Re: [TLS] TLS or HTTP issue?

To: Peter Saint-Andre <stpeter at stpeter.im>, Nikos Mavrogiannopoulos <nmav at gnutls.org>
Subject: Re: [TLS] TLS or HTTP issue?
From: Chris Newman <Chris.Newman at Sun.COM>
Date: Wed, 11 Nov 2009 15:34:49 -0800
Cc: Eric Rescorla <ekr at rtfm.com>, tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <4AF455DF.5040106 at stpeter.im>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3 at rtfm.com> <4AF33D07.7040100 at gnutls.org> <4AF455DF.5040106 at stpeter.im>
Sender: Chris.Newman at Sun.COM

It is likely XMPP is vulnerable. IMAP and SMTP are vulnerable. The onlyapplication protocol I've studied that I believe resists the vulnerabilityis POP3+STLS (even pops may be vulnerable).

I know of two ways to leverage the TLS re-negotiation vulnerability toattack applications:

1. Authenticating an otherwise un-trusted directive using credentials froman authorized user. As far as I know this attack only applies to HTTP-likeprotocols (including IPP, SIP, HTTP, WebDAV, CalDAV, etc.) due to the poordesign of HTTP authentication, cookie and client certificate mechanisms.Application protocols like IMAP, POP, SMTP, XMPP, BEEP with cleanlyseparate not-authenticated and authenticated states are immune to thisattack.

2. Having one authorized and authenticated TLS session decrypt data from adifferent TLS session. This attack is most severe for SMTP+STARTTLS+BDAT(since SMTP relays typically treat all senders as authenticated as long asthe recipient is in the local domain), but impacts most applicationprotocols that have a command to "send", "post", "put", "set an attribute"or perform any write operation that can subsequently be read back. In thecase of IMAP, this can be used by one authorized IMAP user (someone with anaccount on the IMAP server) to potentially steal the login password ofanother IMAP user on the same server (with some IMAP client behaviorcaveats).


It is likely that XMPP is vulnerable to attack #2.

I would recommend anyone running an SMTP relay (port 25) to turn off boththe STARTTLS and SMTP AUTH features immediately until this is resolved. AnSMTP Submission server (port 587, RFC 4409, requires SMTP AUTH to submitmail) should keep STARTTLS enabled. Sites that have not made the splitbetween SMTP relay and SMTP submission should do so -- they have differentsecurity properties and this is yet another reason they should be differentservices (either on different ports or different IP addresses).


		- Chris

--On November 6, 2009 9:59:11 -0700 Peter Saint-Andre <stpeter at stpeter.im>wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/5/09 2:00 PM, Nikos Mavrogiannopoulos wrote:

Eric Rescorla wrote:

TLS WG members will want to check out this announcement of a
new attack on the TLS renegotiation logic. See here:

http://www.extendedsubset.com/

The high-level summary is that the attacker negotiates TLS with the
server and then subsequently proxies the client's negotiation *over*
that channel. This allows the attacker to inject arbitrary content of
their choice in front of data sent from the TLS client to the TLS
server. This data will be treated by the server as if it came from the
client. Once the new handshake has finished, the attacker can't
do anything else useful.


 I'll become a bit pedantic and note here that this isn't really a TLS
issue. We have an initial server-authenticated only session and some
renegotiation of parameters over it to authenticate the client. However
TLS doesn't guarantee[0] that if the renegotiation is successful
authenticating the client, then the data from the initial session were
also by the same authenticated client.
 Think for example a session that it is anonymous (DH). Why one should
assume that commands over the anonymous connection are to be trusted if
a successful renegotiation follows?

So for me the issue is on HTTP's usage of the TLS protocol
renegotiation. After a TLS renegotiation for authentication the previous
command cache should have been cleared and reissued after negotiation.


I tend to agree. Some folks in the XMPP community have analyzed the use
of TLS in XMPP, and their preliminary conclusion is that XMPP is not
vulnerable to this attack because the client and server are required to
clear the security context and restart the XML stream after TLS
negotiation (or renegotiation). Those who did this analysis will publish
a brief report about their findings in the near future.

Peter

- --
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkr0Vd8ACgkQNL8k5A2w/vyeqQCgpzZakXwr62UdxAHdNyqwe4xe
WEUAoMPGdY94w+/+oAv9oYC0I9iu7hnI
=sjVM
-----END PGP SIGNATURE-----
_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] TLS or HTTP issue?
  - From: Nikos Mavrogiannopoulos

References:
- [TLS] TLS renegotiation issue
  - From: Eric Rescorla
- [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)
  - From: Nikos Mavrogiannopoulos
- Re: [TLS] TLS or HTTP issue?
  - From: Peter Saint-Andre

Prev by Date: [TLS] FW: Attendee Invitation for tls WebEX on Thursday -- forward to attendees!
Next by Date: Re: [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)
Previous by thread: Re: [TLS] TLS or HTTP issue?
Next by thread: Re: [TLS] TLS or HTTP issue?
Index(es):
- Date
- Thread

Re: [TLS] TLS or HTTP issue?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.