
Re: TLS Man-In-The-Middle Vulnerability



     On Sun, 22 Nov 2009 23:47:36 +0100 Erwin Lam <erwinlam@xxxxxx> wrote:
>On Thursday 12 November 2009 03:15:20 Nick Mathewson wrote:
>> On Wed, Nov 11, 2009 at 12:59:21PM -0500, Andrew S. Lists wrote:
>> > On 11/05/09 15:52, Nick Mathewson wrote:
>> > > On Thu, Nov 05, 2009 at 02:10:00PM -0500, Marcus Griep wrote:
>> > >> Don't know if anyone else has seen or taken a look at this. I
>> > >> don't know if this affects Tor, though I believe that we do use
>> > >> certificate renegotiation in the protocol, and that is the entry
>> > >> vector for this particular vulnerability:
>> > >
>> > > FWIW, this doesn't affect Tor.  The problem here is not
>> > > renegotiation per se; the problem is doing renegotiation, then
>> > > acting as though data sent _before_ the renegotiation were
>> > > authenticated with the renegotiated credentials.
>> > >
>> > > The Tor protocol isn't vulnerable here because 1) it doesn't
>> > > allow data to be sent before the renegotiation step, and 2) it
>> > > doesn't treat a renegotiation as authenticating previously
>> > > exchanged data (because there isn't any).
>> >
>> > The vulnerability itself might not affect Tor, but the OpenSSL
>> > workaround for this vulnerability of disabling renegotiation by
>> > default in 0.9.8l [1] might not play nice with a Tor
>> > implementation.
>>
>> Indeed it will not.  We have a fix in svn to make the 0.2.1.x and
>> 0.2.2.x-alpha series both work correctly with OpenSSL 0.9.8l.  With
>> any luck, we should get releases out before too long.
>
>Hi Nick,
>
>Would you mind releasing that updated version a.s.a.p.? Tor doesn't work
>here at all anymore.
>
     You must be just a tad behind in your reading.  The announcement has
already been posted.  Just go to the tor download page, and get it.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
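
The distinction drawn in the quoted explanation above, as an added toy model (not part of the original thread, and not Tor or OpenSSL code): one server labels data received before a renegotiation with the renegotiated identity, the other enforces the two properties the thread attributes to the Tor protocol. All class, function and event names are hypothetical, and the traffic is constructed.

```python
# Toy model, constructed for illustration: not real TLS, not Tor or OpenSSL code.
# A connection is a list of events: ("data", bytes) or ("reneg", identity).
from typing import Optional

class PolicyViolation(Exception):
    """Raised when an event order would let old data inherit new credentials."""

class NaiveServer:
    """Labels everything received with whoever authenticated last (the bug)."""
    def __init__(self) -> None:
        self.identity: Optional[str] = None
        self.buffer = b""

    def feed(self, kind: str, value) -> None:
        if kind == "reneg":
            self.identity = value      # earlier bytes silently change owner
        else:
            self.buffer += value

class StrictServer(NaiveServer):
    """Enforces the two properties named in the thread."""
    def feed(self, kind: str, value) -> None:
        if kind == "data" and self.identity is None:
            raise PolicyViolation("data before the renegotiation step")
        if kind == "reneg" and self.buffer:
            raise PolicyViolation("renegotiation would re-label earlier data")
        super().feed(kind, value)

def run(server, events):
    """Feed all events and return (identity, bytes attributed to it)."""
    for kind, value in events:
        server.feed(kind, value)
    return server.identity, server.buffer

# Constructed sample traffic.
SPLICED = [("data", b"unauthenticated-prefix\n"), ("reneg", "alice"),
           ("data", b"alice-request\n")]
NORMAL = [("reneg", "alice"), ("data", b"alice-request\n")]

def strict_rejects(events) -> bool:
    try:
        run(StrictServer(), events)
    except PolicyViolation:
        return True
    return False

if __name__ == "__main__":
    print(run(NaiveServer(), SPLICED))
    print(strict_rejects(SPLICED), run(StrictServer(), NORMAL))
```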