Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

From: Jacques Vidrine (jacques_at_vidrine.us)
Date: 10/11/05

  • Next message: Giorgos Keramidas: "Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl"
    Date: Tue, 11 Oct 2005 09:45:53 -0700
    To: Ian G <iang@iang.org>
    
    

    [Trimmed cc: to just the appropriate public mailing list.]

    On Oct 11, 2005, at 7:25 AM, Ian G wrote:
    > FreeBSD Security Advisories wrote:
    >
    >
    >> Applications which do not support SSLv2, have been configured to not
    >> permit the use of SSLv2, or do not use the
    >> SSL_OP_MSIE_SSLV2_RSA_PADDING
    >> or SSL_OP_ALL options are not affected.
    >> IV. Workaround
    >> No workaround is available.
    >>
    >
    > Isn't the workaround obviously to switch off V2?

    Yes. Sorry that wasn't mentioned.

    > SSL v2 should be disabled anyway. In the browser
    > world we have been actively moving to a position
    > of not delivering SSL v2 as enabled by default,
    > and we've been telling people to switch off SSL
    > v2 for some time in order to flush out any issues.
    > (none reported that I know of.)
    >
    > We *desparately* need this done so that servers
    > can be switched off SSL v2 so they can deliver
    > the SSL v3 hello so that we can start to use
    > virtual hosts. The ability to use more SSL
    > more frequently feeds into tools that defend
    > against phishing because they rely on the use
    > of certificates to cache identity; so this is
    > actually a highly desirable thing in security
    > terms.
    >
    > In the phishing world - where users are being
    > exposed to losses in the billion dollar range
    > or so - we are crying out for the removal of v2.
    > Can this be done?

    I agree. The SSLv3 specification was published in 1995 and quickly
    adopted. Support for SSLv3 seemed pretty much ubiquitous by 1999.
    SSLv2 has several well-known cryptographic weakness with real impact
    and should not be used. Summarizing [Rescorla 2000]:

    * An attacker may interfere with the SSLv2 protocol negotiation in
    order to force the selection of a weak suite of cryptographic
    algorithms. (This is the most severe problem for most installations,
    IMHO)

    * An attacker may inject a TCP FIN packet into an active SSLv2
    session, causing data transfer to terminate. This termination will
    not be detected by the client or server.

    * The only message authentication code (MAC) algorithm available for
    SSLv2 is MD5. There have been several developments that have caused
    some cryptographers to become concerned about the security of MD5.

    * SSLv2 uses the same key for encryption and message authentication,
    so that any successful cryptographic attack is a total break.

    * A design flaw in SSLv2 client authentication may allow an attacker
    to hijack a client's credentials.

    I've been concerned enough to disable SSLv2 in most of my own
    installations. But now that it is clear that there are downgrade-to-
    SSLv2 attacks in some versions of OpenSSL (and probably some other
    SSL/TLS implementations), I'm even more concerned.

    Cheers,

    -- 
    Jacques Vidrine <jacques@vidrine.us>
    [Rescorla 2000] Rescorla, Eric. _SSL and TLS: Designing and Building  
    Secure Systems_. Addison-Wesley, 2000.
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    

  • Next message: Giorgos Keramidas: "Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl"

    Relevant Pages