SSL Holes Found In Critical Non-Browser Software 84
Gunkerty Jeb writes "The death knell for SSL is getting louder. Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages. Serious security vulnerabilities were found in programs such as Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man in the middle attack."
Re:Death knell? Really? (Score:5, Informative)
It means that both Gunkerty Jeb and Timothy didn't read TFA and are both fucking stupid.
Summary: libraries allow you to selectively ignore part or all of the certificate chain verification, including OpenSSL, which is exactly what your fucking browser asks you to do when you visit a site with a self-signed or expired cert. TFA argues that this is the wrong behavior. TFA also doesn't understand that sometimes you don't care that much about MITM, just that the traffic is encrypted to make the current session opaque.
TFA also doesn't understand what the layers of security are around Amazon's EC2 toolkit, either.
Re:Proprietary software contains vulnerabilities (Score:2, Informative)
Shocking indeed. It's pretty much this story but without the Android reference
http://yro.slashdot.org/story/12/10/20/0545252/poor-ssl-implementations-leave-many-android-apps-vulnerable [slashdot.org]
Who'd have thought that poorly coded code is poorly coded?
Re:Death knell? Really? (Score:5, Informative)
It means that this "post" is really clickbait. And now we know why no one RTFA.
Re:Death knell? Really? (Score:5, Informative)
Yes, it is and it's bs that libcurl got caught in the middle. By default libcurl is secure.
Re:Man in the middle? (Score:5, Informative)
There's not really any such thing as a "legit" certificate; you're referring to a signed one. This does nothing to protect against a man-in-the-middle attack. What it does do is establish a chain of trust linking your certificate back to an authority. If that authority is trusted then your cert can be too (to the extent you trust the authority). If, and that's a big if, we trust that _all_ trusted authorities will thoroughly vet the certificates they sign then we can _trust_ that a MITM attack cannot occur, but realistically "legit" certificates do nothing more than that. If, say, the US DoD (once/often? a trusted authority) decides to MITM you, they can just sign a cert and MITM you.
The only way to actually prevent MITM is to exchange the certificate (or some verification mechanism like a hash) in some sort of trusted manner (e.g. distributing it's hash with a client app).
Re:Death knell? Really? (Score:2, Informative)
Your parent stated it badly. It's not that you aren't worried about Monkey in the Middle. It's that you aren't worried about third party identity verification to avoid MITM. If you self-sign your own certificate, then you know that it's valid. You aren't relying on a third party signer (e.g. VeriSign) to validate it. You are validating it.
The thing is that for this to work, you need to verify the certificate. If you don't verify the certificate, then you can end up with MITM attacks. There is a mechanism to automatically verify the certificate with a third party signer. If you bypass that mechanism, you are responsible for doing the necessary verification. Turning off that verification in libcurl is a bad idea--it allows *everyone* to bypass verification. It should only be used for testing. Turning off that verification on a per site basis in Firefox is dangerous but manageable.
The correct way to do this with libcurl is to manually add that particular certificate to the approved certificates list. That marks that you verified the certificate without opening additional certificates. It's possible that there should be additional tools to make this process easier in both Firefox and libcurl. That would encourage people to do the right thing rather than the expedient thing.