Researchers find two dozen vulnerabilities in HTTPS and SSL protocols

By Michael S. Mimoso, Editorial Director, SearchSecurity | Aug 2, 2010

LAS VEGAS -- The HTTPS and SSL/TLS protocols are at the heart of Web security and trusted ecommerce, but today at the Black Hat Briefings Web application security experts Robert "RSnake" Hansen and Josh Sokol identified two dozen vulnerabilities of varying criticality in the fundamental architecture of Web browsers. These flaws essentially eliminate the protections that HTTPS and SSL are supposed to bring to the browsing experience.

HTTPS (HTTP over SSL or HTTP Secure) adds encryption to the HTTP protocol to protect user page requests as well as the pages that are returned by the Web server from eavesdropping. SSL and its successor, TLS, are the protocols that enable HTTPS via public key cryptography to authenticate clients and servers on the Web.

Hansen and Sokol explained that exploitation first requires a man-in-the-middle attack. Once sitting in the middle of a browser session, an attacker can then exploit most of these issues to redirect sessions to steal credentials or remotely force code execution.

The two researchers, however, did emphasize that these aren't "game-over" types of attacks.

"There are much easier attacks out there," Hansen said. "You still have to [execute a] man-in-the-middle and you have to be a very determined attacker...No, this is not the worst thing ever. But there are situations for ecommerce where this can be devastating."

Hansen, in fact, said he suspects there could be hundreds of similar security issues involving browser security and SSL/TLS still to be uncovered; time constraints while preparing their Black Hat talk prevented them from researching further.

Man-in-the-middle attacks are nothing new. Attackers can insert themselves at several junctures in a browser session for a variety of reasons. Some attackers have been able to forge or steal SSL certificates using a variety of methods, including MD5 collisions. Also, because DNS and HTTP requests are sent in plain text before a session reaches the encrypted portion of the authentication negotiation, attackers can exploit any of those stops to hijack a session. Attackers have also successfully used MitM attacks to strip out HTTPS links and redirect users to a malicious HTTP site.

For any attacker, duplicating Hansen's and Sokol's work would require patience and resources. The duo explained two attacks of particularly high criticality that could occur on the heels of a man-in-the-middle attack.

This article originally appeared on SearchSecurity
