance.
If you're under constant surveillance, it becomes a known known to have fun with.
Re:Kinda bad summary (Score:4, Interesting)
Wrong. Your HTTP headers don't end up on your Twitter "blog" (or whatever it's called), they end up on the attacker's.
And as for banks not having a public messaging feature, is Citibank big enough for you?
https://banking.citibank.com/JoinOurOnlineForum/UserGuide.aspx
But once again, do note that the page where the user's credentials end up doesn't need to be public; it just has to be accessible by the attacker.