Indiscreet tweet trips awareness of Web SSL vulnerability
Internet security engineers who had been meeting secretly to discuss a possible extension to Transport Layer Security (TLS) to thwart a possible low-level exploit, were compelled yesterday to reveal the existence of their meetings after another security engineer unconnected to their project went public with a conceptual framework of the very type of exploit they were working to pre-emptively patch.
The problem is essentially a repeat of what developers of TLS and its parent protocol, Secure Sockets Layer (SSL), have dealt with a handful of times in the past: the potential of man-in-the-middle attacks by malicious servers that can pass themselves off as security authenticators. As the team from wireless security service provider PhoneFactor discovered last August, it was possible using both Microsoft IIS 7.0 and Apache httpd Web servers to demonstrate a situation where a false TLS server authenticates itself to a genuine Web client, then authenticates itself to a genuine TLS server, effectively setting itself up as a go-between that's privy to the complete contents of what appears to the innocent client to be a fully encrypted SSL session.
With online bank transactions worldwide currently covered just with SSL, the potential for global exploit now that the technique behind the attack is widely known, has just become enormous.
As PhoneFactor engineer Marsh Ray blogged this morning, he first suspected the possibility of a vulnerability while doing code testing of a product that a PhoneFactor partner was developing to support its software. "We realized this situation needed to be handled with a good measure of care," Ray wrote. "Over the first part of September 2009, we began disclosing the initial group of independent security consultants for independent verification and advice on how to proceed."
With the cooperation of groups such as the Internet Engineering Task Force, a working group was formed with the objective of developing an extension to TLS. Security vendors with representatives to the IETF, Ray implied, are aware of his and supervisor Steve Dispensa's work, so it's likely that remedial code for the problem has already been developed, and is being tested now.
Without divulging the technical details, here is the basic theory of Ray's and Dispensa's discovery: During a typical TLS (SSL) session, a handshaking process initiated by a client results in the legitimate server validating the client's certificate, and the client validating the one passed by the server. From there, an exchange takes place whose result is the production of an exclusive session key. Methods exist for one or the other party to request a change in the parameters of their transactions, perhaps to switch to a different, stronger cipher suite. However, because of the "post-only" nature of HTTP -- the transaction protocol around which the TLS session is based -- moving the session over to the stronger suite cannot mean suspending transactions in progress and picking them back up again later after the move. Instead, the old session is effectively ended and a new one begins.
At least, that's what's supposed to be enabled to happen, and there's where the trouble starts. The old session is ended, but in order to renegotiate the session, the client and server have to start all over again. In a situation similar to someone's e-mail application replying to your e-mail with a message whose subject line begins, RE:, the conversation between client and server over what to change to, contains a reference to the request for renegotiation -- the request that had, when sent earlier, been encrypted.
Now it's not, and that's the problem. The certificate chain that had been encrypted is now revealed in clear text; and it becomes possible for a malicious middleman to inject code into that chain. Ray was able to demonstrate the methods to security vendors, and that's where we'll stop before we get too detailed.
On a different IETF mailing list yesterday afternoon, a security researcher with SAP, who was running tests on Microsoft IIS, effectively discovered the same concept, and disclosed his discovery in a responsible manner as well. The problem: Someone reading that mailing list effectively broadcast the news "TLS is cracked," or something to that effect, to all his friends on Twitter.
Apparently last night -- maybe in the middle of the night -- is when Ray and Dispensa began getting phone calls from partners. The news was out, and now the need to keep "Project Mogul" secret had evaporated. Though a solution has already been in the works since at least early September, the race to secure the principal protocol governing the Web's monetary transactions has just kicked into overdrive.