Re: Can'somebody tell me why SSL2 is still by default
Julien Pierre wrote:
> RFC 2817 has serious security implications for clients, because it does not specify a distinct URL scheme for TLS upgrade. Browsers are left without a means to enforce encryption on the connection. It is up to the server to upgrade the connection to TLS - or not. I would say that the HTTP TLS upgrade protocol is flawed. For this reason, it should not be implemented in general-purpose browsers such as mozilla.

Indeed, this is the very problem that makes people want to abandon SSL2. RFC 2817 is vulnerable to a roll-back attack. An active attacker need only intercept the request to upgrade to TLS and return a response saying that it cannot do so. The client will then continue without any SSL/TLS at all. Even SSL2 isn't that bad!

--
Nelson B

___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
Re: Can'somebody tell me why SSL2 is still by default
On this thread [EMAIL PROTECTED] said to me:

"One quick comment (I will likely respond in more detail later) - SSL V2 should now be off across our entire complex. If you know of any cases where we have specific servers that are still accepting V2 connections, please can you let me know - I will request that it gets turned off."

The word is spreading!

iang
--
Advances in Financial Cryptography, Issue 1:
https://www.financialcryptography.com/mt/archives/000458.html
Daniel Nagy, On Secure Knowledge-Based Authentication
Adam Shostack, Avoiding Liability: An Alternative Route to More Secure Products
Ian Grigg, Pareto-Secure
Re: Can'somebody tell me why SSL2 is still by default
Peter Gutmann wrote:
> [snip]
> Are there products around that will actually reject an MSIE handshake with its wrong version number?

Yes, all NSS-based server products will do that by default. There is a configuration option to disable the version roll-back detection, and it is conceivable that some NSS-based server products have turned it on, but I doubt it. When NSS-based server products have problems, I always hear about it, and I've yet to hear a complaint that boils down to "IE with TLS enabled doesn't work with our servers".
Re: Can'somebody tell me why SSL2 is still by default
Nelson B <[EMAIL PROTECTED]> writes:
>Peter Gutmann wrote:
>> Gervase Markham <[EMAIL PROTECTED]> writes:
>>>SSL3 has a mechanism for detecting an attacker attempting to downgrade a connection between two SSL3 endpoints to SSL2 in order to MITM it, if that's what you mean.
>>
>> However for TLS Microsoft got their implementation of this wrong (it's still wrong in the latest versions of MSIE, last time I checked), so all other implementations don't use it in order to work with MSIE/IIS:
>Actually, quite a few server products DO properly implement version roll-back detection. I think that's one reason why IE keeps TLS disabled by default.
>Dunno why they don't just fix it.

Because in order to be compatible with MSIE, everyone else has to break their code, so there's no need to fix it :-).

Are there products around that will actually reject an MSIE handshake with its wrong version number? Since I never use MSIE (apart from testing my own code), I haven't noticed any problems with connecting. I know that when I first saw it I asked another SSL developer about it and he said it was a known problem, and the solution was just to ignore the invalid version number for an MSIE connect.

Peter.
Re: Can'somebody tell me why SSL2 is still by default
Ian,

Ian G wrote:
> That was my thought also. And what's more, Ben posted on my blog at https://www.financialcryptography.com/mt/archives/000463.html a week back that Apache 2.1 supports TLS upgrade -
>
> http://httpd.apache.org/docs-2.1/mod/mod_ssl.html#sslengine
> "New in Apache 2.1, SSLEngine can be set to optional. This enables support for RFC 2817, Upgrading to TLS Within HTTP/1.1. At this time no web browsers support RFC 2817."
> The only thing I've ever run into in "the wild" that actually does TLS upgrade as a client is CUPS.
> Posted by: Ben at May 21, 2005 03:22 PM
>
> Sounds very cool and desirable, but it also sounds different to vhosts support.
>
> iang

RFC 2817 has serious security implications for clients, because it does not specify a distinct URL scheme for TLS upgrade. Browsers are left without a means to enforce encryption on the connection. It is up to the server to upgrade the connection to TLS - or not. I would say that the HTTP TLS upgrade protocol is flawed. For this reason, it should not be implemented in general-purpose browsers such as mozilla.

The TLS server name indication extension for CLIENT HELO does not have this security problem, and is the preferred solution to solve the problem of multiple server certs on a single IP/port.
Re: Can'somebody tell me why SSL2 is still by default
On Wednesday 01 June 2005 19:01, Gervase Markham wrote:
> Duane wrote:
> > This is especially important for web related uses as you could also send the hostname you wanted to connect to before doing the handshaking, which means if a server has 50 certificates to choose from, and you send a specific hostname it can try and match that and send you the right certificate, rather than sending a certificate which is currently the case. Due to being able to reuse ports it was also supposed to serve the (perceived) purpose of reducing the number of IPs needed by web hosting companies for encrypted websites.
>
> As I understand it, this ability (vhosting) is part of SSL 3 as well...

That was my thought also. And what's more, Ben posted on my blog at https://www.financialcryptography.com/mt/archives/000463.html a week back that Apache 2.1 supports TLS upgrade -

http://httpd.apache.org/docs-2.1/mod/mod_ssl.html#sslengine
"New in Apache 2.1, SSLEngine can be set to optional. This enables support for RFC 2817, Upgrading to TLS Within HTTP/1.1. At this time no web browsers support RFC 2817."
The only thing I've ever run into in "the wild" that actually does TLS upgrade as a client is CUPS.
Posted by: Ben at May 21, 2005 03:22 PM

Sounds very cool and desirable, but it also sounds different to vhosts support.

iang
--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html
Re: Can'somebody tell me why SSL2 is still by default
Duane wrote:
> This is especially important for web related uses as you could also send the hostname you wanted to connect to before doing the handshaking, which means if a server has 50 certificates to choose from, and you send a specific hostname it can try and match that and send you the right certificate, rather than sending a certificate which is currently the case. Due to being able to reuse ports it was also supposed to serve the (perceived) purpose of reducing the number of IPs needed by web hosting companies for encrypted websites.

As I understand it, this ability (vhosting) is part of SSL 3 as well...

Gerv
Re: Can'somebody tell me why SSL2 is still by default
Ian G wrote:
> Something I've been meaning to ask - is there any particular reason to continue to discuss SSLv3 when instead we could just talk about and promote TLSv1 ? That is, is there anything in the two specs and the deployed implementations that might make one or the other incompatible?

TLS was supposed to replace SSLv3 because of functionality reasons more than security ones, in that you could have a port (say 80) that could then escalate to encryption if asked.

One of the most widely deployed uses of this is SMTP-TLS, both encrypted and non-encrypted uses the same port (port 25) but when the client first connects to the server it sends a signal to start the encryption handshaking process.

This is especially important for web related uses as you could also send the hostname you wanted to connect to before doing the handshaking, which means if a server has 50 certificates to choose from, and you send a specific hostname it can try and match that and send you the right certificate, rather than sending a certificate which is currently the case. Due to being able to reuse ports it was also supposed to serve the (perceived) purpose of reducing the number of IPs needed by web hosting companies for encrypted websites.

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."
Re: Can'somebody tell me why SSL2 is still by default
> Nelson B wrote:
> > Please read appendix E.2 of the SSL3 specification and TLS standard.
> > (It's the same appendix and same text in both documents).
> > SSL3 spec: http://wp.netscape.com/eng/ssl3/draft302.txt
> > TLS standard: http://www.rfc-editor.org/rfc/rfc2246.txt

Something I've been meaning to ask - is there any particular reason to continue to discuss SSLv3 when instead we could just talk about and promote TLSv1 ? That is, is there anything in the two specs and the deployed implementations that might make one or the other incompatible?

Now, this is a completely minor and forgettable question - It is clearly much more important to seek&destroy SSLv2 wherever she may be found so as to get to the possibility of running more vhosts and much more TLS. I wouldn't want to derail that, but I was curious briefly...

iang
--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html
Re: Can'somebody tell me why SSL2 is still by default
Nelson B wrote:
> I agree. In fact that's my point. If you're worried about the potential use of 40-bit ssl2 ciphers, then disable the 40-bit ciphers.

It's not just for me ... because I have already done that ... but it is for 90% of the people using mozilla ... and who don't know about what is a cipherlist ...

Anyway ... I believe that we get the same point
Re: Can'somebody tell me why SSL2 is still by default
Kikx wrote:
> Nelson Bolyard wrote:
>> 2. That SSL2 allows an attacker to "force you ... to use a very weak encryption". That's just not true. 3DES and 128-bit RC43 are no weaker with SSL2 than with SSL3. An SSL2 client can choose to disallow the "40-bit" ciphers, just as an SSL3 client can. Likewise, an SSL3 client that allows 40-bit ciphers is just as vulnerable with those ciphers as is an SSL2 client.
>
> I'm totally on your side and I approve what you say. But the fact is I consider that an attack is an attack if it succeeds most of the time ... As 40 bit cipher are allowed

Perhaps you mean "when the client allows 40-bit ciphers". But the client does not always allow 40-bit ciphers. I have configured my mozilla client to disallow ssl2 40-bit ciphers. No version roll-back attack can force my ssl2 client to use weaker ciphers than those it has been configured to use.

> it is possible to lower the encryption (for most of the people)

For all of the people who enable ssl2's 40-bit ciphers, and for NONE of the people who disable ssl2's weaker ciphers.

>> but only that we should not accuse it of being vulnerable to things it is not.
>
> To be really clear
> - SSLv2 with high encryption is as secure as SSLv3 with high encryption
> - SSLv2 allows to downgrade the encryption (perhaps we can detect it but most of the time it is not implemented on servers)

ssl2 allows an active attacker to force the connection to use a cipher of its choosing from among the ciphers enabled mutually by the client and server. If a client enables only "128-bit" ssl2 ciphers, the attacker cannot force the client to use weaker encryption.

> We have to clearly separate the encryption and the protocol which are definitely different

I agree. In fact that's my point. If you're worried about the potential use of 40-bit ssl2 ciphers, then disable the 40-bit ciphers.

> Thanks for your advice but the fact is that we can do one thing : It is to change some things on mozilla ... not on some servers in the world which don't want to upgrade...

Thanks for your advice.

--
Nelson B
SSL/TLS engineer/developer for mozilla
Re: Can'somebody tell me why SSL2 is still by default
Nelson B wrote:
> Please read appendix E.2 of the SSL3 specification and TLS standard.
> (It's the same appendix and same text in both documents).
> SSL3 spec: http://wp.netscape.com/eng/ssl3/draft302.txt
> TLS standard: http://www.rfc-editor.org/rfc/rfc2246.txt

Thanks for this interesting link

> But not all SSL2+SSL3 capable servers implement that rollback attack detection. I'd guess that the server you used is one of those that does not.

Yes I think so ... I tried with a couple of servers but definitely not all servers :)

Thanks
Kikx

Very interesting
Re: Can'somebody tell me why SSL2 is still by default
Nelson Bolyard wrote:
> 2. That SSL2 allows an attacker to "force you ... to use a very weak encryption". That's just not true. 3DES and 128-bit RC43 are no weaker with SSL2 than with SSL3. An SSL2 client can choose to disallow the "40-bit" ciphers, just as an SSL3 client can. Likewise, an SSL3 client that allows 40-bit ciphers is just as vulnerable with those ciphers as is an SSL2 client.

I'm totally on your side and I approve what you say. But the fact is I consider that an attack is an attack if it succeeds most of the time ... As 40 bit cipher are allowed it is possible to lower the encryption (for most of the people) ... but the fact is even if we accept lowest encryption SSL3 avoids changing the cipher list and then the downgrading attack is just useless ... SSLv3 has been implemented in order to be more secure than SSLv2 concerning this issue (not just for that but it is one of the problems)

> but only that we should not accuse it of being vulnerable to things it is not.

To be really clear
- SSLv2 with high encryption is as secure as SSLv3 with high encryption
- SSLv2 allows to downgrade the encryption (perhaps we can detect it but most of the time it is not implemented on servers)

We have to clearly separate the encryption and the protocol which are definitely different

> I think we are getting ever closer to the day when mozilla can and will do that.

I think so

> Personally, I think we should be more concerned with servers that still use only the old "export" (a.k.a. "40-bit") ciphers, whether SSL2 or SSL3.

Thanks for your advice but the fact is that we can do one thing : It is to change some things on mozilla ... not on some servers in the world which don't want to upgrade...

One more time it is not a criticism ... I want just to have another point of view in order to make some improvements

Kikx
Re: Can'somebody tell me why SSL2 is still by default
Peter Gutmann wrote:
> Gervase Markham <[EMAIL PROTECTED]> writes:
>> SSL3 has a mechanism for detecting an attacker attempting to downgrade a connection between two SSL3 endpoints to SSL2 in order to MITM it, if that's what you mean.
>
> However for TLS Microsoft got their implementation of this wrong (it's still wrong in the latest versions of MSIE, last time I checked), so all other implementations don't use it in order to work with MSIE/IIS:

Actually, quite a few server products DO properly implement version roll-back detection. I think that's one reason why IE keeps TLS disabled by default.
Dunno why they don't just fix it.

--
Nelson B
Re: Can'somebody tell me why SSL2 is still by default
Gervase Markham <[EMAIL PROTECTED]> writes:
>Kikx wrote:
>> Yes ...
>> but there is still 2 solutions
>> - A very big warning if we speak in SSL3 and the answer came in SSL2
>SSL3 has a mechanism for detecting an attacker attempting to downgrade a connection between two SSL3 endpoints to SSL2 in order to MITM it, if that's what you mean.

However for TLS Microsoft got their implementation of this wrong (it's still wrong in the latest versions of MSIE, last time I checked), so all other implementations don't use it in order to work with MSIE/IIS:

  /* Microsoft braindamage, even the latest versions of MSIE still send
     the wrong version number for the premaster secret (making it look
     like a rollback attack), so if we're expecting 3.1 and get 3.0, it's
     MSIE screwing up */

Reminds me of the scene from "Asterix in Egypt" where the sphinx souvenir sellers are busy chiselling the noses off their statues, because it's more important to be conformant than correct.

Peter.
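The version check that the quoted comment relaxes, as an added example that is not part of the original post or of any poster's code. It assumes the RFC 2246 layout of the RSA premaster secret (48 bytes, the first two carrying the version the client offered in its ClientHello); all function and constant names are hypothetical and the sample secrets are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48   /* 2 version bytes + 46 random bytes */

enum pms_policy {
    PMS_STRICT,        /* version in the secret must equal the ClientHello version */
    PMS_TOLERATE_3_0   /* also accept 3.0 when 3.1 was offered (the workaround quoted above) */
};

enum pms_result {
    PMS_BAD_LENGTH = -1,
    PMS_OK = 0,          /* versions agree */
    PMS_ROLLBACK = 1,    /* mismatch: treat as a version roll-back */
    PMS_TOLERATED = 2    /* mismatch accepted for compatibility */
};

/* Compare the version inside the decrypted premaster secret with the
 * version the client offered in its ClientHello. */
enum pms_result pms_check(const unsigned char *pms, size_t len,
                          unsigned char hello_major, unsigned char hello_minor,
                          enum pms_policy policy)
{
    if (pms == NULL || len != PMS_LEN)
        return PMS_BAD_LENGTH;
    if (pms[0] == hello_major && pms[1] == hello_minor)
        return PMS_OK;
    /* Under the tolerant policy a real 3.1 -> 3.0 roll-back looks exactly
     * like the client quirk, so this branch gives up detection for it. */
    if (policy == PMS_TOLERATE_3_0 && hello_major == 3 && hello_minor == 1 &&
        pms[0] == 3 && pms[1] == 0)
        return PMS_TOLERATED;
    return PMS_ROLLBACK;
}

/* Build a constructed premaster secret for major version 3 and run the check. */
enum pms_result pms_demo(unsigned char hello_minor, unsigned char pms_minor,
                         enum pms_policy policy)
{
    unsigned char pms[PMS_LEN];

    memset(pms, 0xA5, sizeof pms);   /* constructed filler, not real key material */
    pms[0] = 3;
    pms[1] = pms_minor;
    return pms_check(pms, sizeof pms, 3, hello_minor, policy);
}

int main(void)
{
    printf("offered 3.1, secret 3.1, strict:   %d\n", pms_demo(1, 1, PMS_STRICT));
    printf("offered 3.1, secret 3.0, strict:   %d\n", pms_demo(1, 0, PMS_STRICT));
    printf("offered 3.1, secret 3.0, tolerant: %d\n", pms_demo(1, 0, PMS_TOLERATE_3_0));
    return 0;
}
```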
Re: Can'somebody tell me why SSL2 is still by default
Kikx wrote:
> Considering that it's a lack of security and allow man in the middle attack (down negotiation only) and even if you would like to use TLS or SSL3 an attacker can just force you to go to SSL2 and then to use a very weak encryption without any warning ...

There are two statements (or implied statements) here that I think need to be addressed:

1. That SSL2 "allow[s] man in the middle attack". Protocol version rollback is NOT the same as a Man In The Middle attack. Rollback is an "active" attack, and a real attack, but of limited consequence for SSL2. I'm not saying we should ignore it, but only that we should not inflate it by calling it something worse than it is.

2. That SSL2 allows an attacker to "force you ... to use a very weak encryption". That's just not true. 3DES and 128-bit RC43 are no weaker with SSL2 than with SSL3. An SSL2 client can choose to disallow the "40-bit" ciphers, just as an SSL3 client can. Likewise, an SSL3 client that allows 40-bit ciphers is just as vulnerable with those ciphers as is an SSL2 client.

My point is not that SSL2 is flawless, nor that its life should be prolonged but only that we should not accuse it of being vulnerable to things it is not. Our decisions on whether or not to use SSL2 should be based on facts about its strengths and weaknesses.

> I really think that mozilla should disable SSL2

I think we are getting ever closer to the day when mozilla can and will do that.

> or warning a lot when asking in ssl3 and the server response in SSL2 !!!

I hope you realize that means warning for EVERY SSL2 server.

> Kikx

Personally, I think we should be more concerned with servers that still use only the old "export" (a.k.a. "40-bit") ciphers, whether SSL2 or SSL3.

/Nelson
Re: Can'somebody tell me why SSL2 is still by default
Kikx wrote:
> Gervase Markham wrote:
>> SSL3 has a mechanism for detecting an attacker attempting to downgrade a connection between two SSL3 endpoints to SSL2 in order to MITM it, if that's what you mean.
>
> I don't understand your point ... I have written a program a couple of months ago that downgrades a connection to SSL 2 without any warning ...

So, you've implemented a version rollback attack. That's an active attack, but is not the same as an MITM.

> And I can't understand how the "mechanism" works because before the handshake you have no security and as the attacker asks for an SSL2 connexion, there is no more checksum for the transaction in clear text ... then as the transaction in clear are not checked ... the attacker can do whatever he wants (assuming that both of endpoints will accept such a level of encryption)

Please read appendix E.2 of the SSL3 specification and TLS standard.
(It's the same appendix and same text in both documents).
SSL3 spec: http://wp.netscape.com/eng/ssl3/draft302.txt
TLS standard: http://www.rfc-editor.org/rfc/rfc2246.txt

When a client that is capable of speaking SSL3 does an SSL2 RSA encryption operation, it includes some information in the encrypted data that identifies it as an SSL3 capable client. If the server is a real ssl2-only server, it will ignore this information and proceed normally. If the server is one that is capable of using both SSL2 and SSL3/TLS, then it should detect that it is talking with the SSL2 protocol to an SSL3-capable client, and should treat that as a sign of a version rollback attack. It can then terminate the handshake with an SSL3/TLS alert about the rollback, or if it is an https server, it can complete the handshake but then return a web page that reports the attack.

But not all SSL2+SSL3 capable servers implement that rollback attack detection. I'd guess that the server you used is one of those that does not.

--
Nelson B
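The server-side detection described in the message above, as an added example that is not part of the original post or of any product's code. It assumes the appendix E.2 convention from RFC 2246 that an SSL3/TLS-capable client sets the eight least-significant PKCS #1 padding bytes of its SSL2 key block to 0x03; function names are hypothetical and the sample blocks are constructed, with fixed filler where a real client would use random padding.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum e2_result {
    E2_MALFORMED = -1,   /* not a PKCS #1 block type 2 with >= 8 padding bytes */
    E2_PLAIN_SSL2 = 0,   /* ordinary padding: client only speaks SSL2 */
    E2_ROLLBACK = 1      /* marker present: SSL3/TLS-capable client arrived over SSL2 */
};

#define E2_MARK_LEN 8
#define E2_MARK_BYTE 0x03

/* Inspect an RSA-decrypted SSL2 key block laid out as 00 02 PS 00 DATA.
 * A server that also speaks SSL3/TLS runs this on every SSL2 handshake.
 * Sketch only: production code must run in constant time and must not
 * reveal to the peer which of these checks failed. */
enum e2_result e2_check(const unsigned char *em, size_t em_len)
{
    size_t i, sep = 0, marked = 0;

    if (em == NULL || em_len < 2 + E2_MARK_LEN + 1)
        return E2_MALFORMED;
    if (em[0] != 0x00 || em[1] != 0x02)
        return E2_MALFORMED;
    for (i = 2; i < em_len; i++) {            /* first zero byte ends the padding */
        if (em[i] == 0x00) { sep = i; break; }
    }
    if (sep == 0 || sep - 2 < E2_MARK_LEN)
        return E2_MALFORMED;
    for (i = sep - E2_MARK_LEN; i < sep; i++) /* the 8 padding bytes next to the separator */
        marked += (em[i] == E2_MARK_BYTE);
    return marked == E2_MARK_LEN ? E2_ROLLBACK : E2_PLAIN_SSL2;
}

/* Build a constructed block as either kind of client would. Returns the
 * block length, or 0 if the sizes do not fit. */
size_t e2_build_sample(unsigned char *out, size_t out_len,
                       const unsigned char *key, size_t key_len, int ssl3_capable)
{
    size_t pad_len, i;

    if (out_len < key_len + 3 + E2_MARK_LEN)
        return 0;
    pad_len = out_len - key_len - 3;
    out[0] = 0x00;
    out[1] = 0x02;
    for (i = 0; i < pad_len; i++)             /* non-zero filler, never 0x03 */
        out[2 + i] = (unsigned char)(0x10 + (i % 0xE0));
    if (ssl3_capable)
        memset(out + 2 + pad_len - E2_MARK_LEN, E2_MARK_BYTE, E2_MARK_LEN);
    out[2 + pad_len] = 0x00;
    memcpy(out + 3 + pad_len, key, key_len);
    return out_len;
}

/* Run the server-side check on a 128-byte sample (1024-bit modulus). */
enum e2_result e2_demo(int ssl3_capable)
{
    static const unsigned char key[16] = "constructed-key";
    unsigned char em[128];

    if (e2_build_sample(em, sizeof em, key, sizeof key, ssl3_capable) == 0)
        return E2_MALFORMED;
    return e2_check(em, sizeof em);
}

int main(void)
{
    printf("SSL2-only client:       %d\n", e2_demo(0));
    printf("SSL3-capable over SSL2: %d\n", e2_demo(1));
    return 0;
}
```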
Re: Can'somebody tell me why SSL2 is still by default
Gervase Markham wrote:
> Kikx wrote:
>
>> Yes ...
>> but there is still 2 solutions
>> - A very big warning if we speak in SSL3 and the answer came in SSL2
>
> SSL3 has a mechanism for detecting an attacker attempting to downgrade a connection between two SSL3 endpoints to SSL2 in order to MITM it, if that's what you mean.

I don't understand your point ... I have written a program a couple of months ago that downgrades a connection to SSL 2 without any warning ...

And I can't understand how the "mechanism" works because before the handshake you have no security and as the attacker asks for an SSL2 connexion, there is no more checksum for the transaction in clear text ... then as the transaction in clear are not checked ... the attacker can do whatever he wants (assuming that both of endpoints will accept such a level of encryption)

After that I can understand that we can't just disable the SSL2 but a warning should be welcomed ... and this warning is not in the SSL2 or SSL3 protocols

Regards
Kikx
Re: Can'somebody tell me why SSL2 is still by default
Kikx wrote:
> Yes ...
> but there is still 2 solutions
> - A very big warning if we speak in SSL3 and the answer came in SSL2

SSL3 has a mechanism for detecting an attacker attempting to downgrade a connection between two SSL3 endpoints to SSL2 in order to MITM it, if that's what you mean.

> - A simple disabling of SSL2

We can't do this until we know how many servers out there are still SSL 2 only, and try and get them fixed. I'm working on getting some data here.

Gerv
Re: Can'somebody tell me why SSL2 is still by default
Yes ...
but there is still 2 solutions
- A very big warning if we speak in SSL3 and the answer came in SSL2
- A simple disabling of SSL2

Honestly I don't know what is the best
Re: Can'somebody tell me why SSL2 is still by default
On Thursday 19 May 2005 12:07, Kikx wrote:
> Considering that it's a lack of security and allow man in the middle attack (down negotiation only) and even if you would like to use TLS or SSL3 an attacker can just force you to go to SSL2 and then to use a very weak encryption without any warning ...
>
> I really think that mozilla should disable SSL2 or warning a lot when asking in ssl3 and the server response in SSL2 !!!

Yes, you are not alone. Gerv recently posted for internal Mozilla consumption (I think) a proposal to test this more formally.

http://weblogs.mozillazine.org/gerv/archives/008157.html

Spread the word ... turn off SSLv2 everywhere manually. In servers, browsers, etc. If any problems come to light, we can then at least examine them and decide what to do, but given the terribly low numbers of SSL v2 only servers out there (under 2%) I don't see that there will be a problem.

iang
--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html