Protecting against HTTPS "Forbidden Attack"?

barbaz
Senior Member
Posts: 9147
Joined: Sat Aug 03, 2013 5:45 pm

Protecting against HTTPS "Forbidden Attack"?

Post by barbaz » Fri May 27, 2016 12:09 am

http://arstechnica.com/security/2016/05/faulty-https-settings-leave-dozens-of-visa-sites-vulnerable-to-forgery-attacks/
Is it possible for a client to protect itself against this type of MITM attack, and if so how? (Does NoScript help here?)
*Always* check the changelogs BEFORE updating that important software!
-

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Protecting against HTTPS "Forbidden Attack"?

Post by Thrawn » Fri May 27, 2016 5:47 am

Catastrophic failure upon nonce reuse sounds like AES in Galois-Counter Mode. It's an effective and fast mode, but it absolutely must not reuse nonces. It's perfectly acceptable, even a good idea, for AES-GCM to use sequential nonces; but if implementors choose random nonces instead, then eventually you can expect a repeat. With the results described.

I'm not sure how much protection you'd get by disabling GCM ciphers.

NoScript won't do much, though. The attack scenario is someone wiretapping.

Update: Oops, didn't see the lower half of the article. Yep, it's AES-GCM using random nonces instead of sequential.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0

barbaz
Senior Member
Posts: 9147
Joined: Sat Aug 03, 2013 5:45 pm

Re: Protecting against HTTPS "Forbidden Attack"?

Post by barbaz » Fri May 27, 2016 3:11 pm

The sort of counter-measure I was first thinking is something like, if the client notices nonce re-use, abort the connection and throw a warning, with options to connect despite insecurity or just get out. Sort of like how SeaMonkey currently handles insecure certificates.

How hard would it be to implement this? And given that NoScript is part of Tor Browser, where this stuff REALLY matters, is it something NoScript should implement?
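Thrawn's point above (sequential GCM nonces cannot repeat, random ones eventually do) and barbaz's proposed counter-measure (a client that notices a repeated nonce and aborts) can both be shown in a few lines. The following is an added illustration, not code from this thread, from NoScript, or from any TLS stack; it assumes the TLS 1.2 AES-GCM nonce layout (4-byte implicit salt followed by an 8-byte explicit part), and all function and class names are hypothetical. The "broken RNG" is a constructed sample that repeats early, standing in for the faulty servers in the article; the birthday-bound helper shows why a sound RNG only pushes the repeat out rather than removing it.

```python
"""Client-side AES-GCM nonce-reuse check (added example, hypothetical names)."""
import itertools
import secrets
from math import exp
from typing import Callable, Iterable, Optional

NONCE_LEN = 12  # 96-bit GCM nonce, as used by the TLS AES-GCM cipher suites


class NonceReuseError(Exception):
    """A nonce repeated under one key: the only safe response is to abort."""


class NonceReuseDetector:
    """Remembers every nonce seen under one AES-GCM key (one direction of one
    TLS connection) and refuses a repeat.  Memory grows with the number of
    records, which is acceptable for a single connection."""

    def __init__(self) -> None:
        self._seen = set()

    def observe(self, nonce: bytes) -> None:
        if len(nonce) != NONCE_LEN:
            raise ValueError(f"GCM nonce must be {NONCE_LEN} bytes, got {len(nonce)}")
        if nonce in self._seen:
            raise NonceReuseError(f"nonce {nonce.hex()} reused; aborting connection")
        self._seen.add(nonce)


def sequential_nonces(implicit_salt: bytes, count: int) -> Iterable[bytes]:
    """Sequential construction: fixed 4-byte salt plus an 8-byte record counter.
    Cannot repeat before 2**64 records, so the detector never fires."""
    if len(implicit_salt) != 4:
        raise ValueError("implicit salt must be 4 bytes")
    for seq in range(count):
        yield implicit_salt + seq.to_bytes(8, "big")


def random_nonces(count: int, rng: Callable[[int], bytes] = secrets.token_bytes) -> Iterable[bytes]:
    """Random construction, as the affected servers used.  With a sound RNG a
    repeat is a birthday-bound event; with a weak RNG it arrives early."""
    for _ in range(count):
        yield rng(NONCE_LEN)


def first_reuse_index(nonces: Iterable[bytes]) -> Optional[int]:
    """Run a nonce stream through the detector.  Returns the record index at
    which reuse was detected (where a client would abort), or None if clean."""
    detector = NonceReuseDetector()
    for index, nonce in enumerate(nonces):
        try:
            detector.observe(nonce)
        except NonceReuseError:
            return index
    return None


def collision_probability(records: int, nonce_bits: int = 96) -> float:
    """Birthday bound: probability of at least one repeat among `records`
    uniformly random nonces, P ~= 1 - exp(-n(n-1) / 2^(bits+1))."""
    return 1.0 - exp(-records * (records - 1) / 2 ** (nonce_bits + 1))


# Constructed sample: a broken RNG that cycles through four fixed values, so
# the fifth nonce (index 4) equals the first and the detector fires there.
_BROKEN_TABLE = [bytes([b]) * NONCE_LEN for b in (0x11, 0x22, 0x33, 0x44)]


def make_broken_rng() -> Callable[[int], bytes]:
    cycle = itertools.cycle(_BROKEN_TABLE)
    return lambda n: next(cycle)


if __name__ == "__main__":
    print("sequential:", first_reuse_index(sequential_nonces(b"\x00\x01\x02\x03", 10_000)))
    print("broken rng:", first_reuse_index(random_nonces(10, make_broken_rng())))
    for n in (2**32, 2**40, 2**48):
        print(f"{n:>16} random records -> P(reuse) = {collision_probability(n):.3g}")
```

The detector is the "abort and warn" behaviour barbaz describes, minus the override option, because a repeated nonce means the authentication key material is already compromised for that connection. The birthday figures show the other half of Thrawn's point: a correct 96-bit random nonce reaches a roughly 40% reuse chance only after about 2^48 records, so a repeat observed early on is itself a sign of a broken generator rather than bad luck.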

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Protecting against HTTPS "Forbidden Attack"?

Post by Thrawn » Wed Jun 01, 2016 4:59 am

Is it possible for a client to do this? Yes. How hard? Um...I don't know, but it sounds like it would come dangerously close to crypto-related code. Which, given a choice, I wouldn't want to touch with a 10-foot pole.

There shouldn't be any option to override, though. Nonce reuse in AES-GCM = failure.

barbaz
Senior Member
Posts: 9147
Joined: Sat Aug 03, 2013 5:45 pm

Re: Protecting against HTTPS "Forbidden Attack"?

Post by barbaz » Wed Jun 01, 2016 3:15 pm

Thrawn wrote: it sounds like it would come dangerously close to crypto-related code. Which, given a choice, I wouldn't want to touch with a 10-foot pole.

Yeah, me neither.

Thrawn wrote: There shouldn't be any option to override, though. Nonce reuse in AES-GCM = failure.

So it's worse than plain HTTP in terms of security?

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Protecting against HTTPS "Forbidden Attack"?

Post by Thrawn » Thu Jun 02, 2016 3:24 am

barbaz wrote: So it's worse than plain HTTP in terms of security?

If you're concerned about having a false sense of security - certainly.
