Friday, January 2, 2009

Broken MD5, cracked SSL, and the end of all trust

Here's a shocker for you - a major security vulnerability in the foundations of the Internet is disclosed, and more importantly proven practical, and security professionals, vendors, and journalists are missing the forest for the trees.

I'm not going to claim that I'm the only one seeing the "bigger picture", because that would be arrogant and stupid, but after a fairly lengthy chat with my colleague Eugene today on this topic, and after reading up on it on the various news wires and the disclosure page itself... it's obvious the point is being missed, big time.

The original disclosure post has an interesting quote that most analyses have glossed over:
Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites.

Taken from a post on InternetNews [linked here]:

Mozilla's Johnathan Nightingale, a security and usability specialist at the group, said that the attack could pose a threat to some users but that Mozilla is not aware of any instances of it occurring.

"We advise users to exercise caution when interacting with sites that require sensitive information, particularly when using public internet connections," he wrote in a post on Mozilla's security blog.
While Johnathan defends Mozilla's [good] name, I think he demonstrates two fundamental issues with the way this particular item is being handled in the press and on the blogs:
  1. Mozilla is not aware of any instances of this occurring - of course not, that's the point! The chosen-prefix MD5 collision behind this attack has been in the open literature since 2007, and it is now demonstrated for real with the assistance of a massive computing effort (the researchers used a cluster of about 200 PlayStation 3 consoles). It may very well have been exploited by organized crime or hostile governments for a long time, given their access to funds and that kind of computational capacity. Saying "we've never heard of it actually being exploited" is like saying "sure, the car could burst into flames, but no one's ever reported that"... because the people who could report it are likely already dead! Get the parallel?
  2. Mozilla advises users to exercise caution when interacting with sites that require sensitive information - great advice, except that I would be willing to bet that even though the proverbial cat's out of the bag, 99.999% of people won't ever look that closely at every SSL cert presented to their browser. In fact, I would be willing to bet most security people won't look that closely either... and a certificate issued by the rogue CA would look perfectly valid even if they did. That's the truly scary thing about this type of attack - it's a silent killer.
Not to pick on Mozilla or Johnathan in particular; Microsoft's quote is equally worrisome:
Likewise, Microsoft issued Security Advisory 961509, in which it said the vulnerability does not significantly increase the risk to customers, since its discoverers had not published the cryptographic background to the flaw, which hackers would need to mount an attack.
The vulnerability absolutely increases the risk to customers... how could you argue that it doesn't? People in our security community have traditionally argued against sounding the alarm for computationally expensive, "theoretical" attacks like this, on the grounds that the average hacker doesn't have the means to execute them. Here's the caveat that no one likes to talk about - organized crime and hostile governments have this kind of cash and computational capacity to spare... and they're the enemy. Withholding the exact collision details doesn't change the math, either: the chosen-prefix collision method for MD5 was published in 2007, so anyone with the budget can reproduce the work. So how does anyone really know this attack hasn't already been perpetrated?
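To make the mechanics concrete, here is a toy model of the rogue-CA trick the post is describing. It is an added example, not code from the post or from the researchers who published the attack. The point it demonstrates is that a CA's signature covers only the digest of the certificate body, so if an attacker can produce two bodies with the same digest, one harmless and one carrying CA:TRUE, the signature the CA puts on the harmless one is equally valid on the rogue one. The assumptions are all toy substitutions: MD5 is truncated to 24 bits so a birthday search finds the collision in well under a second (the real attack needs a full chosen-prefix collision, which is why the computing cluster was required), an HMAC stands in for the CA's RSA signature, a JSON dictionary stands in for the DER tbsCertificate, and the attacker simply varies a counter instead of predicting the serial number and validity period the CA will assign.

```python
"""Toy model of the rogue-CA attack (added example, not the original post's
code).  A CA signature covers digest(tbsCertificate), so two certificate
bodies with the same digest share one valid signature.  Assumptions:
truncated MD5 instead of full MD5, HMAC instead of RSA, JSON instead of
DER, and an attacker-controlled counter instead of predicted CA fields."""
import hashlib
import hmac
import json

CA_PRIVATE_KEY = b"toy-ca-private-key"   # constructed stand-in for the CA's key
DIGEST_BYTES = 3                          # 24-bit truncated MD5 (toy setting)


def weak_digest(tbs: bytes) -> bytes:
    """Truncated MD5, playing the part of the md5WithRSA digest the CA used."""
    return hashlib.md5(tbs).digest()[:DIGEST_BYTES]


def strong_digest(tbs: bytes) -> bytes:
    """SHA-256, for comparison: the MD5 collision does not carry over to it."""
    return hashlib.sha256(tbs).digest()


def ca_sign(tbs: bytes, digest) -> bytes:
    """The CA signs digest(tbs), never the body itself (HMAC stands in for RSA)."""
    return hmac.new(CA_PRIVATE_KEY, digest(tbs), "sha256").digest()


def verify(tbs: bytes, sig: bytes, digest) -> bool:
    """Relying-party check: recompute the digest and compare signatures."""
    return hmac.compare_digest(ca_sign(tbs, digest), sig)


def make_tbs(subject: str, is_ca: bool, counter: int) -> bytes:
    """Simplified certificate body; the real one is a DER tbsCertificate."""
    return json.dumps(
        {"subject": subject, "basicConstraints": {"cA": is_ca}, "serial": counter},
        sort_keys=True,
    ).encode()


def chosen_prefix_collision(legit_subject: str, rogue_subject: str):
    """Birthday search for a legitimate end-entity body and a rogue CA body
    (cA=True) whose truncated MD5 digests are equal.  Returns (legit, rogue)."""
    seen = {}
    counter = 0
    while True:
        for kind, tbs in (("legit", make_tbs(legit_subject, False, counter)),
                          ("rogue", make_tbs(rogue_subject, True, counter))):
            h = weak_digest(tbs)
            hit = seen.get(h)
            if hit is not None and hit[0] != kind:
                return (tbs, hit[1]) if kind == "legit" else (hit[1], tbs)
            seen[h] = (kind, tbs)
        counter += 1


def run_attack() -> dict:
    legit, rogue = chosen_prefix_collision("www.example.com", "Rogue Intermediate CA")
    # The CA vets and signs only the harmless end-entity request...
    sig = ca_sign(legit, weak_digest)
    return {
        "legit_verifies": verify(legit, sig, weak_digest),
        # ...but the very same signature validates the rogue CA body.
        "rogue_verifies": verify(rogue, sig, weak_digest),
        "rogue_is_ca": json.loads(rogue)["basicConstraints"]["cA"],
        # Had the CA signed over SHA-256, these two bodies would not collide.
        "collision_survives_sha256": strong_digest(legit) == strong_digest(rogue),
    }


if __name__ == "__main__":
    print(run_attack())
```

Once the rogue body carries a valid CA signature, its holder can issue certificates for any hostname, and every browser that trusts the issuing root will accept them; that is the "practically undetectable phishing" the disclosure refers to. The last field in the result is the practical lesson: the same pair of bodies does not collide under SHA-256, so the weakness is entirely in the CA's choice of digest, not in SSL as a protocol.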

Here's why I think these types of analyses are falsely calming to the user populace...
  1. They create a false sense of security... people are lulled into believing that "it's not that big of a deal" and can't actually be done, and they go back to being careless
  2. I can't think of a single way that any of today's automated anti-phishing checkers would not be fooled by a well-executed version of this attack... a certificate issued by the rogue CA chains to a trusted root, so the hostname, the padlock and the certificate itself all check out
  3. This attack is the final piece of the puzzle to completely blow away our trust in the existing Internet underpinnings (hint: XSS + DNS flaw + SSL hack = complete disaster)
So now I'll get to the final point here, and that is this: we're very, very screwed.

As you know, the Dan Kaminsky DNS flaw was ugly and shook the very foundations of our belief and trust in the Internet. Couple that with a Cross-Site Scripting (XSS) attack or an open redirect, add the SSL hack as the cherry on top, and you have an attack in which you can completely fool both the user and any automated systems in place today: poisoned DNS sends the victim to the attacker's server, and a certificate from the rogue CA makes that server indistinguishable from the real one. This announcement should herald the doom and gloom we've all been trying to counter for years - the Internet is fundamentally broken.

As I've said before, and will likely repeat again - the underpinnings of the Internet are fundamentally broken...
  • SSL is at best a time-limited mitigation against attack (it only protects you as long as the cryptographic primitives it relies on withstand current processing power) - and the weak link this time is not the session cipher but the MD5 hash that CAs were still using to sign certificates, which is now proven breakable
  • There is no "step-up" function within the browser SSL framework that I can locate. Most browsers can "step down" to support a weaker encryption algorithm, but servers and browsers alike have no method to "step up" encryption strength
  • DNS is an old, outdated protocol on which every communication on the Internet hinges... including SSL! With something so basic being so broken, how can you trust your browser?
  • Improper handling of client-side input (leading to XSS, SQLi, etc.) is amplifying the attack strength of these issues with SSL and DNS...
So there you have it... but think bigger than phishing: think auto-update, and every other DNS-based, SSL-based system.
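The one check a practitioner can actually run today is to find out whether a certificate chain still depends on MD5 signatures at all. The following is an added example, not code from the post: it reads the signatureAlgorithm OID straight out of each DER certificate (Certificate is a SEQUENCE of tbsCertificate, signatureAlgorithm and signatureValue, and signatureAlgorithm starts with an OBJECT IDENTIFIER) and flags md2/md4/md5WithRSAEncryption. The sample chain is constructed inline with placeholder bodies and signatures; only the signatureAlgorithm fields are meaningful, and the helper names are my own.

```python
"""Flag certificates signed with an MD-family digest by decoding the
signatureAlgorithm OID from DER.  Added example; the sample chain below is
constructed with dummy tbsCertificate bodies and dummy signature values."""

MD2_WITH_RSA = "1.2.840.113549.1.1.2"
MD4_WITH_RSA = "1.2.840.113549.1.1.3"
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
WEAK_SIGNATURE_OIDS = {
    MD2_WITH_RSA: "md2WithRSAEncryption",
    MD4_WITH_RSA: "md4WithRSAEncryption",
    MD5_WITH_RSA: "md5WithRSAEncryption",
}


def read_tlv(buf: bytes, off: int):
    """Decode one DER tag-length-value at buf[off]; return (tag, value, next_off)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def decode_oid(raw: bytes) -> str:
    """OBJECT IDENTIFIER contents -> dotted form (first byte packs two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the algorithm the issuer used to sign this certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)          # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, off = read_tlv(cert, 0)             # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, off)           # signatureAlgorithm
    oid_tag, oid, _ = read_tlv(alg_id, 0)        # AlgorithmIdentifier.algorithm
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def audit_chain(chain):
    """Per certificate: (index, signature OID, weak algorithm name or None)."""
    report = []
    for i, cert in enumerate(chain):
        oid = signature_algorithm(cert)
        report.append((i, oid, WEAK_SIGNATURE_OIDS.get(oid)))
    return report


def chain_relies_on_md5(chain) -> bool:
    return any(weak for _, _, weak in audit_chain(chain))


# --- helpers used only to construct the sample chain -------------------------
def der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder with definite lengths (short and long form)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_cert(sig_oid: str) -> bytes:
    """Constructed placeholder certificate: real shape, dummy body and signature."""
    tbs = der(0x30, der(0x02, b"\x01") + der(0x04, b"\x00" * 200))  # long-form length
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" * 17)
    return der(0x30, tbs + alg + sig)


# constructed chain: leaf signed with MD5, intermediate with SHA-1, root with SHA-256
SAMPLE_CHAIN = [sample_cert(MD5_WITH_RSA), sample_cert(SHA1_WITH_RSA), sample_cert(SHA256_WITH_RSA)]

if __name__ == "__main__":
    for entry in audit_chain(SAMPLE_CHAIN):
        print(entry)
```

On a real chain, feed it the DER blobs from the TLS handshake (for example the output of openssl s_client, converted with openssl x509 -outform DER). One refinement a real check would add: the self-signature on a trust-anchor root is irrelevant, since roots are trusted by identity rather than by their signature, so only the certificates below the root matter.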

Worried yet?
Others also said the threat won't impact many online users.
I would like to meet these "others"... and ask them what they are thinking, exactly.

leif.thande said...

Not that I want to underestimate this flaw, but to me the Internet was broken from the very beginning. SMTP and ARP are a joke from a security standpoint, and even TCP has its problems (Path-MTU attacks, for instance).

The fact is that the Internet protocols were written at a time when security wasn't even considered because the network was small. It's been a patchwork for the last 15 years, trying to add layers to secure the most prominent flaws while keeping it as backward-compatible as possible.

Still, one of the best security precepts is that SECURITY ISN'T A FEATURE; it's not some magical powder that you can add at the end that shields your system, it must be considered from the very beginning. The best thing to do would be to rewrite those protocols from scratch, but it's unthinkable from an economic standpoint, just look at what is happening with IPv6. So as computing power increases, we'll continue to see new kinds of attacks in the coming years. Guess we'll have to live with it.

Anonymous said...

There are some solutions to these problems. See for a good example.