RE: Is Openssl vulnerable to Null-Prefix Attacks?
From: owner-openssl-us...@openssl.org On Behalf Of Serge Fonville Sent: Wednesday, 12 August, 2009 04:01 Recently there has been some discussion on the Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack?. The attack is not an attack against SSL/TLS, but against implementation of HTTPS (RFC 2818) , FTPS(RFC 4217) , ... Callers of the openssl library which were wrong can/were fixed without any change in openssl From what I understand, this does not impact any applications other than webbrowsers, since IIRC they are the only ones that having a 'host header' which is part of the request and can be used to detect a proper website by the browser. I believe other services using SSL/TLS do not have those. So an incorrect CN wouldn''t really make any difference. Also, HTTP may be the only protocol that explicitly sends the servername in the request (officially only in 1.1), but it is certainly not the only protocol where a client knows which server they want to connect to and wishes to verify they got the/a correct one, by checking the server cert -- and usually, though not always, specifically checking domainname/wildcard in the server cert. since part of the authenticity check where the null-prefix issue is relevant is only performed clientside. Also this should only impact servercertificates, since clientcertificates would be handled by the server, and with these the requested host is irrelevant since the ssl happens at a different layer. I don't know what you mean by different layer. It is relatively rare to use SSL/TLS client authentication = (keypair+) cert, but when it is used it is at the same layer, and is checked by the server in the same way, and if the server does need to verify its client(s) is subject to the same possible bug/attack. It is true that many Internet applications that need the server to authenticate the client do so at the application layer (e.g. logon/password/dog's-name/etc.) and not the transport layer. Those would not be (directly) affected. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Is Openssl vulnerable to Null-Prefix Attacks?
Recently there has been some discussion on the Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack?. The attack is not an attack against SSL/TLS, but against implementation of HTTPS (RFC 2818) , FTPS(RFC 4217) , ... Callers of the openssl library which were wrong can/were fixed without any change in openssl From what I understand, this does not impact any applications other than webbrowsers, since IIRC they are the only ones that having a 'host header' which is part of the request and can be used to detect a proper website by the browser. I believe other services using SSL/TLS do not have those. So an incorrect CN wouldn''t really make any difference. Also, since part of the authenticity check where the null-prefix issue is relevant is only performed clientside. Also this should only impact servercertificates, since clientcertificates would be handled by the server, and with these the requested host is irrelevant since the ssl happens at a different layer. Probably there are some discrepancies in what I said, so please add any comments you can come up with! HTH Regards, Serge Fonville __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Is Openssl vulnerable to Null-Prefix Attacks?
Recently there has been some discussion on the Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack? /Roger _ Med Windows Live kan du ordna, redigera och dela med dig av dina foton. http://www.microsoft.com/sverige/windows/windowslive/products/photo-gallery-edit.aspx
Re: Is Openssl vulnerable to Null-Prefix Attacks?
Hi, I read the PDF and my first question would be. How is this relevant to openssl, since it is normally only used for creating and signing certificates It is more up to a brower to do the proper checking; That's why the PDF states While many SSL/TLS implemntations fall victim to this, Mozila's NSS is the worst. If anyone disagrees, please explain why! HTH Regards, Serge Fonville On Tue, Aug 11, 2009 at 9:35 AM, Roger No-Spamroger_no_s...@hotmail.com wrote: Recently there has been some discussion on th Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack? /Roger kolla in resten av Windows LiveT. Inte bara e-post - Windows LiveT är mycket mer än din inkorg. Mer än bara meddelanden __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Is Openssl vulnerable to Null-Prefix Attacks?
Recently there has been some discussion on th Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack? I read the PDF and my first question would be. How is this relevant to openssl, since it is normally only used for creating and signing certificates It is more up to a brower to do the proper checking; That's why the PDF states While many SSL/TLS implemntations fall victim to this, Mozila's NSS is the worst. Have you read this? http://it.slashdot.org/comments.pl?threshold=-1mode=flatcommentsort=0op=Changesid=1325051 HTH __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Is Openssl vulnerable to Null-Prefix Attacks?
