OpenSSL SSLv2 rollback vulnerability

OpenSSL has announced a new vulnerability in their SSL implementation. Ordinarily, these things are simple (and boring) coding errors, but this one is kind of an interesting study in how things can go wrong with security protocol implementations.

One common problem in the design of protocols, especially security protocols, is version transitions. If you have multiple versions (or multiple algorithms) you generally want two implementations to use the strongest version (or algorithm) they have in common. But you also want switch-hitting implementations to roll back when they contact older implementations, in order to maximize compatibility. You also want to be able to detect if an active attacker is trying to downgrade you to a weaker set of parameters.

There are three commonly-used versions of SSL: SSLv2, SSLv3, and TLS. Despite the names, TLS and SSLv3 are very similar (and fairly strong) and SSLv2 is different (and somewhat broken). We naturally want to stop active attackers from forcing people's connections down from SSLv3/TLS to SSLv2. To make matters worse, while SSLv3/TLS has defenses against downgrading to weaker algorithms, SSLv2 does not. This makes it even more important to detect downgrade to SSLv2, because the attacker can roll you back to SSLv2 and then to a weaker algorithm inside SSLv2. Of course, it also makes it harder to detect downgrade to SSLv2 by active attackers.

In order to prevent this, SSLv3 and TLS use an interesting trick to detect rollback. When SSLv3 and TLS-capable client implementations communicate with an SSLv2 implementation, they use a special type of padding in the RSA encryption. SSLv3 and TLS server implementations automatically detect this padding and generate an error. What makes this work is that this looks like legitimate padding to ordinary SSLv2-only implementations.

So far so good. Here's the problem: old versions of Microsoft Internet Explorer always used this kind of padding even when SSLv3 had been turned off. This meant that there was no way to make such an IE version work in SSLv2 mode with a conforming switch-hitting SSLv2/SSLv3 implementation. In order to compensate for this, OpenSSL had a flag, SSL_OP_MSIE_SSLV2_RSA_PADDING, that turned off this check (thus making downgrade attacks possible, but also preserving compatibility). That's not a crazy design decision, but here's where things go wrong: there are a lot of such client bugs, all of which potentially need workarounds, so OpenSSL has a flag called SSL_OP_ALL, which turns them all on for maximal compatibility. This flag is set by default in some common OpenSSL-using programs, like mod_ssl. Because SSL_OP_ALL includes SSL_OP_MSIE_SSLV2_RSA_PADDING, those programs run with the rollback check disabled.
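The padding check and the effect of the compatibility flag, as an added example (not OpenSSL's code and not from the original post). It assumes the marker defined in the SSLv3/TLS specifications, where the last 8 padding bytes of the PKCS#1 block are set to 0x03; the function name, result codes and sample blocks are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Result codes for this example (hypothetical names). */
enum { PAD_OK = 0, PAD_MALFORMED = -1, PAD_ROLLBACK = -2 };

/*
 * Inspect a decrypted PKCS#1 v1.5 type-2 block: 00 02 PS 00 M,
 * where PS is at least 8 nonzero bytes. A client that also speaks
 * SSLv3/TLS sets the last 8 bytes of PS to 0x03 when it sends an
 * SSLv2 handshake. server_has_v3: this server supports SSLv3/TLS.
 * skip_check: models the effect of SSL_OP_MSIE_SSLV2_RSA_PADDING.
 * On PAD_OK, *msg_off is the offset of M within em.
 * Illustration only: not constant-time, which production code must be.
 */
int check_sslv2_padding(const unsigned char *em, size_t len,
                        int server_has_v3, int skip_check, size_t *msg_off)
{
    static const unsigned char marker[8] = {3, 3, 3, 3, 3, 3, 3, 3};
    size_t i;

    if (len < 11 || em[0] != 0x00 || em[1] != 0x02)
        return PAD_MALFORMED;
    for (i = 2; i < len && em[i] != 0x00; i++)
        ;                               /* find the 00 separator */
    if (i == len || i < 10)             /* no separator or PS < 8 bytes */
        return PAD_MALFORMED;
    /* Both ends support v3 yet this is a v2 handshake: forced downgrade. */
    if (server_has_v3 && !skip_check && memcmp(em + i - 8, marker, 8) == 0)
        return PAD_ROLLBACK;
    *msg_off = i + 1;
    return PAD_OK;
}

/* Constructed sample: v3-capable client, PS ends in the 8-byte marker. */
static const unsigned char sample_v3_client[16] = {
    0x00, 0x02, 0xa7, 0x5c, 0x19, 3, 3, 3, 3, 3, 3, 3, 3, 0x00, 0xde, 0xad
};
/* Constructed sample: SSLv2-only client, ordinary nonzero PS. */
static const unsigned char sample_v2_client[16] = {
    0x00, 0x02, 0xa7, 0x5c, 0x19, 0x44, 0x91, 0x0b, 0x7e, 0x23, 0xc8, 0x6d,
    0x35, 0x00, 0xde, 0xad
};
```

With `skip_check` set, the marked block from a v3-capable client is accepted like any other SSLv2 handshake, which is exactly the state a server is in when the compatibility flag is on.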

Of course, if you're smart, you've probably already turned off SSLv2; very few clients are SSLv2 only these days and as I've said, it's not very secure under active attack. In that case, this problem doesn't affect you. But in most programs, having SSLv2 on is the default, and experience indicates that defaults are very powerful. The good news, of course, is that this is only useful for an attacker mounting an active attack on a connection and there's not a lot of evidence that those happen frequently. And of course, there are other potential active attacks (especially social ones) that we don't really control for, so it's not clear how much difference this particular vulnerability makes. Still, now would probably be a good time to turn off SSLv2, patch your copy of OpenSSL, or both.
