On 04/03/2010 01:07 PM, Nelson B Bolyard:
> This is true because the attacker can arrange it so that the victim client's
> first handshake is actually a renegotiation for the server.
> It's NOT a renegotiation for the client, but it IS for the server.
> The server has previously negotiated with the attacker, and thinks that
> it is renegotiating with the attacker, but is actually doing a negotiation
> with the victim client.  To the server it looks like a renegotiation.
> To the victim client, it looks EXACTLY like a first handshake, not a
> renegotiation.  Whatever credentials the victim client provides in its
> initial request (client auth, or a cookie, or a basic auth password)
> will be seen by the vulnerable server as having come from the attacker,
> because the server thinks it's renegotiating with the attacker.  That's
> how the attack works, and how the attacker uses the victim's credentials.

I can see how this can work in cases where all other data to be exploited can be prepended by the attacker. Still, those are probably very rare and unfortunate circumstances; it mustn't happen.

> Now, the way that a client protects itself from a server's vulnerability is
> that, in the client hello message, it asks the server "are you fixed?"
> A fixed server will answer affirmatively in its server hello message, and an
> unfixed old server will ignore the request.  When the client gets back the
> server's hello message, if it doesn't contain the extension that says "yes,
> I'm fixed", the client should drop that handshake right then and there, like
> a hot potato.

Now I have a question I wanted to ask for a long time. Considering that this design flaw existed for some 14 years and more... how come nobody ever thought about this earlier? Isn't it amazing that such a fairly trivial exploit existed for such a long time? You yourself know the SSL protocols inside and out and never thought about it?

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
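The "are you fixed?" check Nelson describes, written out as an added example (not code from this thread or from NSS): the client puts an empty renegotiation_info extension in its ClientHello and refuses any ServerHello that does not answer with one. The extension type (0xff01) and the renegotiated_connection encoding come from RFC 5746; the function names and sample byte strings are my own constructions.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # renegotiation_info extension type, RFC 5746
# RFC 5746 also allows the cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF)
# as the client's question; this example uses the extension form.


def extensions_block(*exts: bytes) -> bytes:
    """Prefix encoded extensions with the 2-byte total length used in a Hello."""
    body = b"".join(exts)
    return struct.pack("!H", len(body)) + body


def renegotiation_info(payload: bytes = b"") -> bytes:
    """Encode renegotiation_info: type, length, then renegotiated_connection
    as a 1-byte-length-prefixed string (empty on a first handshake)."""
    return struct.pack("!HHB", RENEGOTIATION_INFO, len(payload) + 1, len(payload)) + payload


def client_hello_extension() -> bytes:
    """The question the client asks: an empty renegotiation_info."""
    return extensions_block(renegotiation_info())


def parse_extensions(blob: bytes) -> dict:
    """Parse a Hello extensions block into {type: data}; raise on truncation."""
    if len(blob) < 2:
        return {}
    (total,) = struct.unpack("!H", blob[:2])
    body = blob[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated extensions block")
    exts, i = {}, 0
    while i < len(body):
        ext_type, ext_len = struct.unpack("!HH", body[i:i + 4])
        i += 4
        data = body[i:i + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        exts[ext_type] = data
        i += ext_len
    return exts


def check_server_hello(extensions: bytes, client_verify: bytes = b"",
                       server_verify: bytes = b"") -> bool:
    """True if the ServerHello proves the server is fixed; False means drop it.
    On a first handshake renegotiated_connection must be empty; on a real
    renegotiation it must be client_verify_data || server_verify_data."""
    exts = parse_extensions(extensions)
    if RENEGOTIATION_INFO not in exts:
        return False  # an old server ignored the question: hot potato
    data = exts[RENEGOTIATION_INFO]
    if not data or data[0] != len(data) - 1:
        return False  # malformed renegotiated_connection length
    return data[1:] == client_verify + server_verify
```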