SSL security flaw discovered
- tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
SSL security flaw discovered
New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies (ThreatPost) and Hackers break SSL encryption used by millions of sites (the Register) talk about a new vulnerability in SSL 3 and TLS 1 that allows attackers to silently decrypt data that's passing between a webserver and an end-user's browser.
"the researchers have developed a tool called BEAST that enables them to grab and decrypt HTTPS cookies from active user sessions. The attack can even decrypt cookies that are marked HTTPS only from sites that use HTTP Strict Transport Security, which forces browsers to communicate over TLS/SSL when it's available."
Supposedly versions 1.1 and 1.2 of TLS aren't susceptible. However, the NSS libraries used by Mozilla applications only support TLS version 1 (and SSL 2.0 and 3.0).
Implement support for TLS 1.2 (RFC 5246) bug report
Implement TLS 1.2 mechanisms in softoken bug report
(RFC4346) Implement TLS 1.1 (RFC 4346) bug report
Please do not comment in the above bug reports, as they are not discussion forums and already have enough bugspam, which can impact on being fixed.
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
http://news.ycombinator.com/item?id=3015498 talks about "You don't need to inject code, you need to inject traffic. Injecting code into client is only one way to do that. For example in many VPN deployments you can inject traffic into secure channel directly." By code they mean malicious javascript code.
Supposedly Opera supports and uses TLS 1.2 by default, Windows 7 with IE8 supports TLS 1.0, 1.1 and 1.2 while defaulting to 1.0, while XP with IE8 supports TLS 1. If I understand http://code.google.com/p/chromium/issue ... l?id=90392 correctly Chrome uses NSS.
Can somebody more knowledgeable comment? My impression is that it's not something that impacts users yet, it's basically a wake up call that TLS 1.2 support can't be delayed much more.
Last edited by James on September 20th, 2011, 6:07 pm, edited 2 times in total.
Reason: Added comment in bugzilla note.
-
Astrophizz
- Posts: 235
- Joined: March 13th, 2011, 1:15 pm
Re: SSL security flaw discovered
Opera supports TLS 1.2 but I don't believe it has it (or TLS 1.1) on by default. At least in my installs it isn't on by default.
-
Elbart
- Posts: 997
- Joined: February 21st, 2010, 8:38 am
Re: SSL security flaw discovered
Doesn't matter what the browsers support as long as the servers are using 1.0.
gone
-
Astrophizz
- Posts: 235
- Joined: March 13th, 2011, 1:15 pm
Re: SSL security flaw discovered
True, I was just clarifying something that had been misstated (originally) in The Register. Some people are arguing that this isn't a big deal but if it is I'd expect Firefox and Chrome to prioritize it for the next release or as an emergency release.
- Omega X
- Posts: 8225
- Joined: October 18th, 2007, 2:38 pm
- Location: A Parallel Dimension...
Re: SSL security flaw discovered
Fx7 releases in a week. I doubt that they will hold it back. However, I can see this becoming a priority for a point release or Fx8.
-
Astrophizz
- Posts: 235
- Joined: March 13th, 2011, 1:15 pm
Re: SSL security flaw discovered
Yeah I meant prioritize for the next release within reason.
- patrickjdempsey
- Posts: 23686
- Joined: October 23rd, 2008, 11:43 am
- Location: Asheville NC
- Contact:
Re: SSL security flaw discovered
So this attack first requires a MITM attack and then some browser code injection? Pretty sophisticated stuff... and it also sounds like there's not much that can be done about it without requiring that all servers update to a more modern version of TLS.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
- Scarlettrunner20
- Posts: 1016
- Joined: February 13th, 2003, 5:06 pm
Re: SSL security flaw discovered
The real problem here is the standoff between browser makers and websites. Security experts have been warning for several years now that the move to TLS 1.2 needs to be made before something like this BEAST tool gets into the wild. But the browsers and websites have been pointing fingers at each other saying in essence "you go first" and that has resulted in nothing much happening. So, the fact that Opera is ready (so is Safari) doesn't help if the website servers are still using only TLS 1.0.
From reading the second bug that tanstaafl listed, a lot of it was over my head, but I could see nonetheless that this is not something that is easy and quick for developers to add to Fx and SeaMonkey. The first bug listed (which is very readable as far as understanding) shows adding TLS 1.2 to be an "enhancement" so not a high priority at all. I suspect that will change as soon as this demonstration is finished.
Try this if you have Opera:
go to "boh.com" (This is Bank of Hawaii ...Forbes choice for three years now as best bank in the USA. They were pioneers of online banking many years ago).
The entire site is secure. You should see the Equifax cert (if you click on the lock) and it will say TLS 1.0.
Next, open Opera Preferences, Advanced tab, Security Protocols, and then uncheck use TLS 1.0. On the popup where you have unchecked use TLS 1.0 click on Details button. Uncheck EVERYTHING.
Now again go to boh.com. You will get a blank page and no lock but if you click on the icon on the left of the address, it will say "unencrypted connection". Click on Details and then on the Security tab on the popup window. It will inform you that the connection is insecure and in PLAIN TEXT.
This little demo shows that it doesn't matter that Opera has TLS 1.2 supported because ONLY TLS 1.0 is used. This fact is obvious also from the Security Protocols tab where the list of ciphers that can be enabled is seen. ALL ciphers listed are for TLS 1.0 ONLY. Currently, ONLY TLS 1.0 can be used no matter how ready or unready a browser is for TLS 1.2. This means if a tool like BEAST gets into the wild anytime soon we are going to have a major mess.
Edit: Playing with the list of ciphers in Opera is quite interesting. A few that are checked by default have low security. In the past, I experimented and unchecked a few of them thus forcing the webservers to use higher encryption. Doing this caused errors with some sites and I was able to learn what sites that I go to regularly (like banking sites that use SSL) only use lower, less secure ciphers. It opened my eyes to how dependent we are on what the site's server is set up to use and that, in many cases even of bank sites, is weak ciphers. I wish Fx had the ability for the user to set which ciphers are used as websites are not likely to improve which ciphers their servers use unless users ask them to do so and that takes knowledge of which ciphers they are currently using and you can get this information in Opera but not Fx.
-
Astrophizz
- Posts: 235
- Joined: March 13th, 2011, 1:15 pm
Re: SSL security flaw discovered
Scarlettrunner20 wrote: Next, open Opera Preferences, Advanced tab, Security Protocols, and then uncheck use TLS 1.0. On the popup where you have unchecked use TLS 1.0 click on Details button. Uncheck EVERYTHING.
Now again go to boh.com. You will get a blank page and no lock but if you click on the icon on the left of the address, it will say "unencrypted connection". Click on Details and then on the Security tab on the popup window. It will inform you that the connection is insecure and in PLAIN TEXT.
Do you mean uncheck everything BUT TLS 1.2? If you uncheck everything of course the connection will be insecure. If you only have TLS 1.2 checked and the site doesn't support TLS 1.2 then it will make an insecure connection instead.
- Scarlettrunner20
- Posts: 1016
- Joined: February 13th, 2003, 5:06 pm
Re: SSL security flaw discovered
Astrophizz wrote: Do you mean uncheck everything BUT TLS 1.2? If you uncheck everything of course the connection will be insecure. If you only have TLS 1.2 checked and the site doesn't support TLS 1.2 then it will make an insecure connection instead.
Yes, keep TLS1.2 checked. Then click on the "Details" button and uncheck all boxes next to the listed ciphers.
It is just a demo or example of what happens if you try to force your browser to use ONLY TLS1.2.
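What the server actually picked is visible in its ServerHello, which is what the Opera demo in the posts above shows through the UI. Added example (not from any poster in this thread): a Python parser for a ServerHello record that reports the chosen version and cipher suite and flags a CBC suite on SSL 3.0/TLS 1.0. The function names, the small cipher-suite table and the sample records are constructed for illustration.

```python
import struct

# Small subset of IANA cipher suite ids, enough for the constructed samples.
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_server_hello(record: bytes) -> dict:
    """Return the version and cipher suite the server chose in its ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a complete handshake record starting with ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Fixed part: server_version(2) + random(32) + session_id length(1)
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    off = 35 + hello[34]  # skip the variable-length session_id
    if len(hello) < off + 3:  # cipher_suite(2) + compression_method(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    name = SUITES.get(suite, f"unknown(0x{suite:04X})")
    return {
        "version": VERSIONS.get(version, f"unknown(0x{version:04X})"),
        "cipher": name,
        # Per the thread: the attack is on CBC in SSL 3.0/TLS 1.0; TLS 1.1/1.2 are not susceptible.
        "cbc_on_tls10_or_older": version <= 0x0301 and "_CBC_" in name,
    }


def make_server_hello(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (not captured traffic) for testing."""
    hello = struct.pack("!H", version) + bytes(32) + bytes([len(session_id)]) + session_id
    hello += struct.pack("!HB", suite, 0)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs
```
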
- Handle With Care
- Posts: 753
- Joined: September 15th, 2004, 9:14 am
Re: SSL security flaw discovered
Seems to me, if Chrome can do it so easily http://www.theregister.co.uk/2011/09/21 ... for_beast/ why can't Firefox?
As for enabling TLS 1.2, I seem to remember having seen that selection once upon a time, but damned if I can find it now. All I see now is Use SSL 3.0 and Use TLS 1.0. Any help?
AMD A8-3800 APU Radion HD Graphics 2.40 GHz; 64-bit Win-7 SP1 Home Premium w/latest patches; Fx 91.0.1 (64-bit); Tb 92.0B3(64bit)
EFnet oper irc.Prison.NET
- Omega X
- Posts: 8225
- Joined: October 18th, 2007, 2:38 pm
- Location: A Parallel Dimension...
Re: SSL security flaw discovered
Handle With Care wrote: Seems to me, if Chrome can do it so easily http://www.theregister.co.uk/2011/09/21 ... for_beast/ why can't Firefox?
That's a stop gap solution to defeat the BEAST. Hopefully it will buy a few more months before the hackers get around it.
As for enabling TLS 1.2, I seem to remember having seen that selection once upon a time, but damned if I can find it now. All I see now is Use SSL 3.0 and Use TLS 1.0. Any help?
NSS doesn't have TLS 1.2 yet. Which means Firefox won't have it either. It's also the reason why Google came up with the "fragment" solution. Since both Google and Mozilla use NSS, they both will probably have to collaborate to get TLS1.2 integrated quickly.
The Register wrote: A quick review of Mozilla's developer website showed no signs that a similar fix is being planned for the Firefox browser.
I hope that they didn't check MDN expecting something special. It's probably locked behind a closed bug in bugzilla.
- Scarlettrunner20
- Posts: 1016
- Joined: February 13th, 2003, 5:06 pm
Re: SSL security flaw discovered
Is the Chrome fix the same fix Giorgio Maone says is easy to do and will be implemented very soon for Mozilla browsers?
Maone says he can't reveal more because Mozilla has the bug embargoed as security sensitive so he can't speak freely until Mozilla lifts the embargo.
He also says that even with the easy fix he expects that plugins will remain vulnerable and the attack will be able to succeed through them even in a "fixed" browser!
http://forums.informaction.com/viewtopic.php?f=7&t=7238
- tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
Re: SSL security flaw discovered
Beast demonstrated last Friday
Security impact of the Rizzo/Duong CBC "BEAST" attack
https://bugzilla.mozilla.org/show_bug.cgi?id=665814 - (CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0 (facilitated by websockets -76)
-
Anonymosity
- Posts: 8772
- Joined: May 7th, 2007, 12:07 pm
Re: SSL security flaw discovered
Scarlettrunner20 wrote: So, the fact that Opera is ready (so is Safari) doesn't help if the website servers are still using only TLS 1.0.
How do you know that Safari has TLS 1.2? Where do you look to see that? I could not see anywhere in Safari's settings where it mentions anything about security protocols.