When I read through the null prefix attack paper I took it to mean that browser and certificate vendors were not doing an adequate job of verifying domain names. There's nothing inherently wrong with using counted strings (actually that is a step in the right direction IMHO). The problem is that browsers are assuming that a Pascal string is equivalent to a null-terminated string. --Will -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Serge Fonville Sent: Tuesday, August 11, 2009 10:51 AM To: openssl-users@openssl.org Subject: Re: Is Openssl vulnerable to Null-Prefix Attacks? Hi, I read the PDF and my first question would be. How is this relevant to openssl, since it is normally only used for creating and signing certificates It is more up to a brower to do the proper checking; That's why the PDF states While many SSL/TLS implemntations fall victim to this, Mozila's NSS is the worst. If anyone disagrees, please explain why! HTH Regards, Serge Fonville On Tue, Aug 11, 2009 at 9:35 AM, Roger No-Spamroger_no_s...@hotmail.com wrote: Recently there has been some discussion on th Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack? /Roger kolla in resten av Windows LiveT. Inte bara e-post - Windows LiveT är mycket mer än din inkorg. Mer än bara meddelanden __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Is Openssl vulnerable to Null-Prefix Attacks?
Roger No-Spam wrote: Recently there has been some discussion on the Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack?. The attack is not an attack against SSL/TLS, but against implementation of HTTPS (RFC 2818) , FTPS(RFC 4217) , ... Callers of the openssl library which were wrong can/were fixed without any change in openssl OTOH, openssl doesn't make life very easy for clients to compare a hostname against the content of a cert according to 2818. But there is a bug, try 'openssl x509 -text' with -BEGIN CERTIFICATE- MIIDQzCCAiugAwIBAgIGC106rLQUMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYT Ak5OMTEwLwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNo IENsb3VkMSUwIwYDVQQDDBxOb3RoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yMB4X DTA5MDgwNTIwMzM1MloXDTE3MTAyMjIwMzM1MlowVDELMAkGA1UEBhMCTk4xMTAv BgNVBAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQx EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA rMkv3/hSj5nIM9FZJ0ou0nAL9RBAjKosq9DS7R9GKG0zR++hqrUjtIB304IYhbA2 wAajC6qMO2F+G9Sxvn3dlRCSVlmi/dbvwpJnBYmsXw0a0jlO5WlkNX6Gmo82BKJW utIWaB1X9iQmWDTBulhPqbYawEt8ofsZVlxMPUTS+x0CAwEAAaOBizCBiDAWBgNV HREEDzANggtsb2NhbGhvc3QAaDALBgNVHQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYB BQUHAwEwHQYDVR0OBBYEFDEAb4+NfTuIPD3/9tQHpeTMetx+MB8GA1UdIwQYMBaA FBJrJNJKaLehsBzNv9ZMzEBbf+BAMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEL BQADggEBAA3mVsQEaDLJKiJfDcLQONqVt9EPRGaRCm6RXIGHZ3mGlK3K99YSEeFc VIFuonJmr1agiXpNZuYjVqUNgXG86NPgvZtpWYLCUL4uvZ+QLLRSGeW+BGYY8U35 NE0hI4EsE9VN2FkIGm+xJ0C4VQ8dU3qu3vzgoJQxY2pwl+phzlEQiOaZ9SlNlIJ0 MFycxnAyoqgXMiNKTN0I7IfSGYoZKqSjmOhJpHGqqbZ2dvD9BiWyiROdYam3CqJg hHkVV5JifBsVATXUWPvgcS2N/Ec3hZ95ttwprut9xut7PD1IPE7twJgTEBY833d0 E4n20bhWVhXyil+F42/IqmRveucu6tc= -END CERTIFICATE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org