Protecting against HTTPS "Forbidden Attack"?

Posted: Fri May 27, 2016 12:09 am
by barbaz
http://arstechnica.com/security/2016/05 ... y-attacks/
Is it possible for a client to protect itself against this type of MITM attack, and if so how? (Does NoScript help here?)

Re: Protecting against HTTPS "Forbidden Attack"?

Posted: Fri May 27, 2016 5:47 am
by Thrawn
Catastrophic failure upon nonce reuse sounds like AES in Galois-Counter Mode. It's an effective and fast mode, but it absolutely must not reuse nonces. It's perfectly acceptable, even a good idea, for AES-GCM to use sequential nonces; but if implementors choose random nonces instead, then eventually you can expect a repeat. With the results described.

I'm not sure how much protection you'd get by disabling GCM ciphers.

NoScript won't do much, though. The attack scenario is someone wiretapping.

Update: Oops, didn't see the lower half of the article. Yep, it's AES-GCM using random nonces instead of sequential.

Re: Protecting against HTTPS "Forbidden Attack"?

Posted: Fri May 27, 2016 3:11 pm
by barbaz
The sort of counter-measure I was first thinking is something like, if the client notices nonce re-use, abort the connection and throw a warning, with options to connect despite insecurity or just get out. Sort of like how SeaMonkey currently handles insecure certificates.

How hard would it be to implement this? And given that NoScript is part of Tor Browser, where this stuff REALLY matters, is it something NoScript should implement?
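
Added example (not code from this thread, NoScript or SeaMonkey): a client-side nonce-reuse check of the kind barbaz describes, written in Python against the TLS 1.2 AES-GCM record layout from RFC 5288 (the records here are constructed fakes with dummy ciphertext and tags), plus the birthday-bound estimate behind Thrawn's "eventually you can expect a repeat".

```python
import math
import struct

class NonceReuseError(Exception):
    """A nonce repeated under the same key: abort the connection, no override."""

class GcmNonceTracker:
    """Tracks the 8-byte explicit nonce of each TLS 1.2 AES-GCM record (RFC 5288).

    The full 12-byte GCM nonce is a per-key 4-byte salt plus the explicit part
    sent in the record, so a repeated explicit part is a repeated nonce. Clear
    the set only when the connection rekeys (new handshake).
    """
    def __init__(self):
        self.seen = set()

    def observe_record(self, record: bytes) -> bytes:
        """Check one record; return its explicit nonce or raise on reuse."""
        if len(record) < 5 + 8 + 16:  # header + explicit nonce + 16-byte tag
            raise ValueError("record too short for an AES-GCM record")
        explicit_nonce = record[5:13]
        if explicit_nonce in self.seen:
            raise NonceReuseError(f"explicit nonce repeated: {explicit_nonce.hex()}")
        self.seen.add(explicit_nonce)
        return explicit_nonce

def make_record(explicit_nonce: bytes, payload: bytes = b"\x00" * 20) -> bytes:
    """Constructed TLS 1.2 record: header, explicit nonce, fake ciphertext, fake tag."""
    header = b"\x17\x03\x03" + struct.pack("!H", 8 + len(payload) + 16)
    return header + explicit_nonce + payload + b"\x00" * 16

def sequential_records(n: int) -> list:
    """Records from a peer whose explicit nonce is a counter (never repeats)."""
    return [make_record(struct.pack("!Q", i)) for i in range(n)]

def scan(records) -> int:
    """How many records a client accepts before it would abort on nonce reuse."""
    tracker, accepted = GcmNonceTracker(), 0
    for rec in records:
        try:
            tracker.observe_record(rec)
        except NonceReuseError:
            return accepted
        accepted += 1
    return accepted

def collision_probability(messages: int, nonce_bits: int = 64) -> float:
    """Birthday bound: chance that `messages` random explicit nonces repeat one."""
    return 1.0 - math.exp(-messages * (messages - 1) / (2.0 * 2 ** nonce_bits))
```

With 64-bit random explicit nonces the bound passes roughly 39% after 2^32 records, which is why a counter is the right choice and why a detector like this should abort rather than warn.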

Re: Protecting against HTTPS "Forbidden Attack"?

Posted: Wed Jun 01, 2016 4:59 am
by Thrawn
Is it possible for a client to do this? Yes. How hard? Um...I don't know, but it sounds like it would come dangerously close to crypto-related code. Which, given a choice, I wouldn't want to touch with a 10-foot pole.

There shouldn't be any option to override, though. Nonce reuse in AES-GCM = failure.

Re: Protecting against HTTPS "Forbidden Attack"?

Posted: Wed Jun 01, 2016 3:15 pm
by barbaz
Thrawn wrote: it sounds like it would come dangerously close to crypto-related code. Which, given a choice, I wouldn't want to touch with a 10-foot pole.
Yeah, me neither.
Thrawn wrote: There shouldn't be any option to override, though. Nonce reuse in AES-GCM = failure.
So it's worse than plain HTTP in terms of security?

Re: Protecting against HTTPS "Forbidden Attack"?

Posted: Thu Jun 02, 2016 3:24 am
by Thrawn
barbaz wrote: So it's worse than plain HTTP in terms of security?
If you're concerned about having a false sense of security - certainly.