Hackers break SSL encryption used by millions of sites

tlu · Sep 20, 2011

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

Sounds really horrible. Details will be available by the end of the week.

lotuseclat79 · Sep 20, 2011

Researchers to detail hole in Web encryption.

-- Tom

elapsed · Sep 20, 2011

IE (along with Opera) has supported TLS 1.1 and 1.2 for a LONG time. But there must be good reasoning we haven't moved on? 1.1 was in 2006 and 1.2 in 2008, are we going to see a mass exodus of 1.0 to 1.2 now? Despite whatever reason that prevented it going mainstream in the first place?

Hungry Man · Sep 20, 2011

I was just coming to post about this.

@Funky, all modern browsers support them. It's a matter of the website supporting them. Plenty of websites don't even support https at all, they just don't bother to update because users don't care.

EDIT: Chrome may not support TLS 1.1 and above. Checking...

Escalader · Sep 20, 2011

Hi:

In my IE9 it shows

1.0
1.1
1.2

Only 1.0 was ticked!

What "should" I do tick them all, untick them all , tick only 1.2?

This stuff is NOT my area of knowlege so I make no appology for the stupidy of the question!

Hungry Man · Sep 20, 2011

Tick them all. Unticking 1.0 would just disable it entirely if the site only supports 1.0.

1.0 is better than nothing.

elapsed · Sep 20, 2011

There's a reason they are unticked, I don't think they work/properly when all enabled.

@Hungry

Incorrect, Chrome and Firefox are 2 I know do not support them, possibly even Safari. Currently IE and Opera are the 2 that do.

Hungry Man · Sep 20, 2011

Yep, found bug reports for both indicating that.

elapsed · Sep 20, 2011

More info as to why TLS 1.1 and TLS 1.2 are disabled by default in IE:

Some adventurous Internet Explorer users have found that if they enable these new protocols, some secure sites will fail to load
Click to expand...

http://blogs.msdn.com/b/ieinternals...https-servers-impair-tls-1.1-and-tls-1.2.aspx

From my perspective it looks completely safe for the average Wilders member to enable TLS 1.1 and 1.2 in IE. However if you try to access an https website and it doesn't work, you know why. I don't recommend turning this on for standard users (non-Wilders readers).

I'll enable them and see how it turns out.

EDIT: It seems all the secure website I browse, including my bank and PayPal, load fine. Please note, that doesn't mean those servers support TLS 1.1 or 1.2, it's possible NONE of them support it. But the important thing is, they all load.

Hungry Man · Sep 20, 2011

Can't you check? I know witih Chrome you just click the lock and it says if it's running on TLS x

Escalader · Sep 20, 2011

I've ticked them all will report later.

Okay, the https bank site works with TLSx where x=1.0,1.1,1.2

elapsed · Sep 20, 2011

Hungry Man said:

Can't you check? I know witih Chrome you just click the lock and it says if it's running on TLS x
Click to expand...

I'd have no idea how to do that in IE, if it's even possible. Maybe someone else knows. Seems a bit redundant in Chrome considering it only supports the 1.0, heh, so I can't use Chrome as a tool to check what versions a server supports.

elapsed · Sep 20, 2011

I searched around and found this website for testing SSL security on servers:
https://www.ssllabs.com/ssldb/index.html

Testing on wilderssecurity.com shows it only supports 1.0, and doesn't support 1.1 or 1.2

Going to go through some sites and test them, seems like a very useful tool.

edit: None of the important sites I browse support it (Bank, PayPal), which goes to show, unfortunately, there's not much left that we can do about it. After enabling 1.1 and 1.2 it's simply out of our hands.

CloneRanger · Sep 20, 2011

Bugzilla@Mozilla – Bug 480514 Implement support for TLS 1.2 (RFC 5246)

theosophe74 2011-09-20 04:55:47 PDT

In a matter of days, the ability to decrypt TLS 1.0 traffic will be publicly demonstrated using JavaScript code that can get the job done in around 10 minutes. TLS 1.2 is not subject to this exploit. IE 8 / 9 on Windows 7 supports TLS 1.2. Opera 10 supports TLS 1.2. Is it the recommendation of Mozilla, then, in the interest of security, to use an alternate browser like the above until the newest gaping TLS security hole can be addressed? Of course, the server with which you're communicating needs to support TLS 1.2 as well. And Chrome is equally vulnerable as it also uses NSS.
Click to expand...

stodgycat 2011-09-20 06:43:57 PDT

Once the TLS 1.0 decryption expolit is demonstrated the severity of this bug should be increased from "enhancement" to "normal" or even "major". The confidentiality of https sessions is a major function of the browser.
Click to expand...

https://bugzilla.mozilla.org/show_bug.cgi?id=480514
Click to expand...

