bert
[Entry]
"Short answer: You can 1) wait, 2) avoid connections to important servers on public access points.
First of all, don't get overly scared. Remain calm, and listen to the followup episodes which will surely deal with fixing or circumventing the problem.
As far as I understand, what the described attack makes possible is creating a single TLS (aka SSL) secured request that's can be made look like it's authenticated. The man-in-the-middle will never get to read anything from the connection, he can only insert one malicious request to the beginning of a secure stream. The attacker cannot even read the reply, so he has to rely on doing an requesting an malicious action.
But you are right, this situation does require updating all secure web servers. It cannot be prevented on the client side, so there's no use updating your system. What clients could do is ask if the server happens to know how to prevent this, and simply drop the connection if the server doesn't know anything about it. But... ""you know, if we told our browsers not to allow TLS without renegotiation protection, we couldn't talk to anybody today."" So that protection ends up being the same as simply avoiding TLS.
But before there is a fix... well the fact remains that any TLS connection opened on a public access point could get silently preceded by a one-way malicious request. Of course you woudn't want that reqeust to say ""transfer X money to this Y account"". :) But then again, bank transactions like that require multiple page loads and credential communication, so I don't see any risk there.
And there are worse and more likely threats out there too. This one is just particularly interesting, since there seems to be no way of currently avoiding it. Security people get interested about things like that. The reality seems to be that people can be spoofed a lot more seriously and more easily (simples one is man-in-the-middle turning all HTTPS to unsecure HTTP, and most people won't notice it), so I don't see why someone would bother with this attack. But yeah, to be on the safe side, I would advise on not opening connections to important services on public access points."
|