Re: [TLS] TLS or HTTP issue?

To: Nikos Mavrogiannopoulos <nmav at gnutls.org>
Subject: Re: [TLS] TLS or HTTP issue?
From: Peter Saint-Andre <stpeter at stpeter.im>
Date: Fri, 06 Nov 2009 09:59:11 -0700
Cc: Eric Rescorla <ekr at rtfm.com>, "tls at ietf.org" <tls at ietf.org>
Delivered-to: tls at core3.amsl.com
In-reply-to: <4AF33D07.7040100 at gnutls.org>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: url=http://www.saint-andre.com/me/stpeter.asc
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3 at rtfm.com> <4AF33D07.7040100 at gnutls.org>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/5/09 2:00 PM, Nikos Mavrogiannopoulos wrote:
> Eric Rescorla wrote:
>> TLS WG members will want to check out this announcement of a
>> new attack on the TLS renegotiation logic. See here:
>>
>> http://www.extendedsubset.com/
>>
>> The high-level summary is that the attacker negotiates TLS with the
>> server and then subsequently proxies the client's negotiation *over*
>> that channel. This allows the attacker to inject arbitrary content of
>> their choice in front of data sent from the TLS client to the TLS
>> server. This data will be treated by the server as if it came from the
>> client. Once the new handshake has finished, the attacker can't
>> do anything else useful.
> 
>  I'll become a bit pedantic and note here that this isn't really a TLS
> issue. We have an initial server-authenticated only session and some
> renegotiation of parameters over it to authenticate the client. However
> TLS doesn't guarantee[0] that if the renegotiation is successful
> authenticating the client, then the data from the initial session were
> also by the same authenticated client.
>  Think for example a session that it is anonymous (DH). Why one should
> assume that commands over the anonymous connection are to be trusted if
> a successful renegotiation follows?
> 
> So for me the issue is on HTTP's usage of the TLS protocol
> renegotiation. After a TLS renegotiation for authentication the previous
> command cache should have been cleared and reissued after negotiation.

I tend to agree. Some folks in the XMPP community have analyzed the use
of TLS in XMPP, and their preliminary conclusion is that XMPP is not
vulnerable to this attack because the client and server are required to
clear the security context and restart the XML stream after TLS
negotiation (or renegotiation). Those who did this analysis will publish
a brief report about their findings in the near future.

Peter

- --
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkr0Vd8ACgkQNL8k5A2w/vyeqQCgpzZakXwr62UdxAHdNyqwe4xe
WEUAoMPGdY94w+/+oAv9oYC0I9iu7hnI
=sjVM
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: [TLS] TLS or HTTP issue?
  - From: Chris Newman

References:
- [TLS] TLS renegotiation issue
  - From: Eric Rescorla
- [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)
  - From: Nikos Mavrogiannopoulos

Prev by Date: Re: [TLS] TLS renegotiation issue
Next by Date: Re: [TLS] TLS or HTTP issue?
Previous by thread: Re: [TLS] TLS or HTTP issue?
Next by thread: Re: [TLS] TLS or HTTP issue?
Index(es):
- Date
- Thread

Re: [TLS] TLS or HTTP issue?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.