Issue #5353 has been updated by Martin Bosslet.


Some first reactions:

http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
http://www.imperialviolet.org/2011/09/23/chromeandbeast.html

From what I understand this is really sweet: instead of trying to guess a
whole block at a time, they play with block boundaries so that they effectively
only have to guess one byte at a time instead of, let's say, 16.

And it looks like turning off SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS really does
prevent this kind of attack, too. But then again, as nahi already hinted at,
mounting this kind of attack requires quite some sophistication; usually there
are easier ways for an attacker.

An interesting approach that wouldn't break compatibility seems to be what
is currently being investigated for Chrome:

http://codereview.chromium.org/7621002

Instead of sending a totally empty first record they send one with exactly one
byte to get the same effect of randomizing the IV.

Regards,
Martin

PS: I would be really grateful if somebody got their hands on the original paper
and could post a link here or send it to me! 
----------------------------------------
Bug #5353: TLS v1.0 and less - Attack on CBC mode
http://redmine.ruby-lang.org/issues/5353

Author: Martin Bosslet
Status: Open
Priority: High
Assignee: 
Category: ext
Target version: 1.9.x
ruby -v: trunk


A well-known vulnerability of TLS v1.0 and earlier has recently gained some attention:

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

Although this has been known for a long time (http://www.openssl.org/~bodo/tls-cbc.txt),
and a fix for this has been provided, in reality most applications seem to be working with

SSL_OP_ALL

which is a flag that enables some bug workarounds that were considered harmless. 

We, too, use this in ossl_sslctx_s_alloc(VALUE klass) in ossl_ssl.c. Unfortunately, 
this flag also includes

SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

which disables the fix for the "CBC vulnerability". Here is what a comment says
about the flag (OpenSSL 1.0.0d):

    /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
     * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
     * the workaround is not needed.  Unfortunately some broken SSL/TLS
     * implementations cannot handle it at all, which is why we include
     * it in SSL_OP_ALL. */

If I understand http://www.openssl.org/~bodo/tls-cbc.txt correctly, the most
notable implementation that does not play well with these empty fragments
was (is?) IE. I don't know how this has evolved over time; I would have to
research further.

An easy fix for the situation would be to discard SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
but this would risk affecting existing installations.

What do you propose? Should we solve this before the 1.9.3 release? 

(PS: The actual attack and fix are outlined in 

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5887&rep=rep1&type=pdf

The attack to be presented by Thai Duong and Juliano Rizzo at 

http://ekoparty.org/cronograma.php (caution: currently the site is a victim of the "reddit effect")

is very likely to be based on what was already known and should therefore hopefully
require no further fixes.) 

-- 
http://redmine.ruby-lang.org
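The change the issue asks about, as an added example (not code from Ruby's ossl_ssl.c or its openssl library): keep the SSL_OP_ALL default that ossl_sslctx_s_alloc uses, but clear SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS so the empty-fragment CBC workaround stays enabled. The helper names, the 0x00000800 fallback value (OpenSSL's ssl.h definition, used only if the binding does not export the constant) and the assumption that the Ruby binding exports OpenSSL::SSL::OP_ALL and OP_DONT_INSERT_EMPTY_FRAGMENTS are this example's own.

```ruby
# Added example (not Ruby's or OpenSSL's own code): start from OP_ALL, as
# ossl_sslctx_s_alloc does, but clear OP_DONT_INSERT_EMPTY_FRAGMENTS so the
# empty-fragment CBC workaround from OpenSSL 0.9.6d stays active.
begin
  require 'openssl'
  HAVE_OPENSSL = true
rescue LoadError
  HAVE_OPENSSL = false
end

# Prefer the constant exported by the Ruby binding; fall back to the value
# OpenSSL's ssl.h defines for SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (assumption:
# 0x00000800, used only when the binding does not export it).
OP_DONT_INSERT_EMPTY_FRAGMENTS =
  if HAVE_OPENSSL && defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
    OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
  else
    0x00000800
  end

# True when an options bitmask still disables the CBC workaround.
def disables_cbc_workaround?(options)
  (options & OP_DONT_INSERT_EMPTY_FRAGMENTS) != 0
end

# Return the bitmask with the DONT_INSERT bit cleared; every other
# bug workaround in the mask (the rest of OP_ALL) is left untouched.
def keep_empty_fragment_workaround(options)
  options & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
end

# Build an SSLContext whose options are OP_ALL minus the harmful bit.
# Returns nil when the openssl extension is not available.
def hardened_context
  return nil unless HAVE_OPENSSL
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = keep_empty_fragment_workaround(OpenSSL::SSL::OP_ALL)
  ctx
end

if __FILE__ == $0
  ctx = hardened_context
  if ctx
    printf("OP_ALL disables workaround: %s\n", disables_cbc_workaround?(OpenSSL::SSL::OP_ALL))
    printf("hardened context disables workaround: %s\n", disables_cbc_workaround?(ctx.options))
  end
end
```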