SSL encryption technology needs to be redesigned from the ground up
Sep. 27, 2011
With the decryption of an SSL-protected PayPal browser cookie at a security conference on September 23, it became official: the internet's foundation of trust has suffered another serious fracture, one that will need the attention of the industry's best minds if SSL technology is to be trusted at all.
Within just a few hours of the demonstration by internet security researchers Juliano Rizzo and Thai Duong, Google researcher Adam Langley signaled his growing acceptance that SSL (secure sockets layer) and its successor TLS 1.0, the decade-old cryptographic standards that protect web sites and eCommerce sites using the https prefix, were susceptible to an attack that had previously been considered impractical.
The result: by exploiting the way TLS 1.0 chains CBC (cipher block chaining) mode across records, using the last ciphertext block of one record as the initialization vector of the next, an attacker who can inject chosen plaintext into a victim's session can quietly decrypt portions of the encrypted traffic. That is a serious breach of a technology the industry had, in practice, treated as secure, even though the underlying CBC weakness had been described in the literature years earlier and was already fixed in TLS 1.1.
“The CBC attacks were believed to be largely theoretical but, as Duong and Rizzo have pointed out Friday, that's no longer the case,” Langley wrote.
He went on to say that, as previously reported, developers of Google's Chrome browser are experimenting with a work-around (splitting each application record so that its first encrypted block carries only a single byte of data, which denies the attacker control of a full plaintext block) but are not yet sure whether it will break compatibility with some websites that still use SSL.
He added that Google's own servers are largely resistant to the attack because they prefer the RC4 cipher, a stream cipher that doesn't use CBC, although how far that protection extends wasn't certain at the time. RC4 has since been shown to have exploitable keystream biases of its own and is now prohibited in TLS by RFC 7465, so preferring RC4 is a stopgap; the durable fix is TLS 1.1 or later, which gives each record its own unpredictable IV, or an AEAD cipher suite in TLS 1.2.
Yesterday, both Microsoft and Mozilla acknowledged that their software was also affected. An advisory issued by Microsoft recommends that websites follow Google's lead and favor the RC4 cipher while Redmond's engineers develop a Windows update to patch the underlying weakness.
For its part, Mozilla made public a three-month-old discussion of the underlying vulnerability and of the best way to repair it without breaking a huge number of websites that have been running for years.
And Duong and Rizzo's exploit isn't easy to pull off either. The attacker must already be positioned on the victim's network path, able to observe the encrypted traffic and to get requests injected into the victim's session, and can only recover secret data that is sent repeatedly and at a predictable position in the encrypted stream.
They must also have a way around a safety mechanism built into browsers known as the SOP (same-origin policy), which prevents code loaded from one origin (scheme, host and port) from reading data that belongs to another. BEAST needs attacker-controlled code running in the victim's browser to send requests to the target site, over the victim's own encrypted connection, with attacker-chosen bytes placed directly in front of the cookie, and the SOP is what normally stops a page from doing that.
To get around the SOP, the researchers used a Java applet, but they said there are other ways of achieving the same thing.
But as Duong and Rizzo demonstrated Friday, those constraints weren't enough to stop them from revealing the plaintext of a supposedly SSL-protected browser cookie that is transmitted with every request a logged-in PayPal user makes on the payments website.
Using what is presumed to be a broadband connection somewhere in Mountain View, California, Duong recovered the authentication cookie in about two minutes, which gave him everything he needed to take over the victim's logged-in session.
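The following is an added example, not code from Rizzo and Duong or from any vendor named above: a self-contained Python model of the chosen-boundary attack just described, run both against TLS 1.0-style chaining (the IV of each record is the previous record's last ciphertext block) and against TLS 1.1-style per-record random IVs. A small Feistel network built on HMAC-SHA256 stands in for AES, MAC and padding are left out, and the "browser" simply appends a cookie to whatever the attacker's script asks it to send. The class and function names, the cookie value and the "Cookie: sid=" prefix are all invented for the demonstration.

```python
"""Model of the BEAST chosen-boundary attack on CBC-mode TLS 1.0 (added example).
Toy cipher, no MAC, no padding scheme; the attack logic is the real one."""
import hashlib
import hmac
import os

BLOCK = 16
COOKIE_HEADER = b"Cookie: sid="   # known bytes that sit in front of the secret in every request


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed permutation on 16-byte blocks: 4-round Feistel with HMAC-SHA256 as round
    function. A stand-in for AES; any deterministic block cipher behaves the same in CBC."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class CbcRecordWriter:
    """Sender side of a CBC-mode TLS connection.
    predictable_iv=True models TLS 1.0: each record's IV is the last ciphertext block
    of the previous record. False models TLS 1.1+: a fresh random IV per record."""

    def __init__(self, key: bytes, predictable_iv: bool):
        self.key = key
        self.predictable_iv = predictable_iv
        self.last_block = os.urandom(BLOCK)   # initial IV from the handshake

    def send_record(self, plaintext: bytes) -> bytes:
        plaintext += b"\x00" * (-len(plaintext) % BLOCK)   # toy padding
        prev = self.last_block if self.predictable_iv else os.urandom(BLOCK)
        out = []
        for i in range(0, len(plaintext), BLOCK):
            prev = toy_block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.last_block = prev
        return b"".join(out)


class VictimBrowser:
    """Attacker-injected code can make the browser send requests whose leading bytes
    it chooses; the browser appends the session cookie to each one."""

    def __init__(self, key: bytes, secret: bytes, predictable_iv: bool):
        self.writer = CbcRecordWriter(key, predictable_iv)
        self.secret = secret
        self.requests = 0

    def request(self, attacker_bytes: bytes) -> bytes:
        self.requests += 1
        return self.writer.send_record(attacker_bytes + COOKIE_HEADER + self.secret)


def beast_recover(victim: VictimBrowser, secret_len: int):
    """Attacker side: sees every ciphertext on the wire and chooses the request prefix.
    Returns the recovered cookie, or None if no guess for some byte ever matched
    (which is what happens when the IV is unpredictable)."""
    observed_last = victim.request(b"")[-BLOCK:]   # learn the current chaining block
    known = b""
    for i in range(secret_len):
        # Choose a prefix length that puts secret[i] in the LAST position of a block,
        # so the 15 bytes before it (prefix tail, header, recovered bytes) are known.
        pad = (BLOCK - 1 - len(COOKIE_HEADER) - i) % BLOCK
        prefix = b"A" * pad
        ct = victim.request(prefix)
        t = (pad + len(COOKIE_HEADER) + i) // BLOCK     # index of the target block
        blocks = [observed_last] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
        c_prev, c_target = blocks[t], blocks[t + 1]      # C_{t-1} and C_t
        observed_last = ct[-BLOCK:]
        window = (prefix + COOKIE_HEADER + known)[t * BLOCK:]   # 15 known plaintext bytes
        found = None
        for guess in range(256):
            guess_block = window + bytes([guess])
            # TLS 1.0 will use observed_last as the IV of the next record, so this probe
            # makes its first cipher block E(guess_block XOR C_{t-1}), which equals C_t
            # exactly when the guessed byte is right.
            probe = xor(xor(guess_block, c_prev), observed_last)
            ct = victim.request(probe)
            observed_last = ct[-BLOCK:]
            if ct[:BLOCK] == c_target:
                found = guess
                break
        if found is None:
            return None
        known += bytes([found])
    return known


def demo(predictable_iv: bool, cookie: bytes = b"s3cr3tC00kie"):
    """Run the attack against a fresh victim; cookie is a constructed stand-in value."""
    victim = VictimBrowser(os.urandom(16), cookie, predictable_iv)
    return beast_recover(victim, len(cookie))


if __name__ == "__main__":
    print("TLS 1.0 chaining :", demo(True))    # recovers b"s3cr3tC00kie"
    print("TLS 1.1 random IV:", demo(False))   # None: no guess ever matches
```

The attacker never decrypts anything; it only makes the victim's browser encrypt its guesses and compares ciphertext blocks, which is why at most 256 requests per byte suffice once each secret byte can be positioned at a block boundary. With a random per-record IV the first comparison fails for every guess of the first byte and the attack gives up after 256 probes. That is the property both TLS 1.1's explicit IVs and Chrome's record-splitting work-around rely on: the attacker must not know the block that will be XORed into its plaintext before choosing that plaintext.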
Moxie Marlinspike, a security researcher who has repeatedly found holes in the SSL protocol and its transport-layer security successor, put it this way: “As it stands now, given the number of difficult conditions necessary for deploying such an attack, as well as the dependency on leveraging a Java applet for violating SOP, it seems extremely unlikely that individual browser users will be personally affected by this vulnerability.”
BEAST, short for Browser Exploit Against SSL/TLS, isn't the only reason to question the adequacy of the SSL cryptographic system the entire internet uses to keep eavesdroppers out of your private accounts. And bear in mind that a countermeasure OpenSSL shipped in 2002 for this very weakness, sending an empty record ahead of each data record so that the chaining block the attacker needs is no longer predictable, was effectively turned off in most deployments (it is one of the workarounds bundled into OpenSSL's catch-all compatibility option) because some implementations, Microsoft's among them, could not handle the empty records.
SSL encryption may have dodged a bullet for now, but as the recent DigiNotar debacle demonstrated, the certificate-authority system it depends on isn't immune to real-world attacks either, with very real consequences for those who rely on it. As we always do, we will keep you posted on this and on other news that affects the security of the internet.
In other internet security news
The University of Sydney in Australia and technical publisher Elsevier said earlier this morning that they are holding their first official competitive hackathon for security students and professional software developers.
The Sydney Hackathon gives teams of up to five a twenty-four-hour window to develop an application that improves content delivery for Elsevier, the scientific, technical and medical publisher behind The Lancet and SciVerse ScienceDirect.
"The hackathon is designed to encourage students and internet security professionals to build creative and innovative software applications for science, using data from open application program interfaces," said SUITS (Sydney Uni IT Society) president James Alexander.
The inaugural Sydney Hackathon is being held this weekend, and will offer cash prizes of up to $1500 AU to the winning team. What's more, competitors can even retain the official ownership of any intellectual property developed during the event.
Entrants have from 2.00 PM Saturday to develop an application of any kind, as long as it is built on Elsevier's SciVerse and ScienceDirect platforms, which together hold over 10 million scientific publications from 2,600 journals.
Application developers and security software designers, students from any university in Australia and full-time programmers are invited to enter the hackathon.
In other internet security news
Over the past weekend, Oracle broke with tradition by publishing an unscheduled security patch. The update addresses a DoS (denial of service) vulnerability in the Apache web server software it ships; no distributed botnet is needed to trigger it.
This represents only the fifth time that Oracle has published a security update outside its quarterly patch schedule it began at the start of 2005.
The security patch provides an updated Apache web server and a new http daemon to Oracle's Fusion Middleware and Application Server products.
The former product includes Apache httpd 2.2. The latter includes Apache httpd 2.0.
The vulnerability is catalogued as CVE-2011-3192. A single client sends a request whose Range header lists hundreds or thousands of overlapping byte ranges of one file; the server prepares a separate in-memory copy of the data for every range, so a handful of such requests can exhaust the machine's memory and CPU and take the web server down.
The Apache Foundation addressed the same underlying byte-range flaw first with a 2.2.20 update at the end of August, which uses far less memory per range and falls back to sending the whole file when the requested ranges add up to more than the file itself. Last week it ironed out a few glitches in that fix with a further update, 2.2.21.
At this time it isn't clear which code base Oracle has used, although given testing schedules and the like, the earlier patch seems more likely.
Whatever code base used, the database giant is emphatic that system admins need to apply the patch sooner rather than later.
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible," it said in its advisory.
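As an added example (not Oracle's or the Apache Foundation's code), here is a Python parser for HTTP byte-range headers with the two checks a front-end proxy or WAF would apply to requests of the kind described above: too many ranges in one header, or ranges that overlap. The sample header values, the function names and the five-range threshold (the same figure the Apache Foundation's interim configuration mitigation used) are constructed for this article.

```python
"""Detect abusive HTTP Range headers of the CVE-2011-3192 kind (added example)."""
import re

MAX_RANGES = 5   # threshold used by the Apache interim mitigation (assumption: tune per site)


def parse_byte_ranges(header_value: str, resource_size: int):
    """Parse 'bytes=a-b,c-,-d' into absolute (first, last) offsets, RFC 2616 section 14.35.
    Returns None if the unit isn't 'bytes'. Syntactically bad or unsatisfiable specs
    (start past end of file, start > end, '-0') are dropped, as a server would drop them."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.*)", header_value)
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        sm = re.fullmatch(r"(\d*)-(\d*)", spec)
        if not sm or spec == "-":
            continue
        first, last = sm.groups()
        if first == "":                       # suffix range: the last N bytes
            n = int(last)
            if n == 0:
                continue
            first_i, last_i = max(0, resource_size - n), resource_size - 1
        else:
            first_i = int(first)
            last_i = resource_size - 1 if last == "" else min(int(last), resource_size - 1)
            if first_i >= resource_size or first_i > last_i:
                continue
        ranges.append((first_i, last_i))
    return ranges


def range_request_is_abusive(header_value: str, resource_size: int,
                             max_ranges: int = MAX_RANGES) -> bool:
    """True if the Range header should be stripped before it reaches the byte-range handler."""
    ranges = parse_byte_ranges(header_value, resource_size)
    if ranges is None:
        return False
    # Count raw comma-separated specs, as the Apache mitigation did, so that padding the
    # list with unsatisfiable entries does not slip under the threshold.
    if header_value.count(",") + 1 > max_ranges:
        return True
    # Overlapping ranges make a multipart reply re-send the same bytes; a legitimate
    # client (download manager, PDF viewer) never asks for the same bytes twice.
    ordered = sorted(ranges)
    for (_, a_last), (b_first, _) in zip(ordered, ordered[1:]):
        if b_first <= a_last:
            return True
    return False


def overlapping_range_header(n: int = 1300) -> str:
    """Constructed header in the shape of the public proof of concept: 'bytes=0-,5-0,5-1,...'.
    Every entry after the first is nested inside '0-', so they all overlap."""
    return "bytes=0-," + ",".join(f"5-{i}" for i in range(n))


if __name__ == "__main__":
    for hdr in ("bytes=0-99,200-299", "bytes=-100", overlapping_range_header()):
        print(hdr[:40].ljust(42), "abusive" if range_request_is_abusive(hdr, 1 << 20) else "ok")
```

For servers that could not be patched immediately, the Apache advisory's interim mitigation did the count check at configuration level, using SetEnvIf to tag any Range header containing five or more commas and RequestHeader unset to drop it (the same treatment was advised for the legacy Request-Range header). The overlap check above goes one step further than that rule: it also catches a short list of ranges that repeatedly covers the same bytes.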
In other internet security news
According to internet security researchers in Romania, Android malware threats could increase sixtyfold by March 2012. If that prediction holds, the number of Android malware samples would grow from about 200 now to about 12,000 six months from now. Much of today's Android malware is produced by inserting malicious code into legitimate apps and re-uploading them to third-party Android marketplaces.
During a demonstration on Sep. 13, BitDefender researchers showed that such repackaging can be done with about ten lines of script. In most cases, users can avoid becoming victims by reviewing the permissions an app requests before agreeing to install it.
For example, there is no legitimate reason for a so-called 'torch app' to be able to send SMS messages. "The trouble with permissions is that it ultimately falls down to user selection, discretion and interpretation," said Viorel Canja, head of anti-malware and anti-spam labs at BitDefender.
"It's a repeat of the same old issue over and over we've had on the desktop for so many years," added Canja.
"If Google locks down its applications, it risks losing developer interest, something that happened to Symbian before it. Android is not yet the new Windows for malware but it is going that way at the moment," he added. "So Google is a bit stuck between a rock and a hard place right now, but it will soon snap out of it" he said.
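As an added example (not BitDefender's code), here is the permission review described above, done mechanically: parse the permissions an app's manifest requests and flag the sensitive ones that the app's advertised purpose does not justify. It assumes the manifest has already been decoded from the APK's binary XML to plain XML (a tool such as apktool does this); the manifest below is invented, and the table of which permissions each kind of app plausibly needs is an illustrative policy for this article, not an Android or Google rule.

```python
"""Flag permissions an app requests that its stated purpose does not explain (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app cost the user money or leak their data.
SENSITIVE = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.CALL_PHONE", "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Illustrative allow-list per app kind (assumption for this example, not an Android rule).
EXPECTED = {
    "torch": {"android.permission.CAMERA"},   # the flash LED is driven through the camera API
    "sms_client": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS", "android.permission.READ_CONTACTS"},
}


def requested_permissions(manifest_xml: str) -> set:
    """All <uses-permission android:name=...> entries in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def suspicious_permissions(manifest_xml: str, app_kind: str) -> set:
    """Sensitive permissions requested that the app's kind does not justify."""
    return (requested_permissions(manifest_xml) & SENSITIVE) - EXPECTED.get(app_kind, set())


# Constructed manifest: a "torch" app that also wants to send SMS and read contacts.
TORCH_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Free Torch"/>
</manifest>"""

if __name__ == "__main__":
    for perm in sorted(suspicious_permissions(TORCH_MANIFEST, "torch")):
        print("torch app should not need:", perm)
```

The allow-list is the part that needs judgement, which is Canja's point: the same SEND_SMS request is normal for a messaging client and alarming for a torch. A reviewer who cannot name why an app needs a permission on the sensitive list should treat that as the signal to stop the install.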
BitDefender is developing a mobile security application for Android. The product, currently in beta, includes remote wipe, a filter designed to let users easily review application permissions, and malware detection.
Under current plans, the software would be released free of charge to mobile users, but neither this nor the release date has been confirmed. The application has been designed to minimise battery impact.
Source: Juliano Rizzo and Thai Duong.