Re: [TLS] TLS or HTTP issue?

* Nikos Mavrogiannopoulos:

> I'll become a bit pedantic and note here that this isn't really a TLS
> issue.

I'm not sure.  We've got a middleware which provides RPC services over
TLS with certificates on both ends, and it happens that we're
vulnerable as well[1], even though we require client certificates from
the start.  Suppose that there is an RPC which is some sort of store
operation, allowing reading back the stored data by the client.  The
attacker pre-loads half of such an RPC call, triggers renegotiation,
and splices this connection to an unsuspecting client.  The client
will complete the RPC call, the server will save the call contents
(including metadata) as the payload of the store request that precedes
it, associated with the attacker's certificate (because it sticks to
the certificate it saw first).  The attacker can use the service to
read back the saved call contents, gaining access to data it would not
ordinarily have access to.

Theoretically, this attack can be detected by the server, but not
using the APIs that are currently deployed.  You are right that HTTP
is worse, but based on the attack sketched above, the basic issue also
affects other services.

[1] We've got other safeguards which prevent actual exploitation in
our case, but the theoretical vulnerability is still there.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
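The splice sketched in the message above, replayed as an added toy model (not part of this message or of any product it mentions): it assumes a hypothetical API that tags each application-data record with the certificate that authenticated it, the piece the message says deployed APIs lack. The first-seen-certificate binding stores the client's completed call under the attacker's identity; the per-record binding drops the half-buffered call when the authenticated peer changes.

```python
from dataclasses import dataclass

@dataclass
class Record:
    """Application-data record tagged with the peer certificate that
    authenticated it on arrival (a hypothetical per-record identity API)."""
    cert: str
    data: bytes

@dataclass
class StoreConn:
    """One connection to a toy RPC 'store' service (constructed model).
    bind_per_record=False: owner is the first-seen certificate, as in the message.
    True: identity is checked per record and a half-buffered message is dropped
    when a renegotiation changes the peer, so two identities are never spliced."""
    bind_per_record: bool
    store: dict            # owner cert -> payload, shared server-side state
    buf: bytes = b""
    buf_cert: str = ""
    conn_cert: str = ""

    def receive(self, rec: Record) -> list:
        replies = []
        if not self.conn_cert:
            self.conn_cert = rec.cert      # certificate from the first handshake
        if self.bind_per_record and self.buf and rec.cert != self.buf_cert:
            self.buf = b""                 # peer changed mid-message: discard partial
        self.buf_cert = rec.cert
        self.buf += rec.data
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            owner = rec.cert if self.bind_per_record else self.conn_cert
            replies.append(self.dispatch(line, owner))
        return replies

    def dispatch(self, line: bytes, owner: str) -> bytes:
        if line.startswith(b"STORE "):
            self.store[owner] = line[6:]
            return b"OK"
        if line == b"READ":
            return self.store.get(owner, b"")
        return b"ERR"

def run_splice(bind_per_record: bool) -> bytes:
    """Replay the sequence from the message; return what the attacker reads back."""
    store = {}
    spliced = StoreConn(bind_per_record, store)
    spliced.receive(Record("attacker", b"STORE "))                  # half an RPC call
    spliced.receive(Record("client", b"GET /secret token=abc\n"))   # after renegotiation
    return StoreConn(bind_per_record, store).receive(Record("attacker", b"READ\n"))[0]
```

`run_splice(False)` returns the client's call contents to the attacker; `run_splice(True)` returns nothing, because the per-record binding never merges bytes authenticated by two different certificates.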
