Yet Another SSL Hack Highlights Achilles Heel Weaknesses of “Standards”
Posted by LS on September 23rd, 2011. Category: Blog
We have been strongly opining on the conceptual weaknesses of the SSL protocol for some time, for example in this article of ours: http://bit.ly/nERJ9Y, as well as referencing some excellent thoughts of others, like here: http://bit.ly/g52J3D.
Of course, we also felt strongly enough that SSL has so many faults that FN developed its own protocol, ASL, specifically to address all of SSL’s shortcomings, including, from our perspective, the much more serious threat of phishing.
But enough background, let’s get back to today’s topic at hand, which was “the plaintext-recovery attack that exploits a vulnerability in TLS that has long been regarded as mainly a theoretical weakness”, as quoted directly from Dan Goodin and theregister.co.uk, which IMHO has done an outstanding job of covering SSL’s legion of issues (not to mention most cyber-security topics) and has done so again with this latest hack/potential hack; click here for details: http://bit.ly/qFyk2W. (Note that this hack has not yet been verified, but the individuals involved have a strong pedigree and as such we believe it will be confirmed to be valid after the planned presentation.)
Specifically there are 3 interesting things of note about this exploit:
- It has been conceptually known as a weakness for quite some time and, as also noted, this exploit does not work against TLS 1.1 or 1.2, both of which have been around for years (and of course it doesn’t work against FN’s ASL protocol either…)
- Despite the long history of conceptual weaknesses having a remarkable aptitude for showing up as real threats, the work of Thai Duong and Juliano Rizzo is still impressive (despite the fact that the hack requires a client-side component, and god knows that once you have client-side access to a user’s machine, there are many simpler (and more powerful) ways to steal data…)
- The real story here is the exposure of two ideas, “open source” and “standards”, as altruistically naive linchpin pillars of effective cyber-security. More specifically, standards, like laws or regulations, are only as good as their explicit or implicit enforcement, and the pretty well complete lack of adoption of a “standard” that was updated twice to fix/patch vulnerabilities is a pretty sobering reminder that lightweight implementation still remains an important consideration for security products. Said another way, the prospective benefits of upgrading to a newer version of a protocol were pretty well universally deemed less important than the negative impacts to user experience that its adoption might entail. As such, the decentralized adoption requirements and the de facto unilateral decision by any party to implement “recommended” changes to any standard, no matter how necessary, have proven to be more than just a conceptual issue, as this hack clearly outlines.
And so, another day, another nail in the SSL coffin (gratuitous chiding on our part), but at some point people will probably start to figure out, or care, that someone has in