New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies

https://threatpost.com/en_us/blogs/...del-ssl-allows-theft-encrypted-cookies-091611
Click to expand...

*

@ elapsed

Thanks for the https://www.ssllabs.com/ssldb/index.html link

HTTPS hotmail got 88 https://www.ssllabs.com/ssldb/analyze.html?d=https://login.live.com/login.srf? Other ordinary sites got 97/98 ?

Oops

But hey, it's not our bank etc is it

vasa1 · Sep 20, 2011

Hungry Man said:

...

EDIT: Chrome may not support TLS 1.1 and above. Checking...
Click to expand...

Looks like it.

This is what my Chrome 14 stable has:

vasa1 · Sep 20, 2011

“BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection,” Trevor Perrin, an independent security researcher, wrote in an email. “If the attack works as quickly and widely as they claim it's a legitimate threat.”
Click to expand...

From the Register link

So how is the javascript slipped in?

Searching_ _ _ · Sep 20, 2011

SSLScan is a free command line tool that scans a HTTPS service to enumerate what protocols (supports SSLv2, SSLv3 and TLS1) and what ciphers the HTTPS service supports. It runs both on Linux and Windows OS (OSX not tested) and is released under a open source license.

Code:

[user@test]$ ./SSLScan --no-failed mail.google.com
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.9.0-win
             http://www.titania.co.uk
 Copyright 2010 Ian Ventura-Whiting / Michael Boman
    Compiled against OpenSSL 0.9.8n 24 Mar 2010

Testing SSL server mail.google.com on port 443

  Supported Server Cipher(s):
    accepted  SSLv3  256 bits  AES256-SHA
    accepted  SSLv3  128 bits  AES128-SHA
    accepted  SSLv3  168 bits  DES-CBC3-SHA
    accepted  SSLv3  128 bits  RC4-SHA
    accepted  SSLv3  128 bits  RC4-MD5
    accepted  TLSv1  256 bits  AES256-SHA
    accepted  TLSv1  128 bits  AES128-SHA
    accepted  TLSv1  168 bits  DES-CBC3-SHA
    accepted  TLSv1  128 bits  RC4-SHA
    accepted  TLSv1  128 bits  RC4-MD5

  Prefered Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  128 bits  RC4-SHA

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    Not valid before: Dec 18 00:00:00 2009 GMT
    Not valid after: Dec 18 23:59:59 2011 GMT
    Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Modulus (1024 bit):
          00:d9:27:c8:11:f2:7b:e4:45:c9:46:b6:63:75:83:
          b1:77:7e:17:41:89:80:38:f1:45:27:a0:3c:d9:e8:
          a8:00:4b:d9:07:d0:ba:de:ed:f4:2c:a6:ac:dc:27:
          13:ec:0c:c1:a6:99:17:42:e6:8d:27:d2:81:14:b0:
          4b:82:fa:b2:c5:d0:bb:20:59:62:28:a3:96:b5:61:
          f6:76:c1:6d:46:d2:fd:ba:c6:0f:3d:d1:c9:77:9a:
          58:33:f6:06:76:32:ad:51:5f:29:5f:6e:f8:12:8b:
          ad:e6:c5:08:39:b3:43:43:a9:5b:91:1d:d7:e3:cf:
          51:df:75:59:8e:8d:80:ab:53
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Basic Constraints: critical
        CA:FALSE      X509v3 CRL Distribution Points: 
        URI:http://crl.thawte.com/ThawteSGCCA.crl
      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto      Authority Information Access: 
        OCSP - URI:http://ocsp.thawte.com
        CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt
  Verify Certificate:
    unable to get local issuer certificate


Renegotiation requests supported

Click to expand...

Testing for SSL/TLS - OWASP.org

vasa1 · Sep 20, 2011

elapsed said:

I searched around and found this website for testing SSL security on servers:
https://www.ssllabs.com/ssldb/index.html
...
Click to expand...

One https site had this comment when I fed it into the link above:
This server is vulnerable to MITM attacks because it supports renegotiation (more info here).

elapsed · Sep 20, 2011

vasa1 said:

One https site had this comment when I fed it into the link above:
This server is vulnerable to MITM attacks because it supports renegotiation (more info here).
Click to expand...

No idea what that means, seen it on a few sites, I don't think it ACTUALLY allows MITM.

