Do you use TLS or client certificates for authentication? Beware of new MITM vulnerability - IT Trenches
Home > IT Blogs > IT Trenches > Do you use TLS or client certificates for authentication? Beware of new MITM vulnerability
>>VIEW ALL POSTS  

IT Trenches

« Stuck on a blacklist? Sue the big guys! Cisco, Microsoft, Comcast, TRUSTe
Free online IT education resource »
Nov 5 2009   4:50PM GMT

Do you use TLS or client certificates for authentication? Beware of new MITM vulnerability



Posted by: Troy Tate
tls, SSL, certificates, web services, authentication, IIS, apache, vulnerability, information security, risk, risk management

As Michael Morisy of ITKE recently posted, New SSL security hole allows man-in-the-middle attacks, a new SSL vulnerability has been announced. What you need to know about this vulnerability is that it most affects TLS (transport layer security) sessions using client authentication certificates. This is a vulnerability at the protocol level which makes it very difficult to fix where a recent previous SSL vulnerability had to do with certificate formats and content.

For specific details from the original researchers, visit the ExtendedSubset.com website. The summary of the announcement is shown below:

 Renegotiating_TLS.pdf

Some helpful protocol diagrams: Renegotiating_TLS_pd.pdf

Packet captures: renegotiating_tls_20091104_pub.zip

This one is definitely going to be interesting to watch. The excitement never ends in the security world. Leave a comment and let other ITKE readers know if you foresee any issues on this vulnerability or if you have taken any specific actions to address the risk. Thanks for reading and let’s continue to be good network citizens.

AddThis Social Bookmark Button     Comment     RSS Feed     Email a friend

Comment on this Post


You must be logged-in to post a comment. Log-in/Register

Michael Morisy  |   Nov 6 2009   6:21PM GMT

Thanks for the extra information Troy! Very useful resources on this security hole.