Monday, September 26, 2011

First solutions for SSL / TLS vulnerabilities

As a remedy against the SSL/TLS vulnerability that became known to a wider
audience last week, security specialists recommend the use of RC4. Unlike
AES, which is in use on most servers, RC4 is a stream cipher and therefore
needs no cipher-block chaining (CBC) mode, and CBC as implemented in SSL
3.0/TLS 1.0 is vulnerable to so-called chosen-plaintext attacks.

The core of the problem is that the initialization vectors (IVs), which are
meant to ensure that identical plaintext blocks do not produce identical
ciphertext, are not freshly and unpredictably generated for each record:
SSL 3.0 and TLS 1.0 reuse the last ciphertext block of the previous record
as the IV of the next one, so anyone who can read the wire knows the IV
before the next record is sent. With educated guesses, an encrypted cookie
can thus be recovered far faster than by brute force. In return, however,
the attacker must insert himself into the victim's connection to the server
via a man-in-the-middle (MITM) attack and communicate with the server in
the victim's context.

Google security analyst Adam Langley has published further details.
According to him, the mysterious JavaScript code that was puzzled over last
week is placed into an iframe in the victim's browser in the course of the
MITM attack. The script then sends thousands of padded SSL requests to the
server, each one testing a single guess for one byte of the cookie, and the
attacker compares the resulting ciphertext observed on the wire with the
block that carries the cookie. To automate this attack, security researchers
Thai Duong and Juliano Rizzo presented the tool BEAST (Browser Exploit
Against SSL/TLS).

In principle the problem was solved by a change in the standard adopted in
2006, TLS 1.1: since then the IV for CBC is chosen unpredictably for every
record, so the described attack no longer works. The change is apparently
not so easy to roll out, however, because by no means all servers and
browsers support the newer standard.

According to an analysis by security specialist Thierry Zoller, Chrome and
Firefox use the Network Security Services (NSS) library, which at the time
of writing supports only TLS 1.0. Windows Vista, XP, 2000, Server 2003 and
Server 2008 likewise cannot use TLS 1.1 by default; only Windows 7 and
Windows Server 2008 R2 can. Opera 10, by contrast, even works with TLS 1.2
servers. Changing the browser configuration is useless, however, if the
server does not support the newer version, since both sides have to agree
on it during the handshake.

OpenSSL, which the Apache web server usually relies on, offers no TLS 1.1
either (at the time of writing; TLS 1.1 and 1.2 only arrived with OpenSSL
1.0.1), which leaves only switching to GnuTLS or switching to RC4. Which
cipher suites may be used is specified in Apache's mod_ssl configuration
(typically ssl.conf) through the SSLCipherSuite directive; for the RC4
workaround to take effect, the RC4 suites must be listed first and
SSLHonorCipherOrder must be enabled, otherwise the client's preference
decides. Instructions for the corresponding change on IIS 7 can be found
under "Cipher Suite for BEAST Mitigation".

Google, meanwhile, has implemented a fix in the developer version of Chrome
that OpenSSL developers had already proposed in 2004. To make it harder for
the attacker to control the plaintext that is encrypted under a known IV,
records are split: the 2004 proposal prepends an empty record to each
write, while Chrome's build sends the first byte of each write as a record
of its own (the so-called 1/n-1 split). Either way, the bulk of the
attacker-chosen data is encrypted under an IV the attacker could not know
when choosing it.
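The following script is an added example and not code from the article, from Adam Langley's post or from the BEAST tool. It simulates the chained-IV CBC record layer of SSL 3.0/TLS 1.0, runs the byte-at-a-time guessing attack described above against a secret cookie, and then shows that the record splitting from the preceding paragraph (both the 0/n empty-record variant and Chrome's 1/n-1 variant) makes the same attack come up empty. Assumptions: a 4-round Feistel network keyed through HMAC-SHA256 stands in for AES so that the script needs no third-party library (BEAST is indifferent to the block cipher under CBC); KEY, IV and COOKIE are constructed test values; the HTTP framing is reduced to "attacker-chosen prefix followed by the cookie".

```python
import hashlib
import hmac
from typing import Optional

BLOCK = 16  # CBC block size in bytes (AES and the stand-in cipher below)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding to whole blocks (TLS pads slightly differently;
    the difference does not matter for the IV problem shown here)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: a 4-round Feistel network (assumption: stands
    in for AES; the attack only needs E to be a deterministic permutation)."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, xor(left, _round_fn(key, right, rnd))
    return left + right


class Tls10CbcWriter:
    """Sender side of an SSL 3.0/TLS 1.0 CBC record layer.  The flaw: the IV of
    the next record is the last ciphertext block of the previous record, which
    is public because it has already travelled over the wire."""

    def __init__(self, key: bytes, iv: bytes):
        self.key = key
        self.last = iv  # chain IV; an on-path attacker sees it

    def send(self, plaintext: bytes) -> bytes:
        padded = pad(plaintext)
        prev, out = self.last, b""
        for i in range(0, len(padded), BLOCK):
            prev = block_encrypt(self.key, xor(padded[i:i + BLOCK], prev))
            out += prev
        self.last = prev  # the next record chains from here
        return out


class SplittingWriter(Tls10CbcWriter):
    """Same record layer plus record splitting: the first `first_len` bytes of
    every write go out as a record of their own (0 = the 2004 empty-record
    proposal, 1 = Chrome's 1/n-1 split), so the rest is encrypted under an IV
    that did not exist yet when the attacker chose the plaintext."""

    def __init__(self, key: bytes, iv: bytes, first_len: int = 1):
        super().__init__(key, iv)
        self.first_len = first_len

    def send(self, plaintext: bytes) -> bytes:
        if len(plaintext) <= self.first_len:
            return super().send(plaintext)
        head, tail = plaintext[:self.first_len], plaintext[self.first_len:]
        return super().send(head) + super().send(tail)


def beast_recover_cookie(writer: Tls10CbcWriter, cookie: bytes) -> Optional[bytes]:
    """Attacker model from the article: the MITM reads every ciphertext byte and,
    through injected JavaScript, makes the browser send requests whose bodies
    it chooses; the browser appends the secret cookie.  Returns the recovered
    cookie, or None if no guess ever matched (a countermeasure is in effect)."""
    known = b""
    for k in range(len(cookie)):
        # Pick the prefix length so that cookie[k] is the last byte of a block
        # whose other 15 bytes (prefix + already recovered cookie) are known.
        prefix = b"A" * ((BLOCK - 1 - k) % BLOCK)
        j = (len(prefix) + k) // BLOCK           # block that holds cookie[k]
        iv_target = writer.last                  # IV the victim's record will use
        ct = writer.send(prefix + cookie)        # victim's request, seen on the wire
        target = ct[j * BLOCK:(j + 1) * BLOCK]
        prev = iv_target if j == 0 else ct[(j - 1) * BLOCK:j * BLOCK]
        found = None
        for g in range(256):
            guess = (prefix + known + bytes([g]))[-BLOCK:]
            # The IV of the attacker's own record is known in advance (chain IV),
            # so xor it away and re-create the exact cipher input of the target.
            probe = xor(xor(writer.last, prev), guess)
            if writer.send(probe)[:BLOCK] == target:
                found = g
                break
        if found is None:
            return None
        known += bytes([found])
    return known


# Constructed test values (not real keys or session data).
KEY = bytes(range(16))
IV = bytes.fromhex("00112233445566778899aabbccddeeff")
COOKIE = b"sessionid=7f3a9c02"

if __name__ == "__main__":
    print("TLS 1.0 chained IV :", beast_recover_cookie(Tls10CbcWriter(KEY, IV), COOKIE))
    print("0/n empty record   :", beast_recover_cookie(SplittingWriter(KEY, IV, 0), COOKIE))
    print("1/n-1 split        :", beast_recover_cookie(SplittingWriter(KEY, IV, 1), COOKIE))
```

Against the plain writer the loop needs at most 256 requests per cookie byte, which is the "thousands of requests" the article mentions; against either splitting writer the attacker's 16-byte probe never reaches the cipher as one block under a known IV, so no guess matches. The 0/n variant only works because an empty record still produces a ciphertext block (here through padding, in real TLS through MAC plus padding); that block becomes the unpredictable IV for the data that follows.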

So far most web server vendors and operators have held back in assessing
the problem, probably because the BEAST tool is not yet publicly available.

[Update] According to Thierry Zoller, prepending empty records has long been
implemented in OpenSSL as a countermeasure. By default, however, it is not
active, for compatibility reasons: the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
option that switches it off is part of SSL_OP_ALL, which most applications,
Apache included, set. [/Update]
