Archiv pro měsíc: Červen 2014

Bulletproof SSL and TLS June Update: Cryptography, Protocol, and PKI

I’ve just released the June update of Bulletproof SSL and TLS. This
batch completes the manuscript and brings about 80 new pages across
three chapters

  • Chapter 1, SSL, TLS, and Cryptography, begins with a brief
    introduction to SSL and TLS and discusses where these secure protocols
    fit in the Internet infrastructure. The remainder of this chapter provides
    a basic introduction to cryptography and discusses the classic cryptography
    threat model.
  • Chapter 2, Protocol, discusses the TLS protocol in
    detail. I cover TLS 1.2, with mentions of differences in earlier
    versions where appropriate. An overview of the protocol evolution over the
    years is included at the end for your reference.
  • Chapter 3, Public-Key Cryptography, is an introduction to
    Internet PKI, which is the predominant trust model on the
    Internet today. The focus is on the standards and organizations, as well as
    governance, weaknesses, and possible future improvements.

The manuscript is now complete and has slightly over 500 pages. Previous chapters include:

  • Chapter 4, Attacks against PKI, deals with attacks on
    trust. It covers all the major CA compromises as well as some other ways to
    subvert TLS authentication on the Internet.

  • Chapter 5, HTTP and Browser Issues, is all about the
    relationship between HTTP and SSL, the problems arising from the organic
    growth of the Web, and the messy interactions between different pieces of
    the web ecosystem.

  • Chapter 6, Implementation Flaws, deals with issues arising
    from design and programming mistakes related to random number generation,
    certificate validation, and other key TLS and PKI functionality.
    Additionally, it discusses voluntary protocol downgrade and truncation

  • Chapter 7, Protocol Attacks, is the longest chapter in the
    book at 60 pages. It covers all major protocol flaws discovered in recent years: Insecure Renegotiation,
    BEAST, CRIME, Lucky 13, RC4, TIME and BREACH, Triple Handshake, and the Bullrun program.

  • Chapter 8, Deployment, is the map for the entire book and
    provides step by step instructions on how to deploy secure and
    well-performing TLS servers and web applications.

  • Chapter 9, Performance, focuses on the speed of TLS, providing more
    detail as well as additional performance improvement techniques for
    those who want to squeeze every bit of speed out of their servers.

  • Chapter 10, HSTS, CSP, and Pinning, covers some advanced topics
    that strengthen web applications, as well as pinning, which is a
    way of reducing the large attack surface imposed by our current PKI

  • Chapter 10, OpenSSL Cookbook, describes the most frequently used OpenSSL functionality, largely
    focusing on installation, configuration, and key and certificate management. This is the most polished chapter,
    given that it had been released as a standalone short book in May
    , and then updated in
  • Chapter 11, Testing with OpenSSL, continues with OpenSSL and explains how to use its
    command-line tools to test server configuration. Even though it is often much easier to use an automated
    tool for testing (e.g., the SSL Labs Server Test), OpenSSL remains the de facto standard for troubleshooting.
  • Chapter 12, Configuring Apache, discusses the SSL configuration of Apache httpd.
  • Chapter 13, Configuring Java and Tomcat, covers the current versions of Java and Tomcat,
    and provides full coverage of the SSL/TLS capabilities of Java 7 and 8.
  • Chapter 14, Configuring Microsoft Windows and IIS, discusses the Microsoft Windows
    platform and the Internet Information Server.
  • Chapter 15, Configuring Nginx, discusses the Nginx web server, covering the
    features in the stable and development version equally.

In the next couple of weeks we’ll be working the finishing touches and preparing the book for
printing. After two years of writing, it’s very exciting to be this close to the finish.

If you already have access to the book, here’s the direct link to access
the new content:

If you don’t have the access yet, Bulletproof SSL and TLS is available now
for early access and preorder, at a 10% discount

SSL Labs: New grades for trust (T) and mismatch (M) issues

In the 1.10.x code branch of SSL
, which was deployed to production last week, we
made a change in how we handle assessments with trust issues. Previously,
all certificates that we couldn’t validate (largely because they were
self-signed or issued from a private CA root) were given an F grade. In this
latest version, we introduced two new grades:

  • Trust issues (T); If we don’t trust a certificate (and there
    aren’t any other security issues), we assign it a T grade (for „trust)“.
    This grade is thus used when the server is otherwise well-configured. Just
    below the T grade, we note the grade the server would get if the trust
    issues were resolved.

  • Name mismatch issues (M); In some cases, trust issues come from
    name mismatches and usually when a server doesn’t actually use encryption.
    Such sites now get an M grade (for „mismatch“).

I expect the introduction of these new grades is going to help our users
better understand what’s really going on.

SSL Pulse: 49% vulnerable to CVE-2014-0224, 14% exploitable

Last week (on June 5th), OpenSSL published an
detailing a number of serious problems. The
CVE-2014-0224 vulnerability will be the most problematic for most
deployments because it
can be exploited via an active network (man in the middle) attack.

This vulnerability allows an active network attacker to inject
ChangeCipherSpec (CCS) messages to both sides of a connection and force them
to fix their keys before all key material is available. Weak keys are
negotiated as a result. If you’re interested in the details, Adam Langley
published a good technical

Although virtually all versions of OpenSSL are vulnerable, this problem
is exploitable only if (1) both sides use OpenSSL and (2) the server uses
a vulnerable version of OpenSSL from the 1.0.1 branch.

The good news is that most browsers don’t rely on OpenSSL, which means
that most browser users won’t be affected. However, Android browsers do use
OpenSSL and are vulnerable to this attack. Additionally, many command-line
and similar programmatic tools use OpenSSL. A particularly interesting
target will be various VPN products, provided they are based on OpenSSL
(like, for example, OpenVPN).

Over at SSL Labs, we’ve been testing a remote check for CVE-2014-0224
since Friday. Satisfied that the test is identifying vulnerable hosts
correctly, yesterday we ran a scan against the SSL Pulse dataset. The
results are that about 49% servers are vulnerable. About 14% (of
the total number) are exploitable
because they’re running a newer version of OpenSSL. The rest are
probably not exploitable, but should be upgraded because it’s
possible that there are other ways to exploit this problem.

If you’d like to test your servers, the latest version of SSL
incorporates a check for CVE-2014-0224.