
How do I avoid the new SSL vulnerability?

What can I do today to avoid the new SSL vulnerability?

Asked by: Guest | Views: 307
Total answers/comments: 2
bert [Entry]

Short answer: You can 1) wait, 2) avoid connections to important servers on public access points.

First of all, don't get overly scared. Remain calm, and listen to the followup episodes which will surely deal with fixing or circumventing the problem.

As far as I understand, what the described attack makes possible is creating a single TLS (aka SSL) secured request that can be made to look like it's authenticated. The man-in-the-middle will never get to read anything from the connection, he can only insert one malicious request to the beginning of a secure stream. The attacker cannot even read the reply, so he has to rely on requesting a malicious action.

But you are right, this situation does require updating all secure web servers. It cannot be prevented on the client side, so there's no use updating your system. What clients could do is ask if the server happens to know how to prevent this, and simply drop the connection if the server doesn't know anything about it. But... "you know, if we told our browsers not to allow TLS without renegotiation protection, we couldn't talk to anybody today." So that protection ends up being the same as simply avoiding TLS.

But before there is a fix... well the fact remains that any TLS connection opened on a public access point could get silently preceded by a one-way malicious request. Of course you wouldn't want that request to say "transfer X money to this Y account". :) But then again, bank transactions like that require multiple page loads and credential communication, so I don't see any risk there.

And there are worse and more likely threats out there too. This one is just particularly interesting, since there seems to be no way of currently avoiding it. Security people get interested in things like that. The reality seems to be that people can be spoofed a lot more seriously and more easily (the simplest one is a man-in-the-middle turning all HTTPS to unsecure HTTP, and most people won't notice it), so I don't see why someone would bother with this attack. But yeah, to be on the safe side, I would advise not opening connections to important services on public access points.
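
The client-side check described in the answer above, as an added example that is not part of the original post: it assumes the `renegotiation_info` extension (type 0xFF01) that RFC 5746 later standardized as the server's signal, and parses a ServerHello to see whether it is present. Function names and the sample messages are constructed for illustration.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type from RFC 5746 (assumed fix)

def server_hello_extensions(msg: bytes) -> dict:
    """Return {extension_type: data} parsed from a ServerHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big") or len(body) < 38:
        raise ValueError("truncated or malformed ServerHello")
    pos = 2 + 32 + 1 + body[34] + 2 + 1  # version, random, session_id, suite, compression
    exts = {}
    if pos == len(body):  # server sent no extension block at all
        return exts
    try:
        (total,) = struct.unpack_from(">H", body, pos)
        pos += 2
        if pos + total != len(body):
            raise ValueError("bad extensions length")
        while pos < len(body):
            etype, elen = struct.unpack_from(">HH", body, pos)
            pos += 4
            if pos + elen > len(body):
                raise ValueError("extension overruns message")
            exts[etype] = body[pos:pos + elen]
            pos += elen
    except struct.error as exc:
        raise ValueError("truncated extension block") from exc
    return exts

def protects_renegotiation(msg: bytes) -> bool:
    """True if a first-handshake ServerHello carries an empty renegotiation_info."""
    return server_hello_extensions(msg).get(RENEGOTIATION_INFO) == b"\x00"

def client_action(msg: bytes, strict: bool) -> str:
    """Hypothetical client policy: a strict client drops unprotected servers."""
    ok = protects_renegotiation(msg)
    return "continue" if ok else ("abort" if strict else "continue-unprotected")

def build_server_hello(exts: bytes) -> bytes:
    """Constructed sample: TLS 1.0 ServerHello, zeroed random, empty session id."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if exts:
        body += struct.pack(">H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body

PATCHED = build_server_hello(struct.pack(">HHB", RENEGOTIATION_INFO, 1, 0))
UNPATCHED = build_server_hello(b"")
```

With `strict=True` every server that omits the extension is dropped, which is the trade-off the remark quoted in the answer points at.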
bert [Entry]

Don't listen to people who try to scare you! This certainly is not worth changing operating system over.

Just use your internet like normal with your usual DNS provider and don't worry so much. Man in the middle attacks require... a man in the middle and on a standard network, this just doesn't really happen.

If you use Wireless, make sure you are using WPA2 and rotate your keys often, and if using wired, I wouldn't worry.

Don't use public access points as this is where you will most likely run into someone who uses this sort of attack.

Make sure you use a good DNS provider such as OpenDNS.

At the end of the day, your ISP could have a custom route for some IPs and be forging ALL DNS requests, they can block/log/reroute anything... Anything can happen in life... Sometimes, you just have to get on with life and balance the pros with the cons!