[Trimmed cc: to just the appropriate public mailing list.]

On Oct 11, 2005, at 7:25 AM, Ian G wrote:
FreeBSD Security Advisories wrote:


Applications which do not support SSLv2, have been configured to not
permit the use of SSLv2, or do not use the SSL_OP_MSIE_SSLV2_RSA_PADDING
or SSL_OP_ALL options are not affected.
IV.  Workaround
No workaround is available.


Isn't the workaround obviously to switch off V2?

Yes.  Sorry that wasn't mentioned.

SSL v2 should be disabled anyway.  In the browser
world we have been actively moving to a position
of not delivering SSL v2 as enabled by default,
and we've been telling people to switch off SSL
v2 for some time in order to flush out any issues.
(none reported that I know of.)

We *desperately* need this done so that servers
can be switched off SSL v2 so they can deliver
the SSL v3 hello so that we can start to use
virtual hosts.  The ability to use more SSL
more frequently feeds into tools that defend
against phishing because they rely on the use
of certificates to cache identity;  so this is
actually a highly desirable thing in security
terms.

In the phishing world - where users are being
exposed to losses in the billion dollar range
or so - we are crying out for the removal of v2.
Can this be done?

I agree. The SSLv3 specification was published in 1995 and quickly adopted. Support for SSLv3 seemed pretty much ubiquitous by 1999. SSLv2 has several well-known cryptographic weaknesses with real impact and should not be used. Summarizing [Rescorla 2000]:

* An attacker may interfere with the SSLv2 protocol negotiation in order to force the selection of a weak suite of cryptographic algorithms. (This is the most severe problem for most installations, IMHO)

* An attacker may inject a TCP FIN packet into an active SSLv2 session, causing data transfer to terminate. This termination will not be detected by the client or server.

* The only message authentication code (MAC) algorithm available for SSLv2 is MD5. There have been several developments that have caused some cryptographers to become concerned about the security of MD5.

* SSLv2 uses the same key for encryption and message authentication, so that any successful cryptographic attack is a total break.

* A design flaw in SSLv2 client authentication may allow an attacker to hijack a client's credentials.

I've been concerned enough to disable SSLv2 in most of my own installations. But now that it is clear that there are downgrade-to-SSLv2 attacks in some versions of OpenSSL (and probably some other SSL/TLS implementations), I'm even more concerned.

Cheers,
--
Jacques Vidrine <[EMAIL PROTECTED]>

[Rescorla 2000] Rescorla, Eric. _SSL and TLS: Designing and Building Secure Systems_. Addison-Wesley, 2000.
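As a defender-side check added here (not part of the thread or of OpenSSL), the following Python parser decodes an SSLv2 CLIENT-HELLO record so that captured traffic still offering SSLv2, or the export-grade cipher kinds that the negotiation-downgrade weakness listed above would steer a session toward, can be flagged. The cipher-kind codes are those of the SSLv2 specification; the sample hellos and the helper that builds them are constructed for the demonstration.

```python
import struct

SSLV2_VERSION = 0x0002

# SSLv2 cipher-kind codes from the SSLv2 specification (draft-hickman-netscape-ssl-00).
# Every SSLv2 kind uses MD5 as its MAC, one of the weaknesses listed in the thread.
SSLV2_CIPHER_KINDS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# 40-bit export and single-DES kinds: what a forced weak-suite negotiation ends up with.
WEAK_KINDS = {0x020080, 0x040080, 0x060040}

def parse_sslv2_client_hello(data: bytes) -> dict:
    """Parse a 2-byte-header SSLv2 record carrying a CLIENT-HELLO (msg type 1).

    Returns a dict describing what the client offered; raises ValueError if the
    bytes are not a complete SSLv2 CLIENT-HELLO (a TLS record starts 0x16 0x03 ...).
    """
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a CLIENT-HELLO")
    version, cs_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
    if 9 + cs_len + sid_len + chal_len != rec_len or cs_len % 3:
        raise ValueError("inconsistent CLIENT-HELLO lengths")
    specs = body[9:9 + cs_len]
    kinds = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    # A v2-format hello may advertise SSLv3/TLS (version >= 0x0300) and carry SSLv3
    # suites encoded as 0x00,hi,lo; genuine SSLv2 kinds have a non-zero first byte.
    v2_kinds = [k for k in kinds if k >> 16]
    return {
        "advertised_version": version,
        "sslv2_only": version == SSLV2_VERSION,
        "cipher_kinds": [SSLV2_CIPHER_KINDS.get(k, f"unknown 0x{k:06x}") for k in kinds],
        "offers_sslv2_suites": bool(v2_kinds),
        "offers_weak_sslv2_suites": any(k in WEAK_KINDS for k in v2_kinds),
        "challenge_len": chal_len,
    }

def build_sslv2_client_hello(version: int, kinds: list, challenge: bytes) -> bytes:
    """Constructed helper for sample input: encode a CLIENT-HELLO in a 2-byte-header record."""
    specs = b"".join(k.to_bytes(3, "big") for k in kinds)
    body = bytes([0x01]) + struct.pack(">HHHH", version, len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body
```

A client whose hello parses with `sslv2_only` set, or with `offers_weak_sslv2_suites` set, is still exposed to the negotiation and downgrade problems the thread describes and should be reconfigured rather than accommodated.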



_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"