Hackers break SSL encryption used by millions of sites


Re: Hackers break SSL encryption used by millions of sites

by Giorgio Maone » Tue Sep 27, 2011 7:34 pm

This is the bug I originally referred to. While the protocol itself was and is vulnerable, the specific websocket implementation in Firefox was found not to be exploitable.

Re: Hackers break SSL encryption used by millions of sites

by dhouwn » Tue Sep 27, 2011 7:12 pm

therube wrote:"We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so. ..."
Here is the bug for it: Bug 689661 - Block Java Plugin due to security vulnerabilities (BEAST TLS and bug in same-origin-policy)

And here is the one filed for NSS (the library doing that certificate/encryption stuff in Firefox) concerning this attack: Bug 665814 - (CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0 (facilitated by websockets -76)

Video: http://www.youtube.com/watch?v=BTqAIDVUvrU

Re: Hackers break SSL encryption used by millions of sites

by therube » Tue Sep 27, 2011 5:47 pm

"...

Status

Firefox itself is not vulnerable to this attack. While Firefox does use TLS 1.0 (the version of TLS with this weakness), the technical details of the attack require the ability to completely control the content of connections originating in the browser which Firefox does not allow.

The attackers have, however, found weaknesses in Java plugins that permit this attack. We recommend that users disable Java from the Firefox Add-ons Manager as a precaution. We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so. ..."

http://blog.mozilla.com/security/2011/0 ... nications/

Re: Hackers break SSL encryption used by millions of sites

by dhouwn » Sat Sep 24, 2011 1:16 pm

Interesting read on this from a Chrome developer also partly explaining what is needed for exploiting this and possible workarounds on the TLS protocol level:
http://www.imperialviolet.org/2011/09/2 ... beast.html
(though I can't quite believe that stream ciphers like RC4 are that much better in this case)

Re: Hackers break SSL encryption used by millions of sites

by Giorgio Maone » Wed Sep 21, 2011 4:12 pm

dhouwn wrote:
When Mozilla opens the still embargoed security-sensitive bug report.
Am I right assuming that this might take a while should it be true that the security issue is in the protocol and not the implementation and that only switching to TLS 1.1 or newer would really fix it?
Actually a relatively easy work-around at the implementation level is possible, so I expect this to be fixed quite soon in the browser.
Unfortunately the worst problem is that even if the browser gets fixed, plugins still remain vulnerable and can be used to mount an attack even inside a "fixed" browser.

Re: Hackers break SSL encryption used by millions of sites

by dhouwn » Wed Sep 21, 2011 4:03 pm

When Mozilla opens the still embargoed security-sensitive bug report.
Am I right assuming that this might take a while should it be true that the security issue is in the protocol and not the implementation and that only switching to TLS 1.1 or newer would really fix it? (be it that being harsher on mixed-content won't cut it)
Giorgio Maone wrote:but in order to do that he must already control your DNS and/or your network (i.e. he's your internet provider or you're behind a hostile proxy).
I want to add: Controlling a network might be quite easy in some cases, just think of ARP poisoning, WEP, the security issues of GSM/3G…

Re: Hackers break SSL encryption used by millions of sites

by Giorgio Maone » Wed Sep 21, 2011 12:53 pm

kukla wrote:since almost any SSL site I might go to, such as banking or making a purchase, would require that JavaScript be enabled.
JavaScript and plugins need to be allowed on the site of the attacker for the attack to succeed.

Of course if the victim site uses a mixed SSL policy (i.e. it's NOT forced to HTTPS either by HSTS or by NoScript's explicit HTTPS enforcement, something which shouldn't be condoned to any financial institution) the attacker might be able to inject its code directly inside the unencrypted victim pages, but in order to do that he must already control your DNS and/or your network (i.e. he's your internet provider or you're behind a hostile proxy).

In such extreme (and rather uncommon) situations you should raise your NoScript Option|Advanced|Forbid active web content unless it comes from a secure (HTTPS) connection setting to the appropriate level, even though this means browsing non-HTTPS websites may become quite painful.
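
A defender-side check for the two conditions raised in this thread (a TLS 1.0 connection using a block cipher, and a site that is not forced to HTTPS by HSTS), added here as an example and not written by any poster, Mozilla or NoScript. The record fields, finding labels and host names are hypothetical, and the sample observations are constructed.

```python
import re

# Versions that chain each CBC IV from the previous record (changed in TLS 1.1).
CHAINED_IV_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.0"}


def cbc_with_chained_iv(version, cipher):
    """True when the negotiated pair has the TLS 1.0 weakness discussed above.

    SSLv3/TLS 1.0 suites are NULL, the RC4 stream cipher, or a block cipher
    in CBC mode, so anything that is not NULL/RC4 is CBC at those versions.
    """
    if version not in CHAINED_IV_VERSIONS:
        return False
    name = cipher.upper()
    return "RC4" not in name and "NULL" not in name


def hsts_enforced(header):
    """True when a Strict-Transport-Security header carries max-age > 0."""
    if not header:
        return False
    m = re.search(r"(?i)\bmax-age\s*=\s*\"?(\d+)", header)
    return bool(m) and int(m.group(1)) > 0


def audit(record):
    """Return the list of findings for one observed connection."""
    findings = []
    if cbc_with_chained_iv(record["version"], record["cipher"]):
        findings.append("cbc-chained-iv")
    if "RC4" in record["cipher"].upper():
        findings.append("rc4")  # avoids the CBC issue, but RFC 7465 prohibits RC4
    if not hsts_enforced(record.get("hsts")):
        findings.append("no-hsts")  # first plain-HTTP request is open to tampering
    return findings


# Constructed sample observations (hypothetical hosts, OpenSSL-style suite names).
SAMPLES = [
    {"host": "bank.example", "version": "TLSv1", "cipher": "AES128-SHA", "hsts": None},
    {"host": "shop.example", "version": "TLSv1", "cipher": "RC4-SHA", "hsts": "max-age=0"},
    {"host": "mail.example", "version": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
     "hsts": "max-age=31536000; includeSubDomains"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["host"], audit(rec) or "ok")
```

The `version` and `cipher` strings follow what Python's `ssl.SSLSocket.version()` and `cipher()` report, so records can be built from real handshakes against hosts you operate.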

Re: Hackers break SSL encryption used by millions of sites

by kukla » Wed Sep 21, 2011 12:14 pm

Giorgio Maone wrote:I can confirm that having both JavaScript and plugins disabled effectively prevents this attack from succeeding.
I'm very glad to have NoScript and the protection it usually affords, but to me, unfortunately, this doesn't give much comfort, since almost any SSL site I might go to, such as banking or making a purchase, would require that JavaScript be enabled.

Re: Hackers break SSL encryption used by millions of sites

by Giorgio Maone » Tue Sep 20, 2011 8:50 pm

al_9x wrote:
Giorgio Maone wrote:I know the details (which I cannot reveal yet)
When can you reveal them?
When Mozilla opens the still embargoed security-sensitive bug report.

Re: Hackers break SSL encryption used by millions of sites

by al_9x » Tue Sep 20, 2011 7:55 pm

Giorgio Maone wrote:I know the details (which I cannot reveal yet)
When can you reveal them?

Re: Hackers break SSL encryption used by millions of sites

by Giorgio Maone » Tue Sep 20, 2011 5:50 pm

I know the details (which I cannot reveal yet), and I can confirm that having both JavaScript and plugins disabled effectively prevents this attack from succeeding.
For better protection on hostile networks, use NoScript Options|Embeddings|Apply these restrictions to whitelisted sites as well (AKA "FlashBlock mode").

Re: Hackers break SSL encryption used by millions of sites

by dhouwn » Tue Sep 20, 2011 3:17 pm

I don't get it. So JS is used to send particular data in an SSL session that can then help in decrypting other data in that same session? So it's some sort of chosen-plaintext attack?

Hackers break SSL encryption used by millions of sites

by tlu » Tue Sep 20, 2011 11:50 am

http://www.theregister.co.uk/2011/09/19 ... aypal_ssl/

This sounds really horrible.
BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection.
The details will be revealed later this week. Hopefully, Noscript can protect against this JS injection which is obviously necessary for this attack.