CloneRanger said:

Thanks for the https://www.ssllabs.com/ssldb/index.html link

HTTPS hotmail got 88 https://www.ssllabs.com/ssldb/analyze.html?d=https://login.live.com/login.srf? Other ordinary sites got 97/98 ?

Oops
Click to expand...

Ignore the scores, for example wilders scores 0 for self-signing. Just concentrate on what the servers support.

Hungry Man · Sep 20, 2011

Yep, I get a warning every time I visit wilders because of that.

Searching_ _ _ · Sep 20, 2011

vasa1 said:

From the Register link

So how is the javascript slipped in?
Click to expand...

+1
Wouldn't that be like an evil extension, modified profile, activeX or would it be code on a web page?

elapsed · Sep 20, 2011

So maybe one of the Wilders admins can explain to us why Wilders doesn't support 1.1/1.2 and the complications/difficulties/reasoning behind doing so.

Searching_ _ _ · Sep 20, 2011

Here is a description of the attack and how it works:

The attack works in such way:

1. A user opens any HTTP website like http://google.com/ in Iran (for example)

2. Government-controlled Iranian ISP intercepts HTTP traffic and injects some rogue JS code.

3. Rogue JS code opens https-AJAX-connection to https://gmail.com/ and transmits some constant nonsense there (chosen plaintext attack).

4. The key point of TLS 0.x-1.0 vulnerability is deterministic calculation of IV in all sessions except first one. Initialization vector (IV) is computed using (pseudo)random numbers for the first session, and subsequent connections to the same website use new IVs computed with deterministic algorithm from previous IVs, without using random numbers.

http://eprint.iacr.org/2006/136

It's a specific form of key integrity probably intended to counteract partial MitM. Or at least that way it was thought in 1994 by Netscape.

5. Rogue Iranian ISP intercepts resulting https traffic for https://gmail.com/ and by comparing known (chosen) plaintext versus ciphertext, computes initial IV. Here is where the novelty of the research is: popular belief in 2006 was this computation requires 2^1000 operations, in 2011 it turns out that could be handled in 10 minutes [see my remark below].

6. User navigates to https://gmail.com/ to read email. Browser chooses new IV different from old one, but Iranian ISP can compute it independently because algorithm is deterministic and previous IV is known to them.

7. By knowing second IV, Iranian ISP is able to decrypt all https traffic of the second session and extract user cookies from it. (Not necessarily in real time.)

8. Now Iranian government is able to read user's email by substituting his cookies on any computer and navigating to https://gmail.com/.

You may replace Iranian govt in this story with your neighbour in public WiFi, equipped with enhanced version of FireSheep.

---

My remark: I think this is fixable on the client side and somehow related to low-entropy PRNG used to generate IV for the first TLS session.
Click to expand...

http://news.ycombinator.com/item?id=3015498

Hungry Man · Sep 20, 2011

Government-controlled Iranian ISP
Click to expand...

Looks like I'm safe.

elapsed · Sep 20, 2011

Hungry Man said:

Looks like I'm safe.
Click to expand...

LOL!!

Log in or Sign up

Hackers break SSL encryption used by millions of sites

tlu Guest

lotuseclat79 Registered Member

elapsed Registered Member

Hungry Man Registered Member

Escalader Registered Member

Hungry Man Registered Member

elapsed Registered Member

Hungry Man Registered Member

elapsed Registered Member

Hungry Man Registered Member

Escalader Registered Member

elapsed Registered Member

elapsed Registered Member

CloneRanger Registered Member

vasa1 Registered Member

vasa1 Registered Member

Searching_ _ _ Registered Member

vasa1 Registered Member

elapsed Registered Member

Hungry Man Registered Member

Searching_ _ _ Registered Member

elapsed Registered Member

Searching_ _ _ Registered Member

Hungry Man Registered Member

elapsed Registered Member

Log in or Sign up

Hackers break SSL encryption used by millions of sites

tlu Guest

lotuseclat79 Registered Member

elapsed Registered Member

Hungry Man Registered Member

Escalader Registered Member

Hungry Man Registered Member

elapsed Registered Member

Hungry Man Registered Member

elapsed Registered Member

Hungry Man Registered Member

Escalader Registered Member

elapsed Registered Member

elapsed Registered Member

CloneRanger Registered Member

vasa1 Registered Member

vasa1 Registered Member

Searching_ _ _ Registered Member

vasa1 Registered Member

elapsed Registered Member

Hungry Man Registered Member

Searching_ _ _ Registered Member

elapsed Registered Member

Searching_ _ _ Registered Member

Hungry Man Registered Member

elapsed Registered Member

Useful Searches