As we all know SSL is a bit flawed .. we are all aware of tools such as Cain and Abel / SSL inspection engines... what I want to know is ... are we fooling the general public with this SSL protocol with the general claim it's a secure protocol for banking etc ... I'm aware in the UK that the banks have changed their TOR indicating that if SSL proxying technology is identified to reside in the data path then it is up to the individual to prove any fraud was not perpetrated by themselves.. this seems a bit harsh ... and a bit impossible .. does anyone have any thoughts on SSL ... i.e. due to this proxying capability, (( suppressing or creating cert alarms and creating clear text bubble mid transit )) should it be considered a redundant protocol for security purposes... ?? I'm confused ...
-
-
What's flawed about SSL?
-
DylanJ wrote: As we all know SSL is a bit flawed .. we are all aware of tools such as Cain and Abel / SSL inspection engines... what I want to know is ... are we fooling the general public with this SSL protocol with the general claim it's a secure protocol for banking etc ... I'm aware in the UK that the banks have changed their TOR indicating that if SSL proxying technology is identified to reside in the data path then it is up to the individual to prove any fraud was not perpetrated by themselves.. this seems a bit harsh ... and a bit impossible .. does anyone have any thoughts on SSL ... i.e. due to this proxying capability, (( suppressing or creating cert alarms and creating clear text bubble mid transit )) should it be considered a redundant protocol for security purposes... ?? I'm confused ...

How is it not a secure protocol?
When has it ever been cracked or broken?
What the hell are you talking about?
What does Cain have to do with cracking a SSL session?
It can't man-in-the-middle crack an SSL session, and if your console is compromised, well then...
-
Agreed. I've never heard of SSLv3 or TLSv1 being compromised. I guess it would be technically possible if you intentionally used a weak cipher, but has this actually happened with "real world" use? I'd love some links to read.
-
Cain/Abel does not "crack" SSL; it doesn't use man-in-the-middle decryption. It compromises one end of the protocol, which must be able to decode the SSL because it has the private keys!
For what Cain/Abel is and does:
http://www.issa-balt.org/Documents/Presentations/2006-09_Cain_and_Abel.pdf
Have a couple of quotes:
Author wrote:
APR-HTTPS enables the capture and the decryption of
HTTPS traffic between hosts. It works in conjunction with
Cain's Certificate Collector to inject fake certificates into
SSL sessions, previously hijacked by mean of APR. Using
this trick it is possible to decrypt encrypted data before it
arrives to the real destination performing a what so called
Man-in-the-Middle attack.
Be warned that clients will notice this kind of attack
because the server's certificate file injected into the SSL
session is a fake one and although it is very similar to the
real one it is not signed by a trusted certification authority.
When the victim client starts a new HTTPS session, his
browser shows a pop-up dialog warning about the problem
-
phreaks wrote:

DylanJ wrote:
As we all know SSL is a bit flawed .. we are all aware of tools such as Cain and Abel / SSL inspection engines... what I want to know is ... are we fooling the general public with this SSL protocol with the general claim it's a secure protocol for banking etc ... I'm aware in the UK that the banks have changed their TOR indicating that if SSL proxying technology is identified to reside in the data path then it is up to the individual to prove any fraud was not perpetrated by themselves.. this seems a bit harsh ... and a bit impossible .. does anyone have any thoughts on SSL ... i.e. due to this proxying capability, (( suppressing or creating cert alarms and creating clear text bubble mid transit )) should it be considered a redundant protocol for security purposes... ?? I'm confused ...
How is it not a secure protocol?
When has it ever been cracked or broken?
What the hell are you talking about?
What does Cain have to do with cracking a SSL session?
It can't man-in-the-middle crack an SSL session, and if your console is compromised, well then...
Well the fact that we've seen at least 6 versions (SSL 1, 2, 3; TLS 1.0, 1.1, 1.2) tells a lot. Also I've heard that only more recent incarnations use stronger cryptographic algorithms (AES).
-
RoyalSchrubber wrote:

phreaks wrote:

DylanJ wrote:
As we all know SSL is a bit flawed .. we are all aware of tools such as Cain and Abel / SSL inspection engines... what I want to know is ... are we fooling the general public with this SSL protocol with the general claim it's a secure protocol for banking etc ... I'm aware in the UK that the banks have changed their TOR indicating that if SSL proxying technology is identified to reside in the data path then it is up to the individual to prove any fraud was not perpetrated by themselves.. this seems a bit harsh ... and a bit impossible .. does anyone have any thoughts on SSL ... i.e. due to this proxying capability, (( suppressing or creating cert alarms and creating clear text bubble mid transit )) should it be considered a redundant protocol for security purposes... ?? I'm confused ...
How is it not a secure protocol?
When has it ever been cracked or broken?
What the hell are you talking about?
What does Cain have to do with cracking a SSL session?
It can't man-in-the-middle crack an SSL session, and if your console is compromised, well then...
Well the fact that we've seen at least 6 versions (SSL 1, 2, 3; TLS 1.0, 1.1, 1.2) tells a lot. Also I've heard that only more recent incarnations use stronger cryptographic algorithms (AES).
It's still never been cracked. Despite there being literally thousands of people trying everyday to break it.
-
RoyalSchrubber wrote:

phreaks wrote:

DylanJ wrote:
As we all know SSL is a bit flawed .. we are all aware of tools such as Cain and Abel / SSL inspection engines... what I want to know is ... are we fooling the general public with this SSL protocol with the general claim it's a secure protocol for banking etc ... I'm aware in the UK that the banks have changed their TOR indicating that if SSL proxying technology is identified to reside in the data path then it is up to the individual to prove any fraud was not perpetrated by themselves.. this seems a bit harsh ... and a bit impossible .. does anyone have any thoughts on SSL ... i.e. due to this proxying capability, (( suppressing or creating cert alarms and creating clear text bubble mid transit )) should it be considered a redundant protocol for security purposes... ?? I'm confused ...
How is it not a secure protocol?
When has it ever been cracked or broken?
What the hell are you talking about?
What does Cain have to do with cracking a SSL session?
It can't man-in-the-middle crack an SSL session, and if your console is compromised, well then...
Well the fact that we've seen at least 6 versions (SSL 1, 2, 3; TLS 1.0, 1.1, 1.2) tells a lot. Also I've heard that only more recent incarnations use stronger cryptographic algorithms (AES).
There's been at least three versions of HTTP, and at least five or six different versions of HTML. That doesn't mean they're not secure, merely that the new version can do things better (like adding new algorithms, reducing overheads and bandwidth costs and adding support for proxy networks).
-
RoyalSchrubber wrote:
Well the fact that we've seen at least 6 versions (SSL 1, 2, 3; TLS 1.0, 1.1, 1.2) tells a lot. Also I've heard that only more recent incarnations use stronger cryptographic algorithms (AES).
While I'm sure older versions did have weaknesses, it sounds like you're making a mountain out of a mole hill. SSL 1.0 was developed by Netscape, but never released. The first public version, SSL 2.0, was released in 1994, which was found to have substantial security flaws. In response, SSL 3.0 was developed and released in 1996 (over a decade ago). The IETF used this as the basis for TLS 1.0, which is similar but not compatible. TLS 1.1 and 1.2 (the latter of which, AFAIK, hasn't yet been ratified) are both relatively minor updates, though there are some security enhancements.
In short, one major update (2.0 to 3.0) in 13 years of availability. That doesn't strike me as a broken technology.
Links
http://en.wikipedia.org/wiki/Transport_Layer_Security...
http://tools.ietf.org/html/rfc4346#page-5
http://www.ietf.org/internet-drafts/draft-ietf-tls-rfc4346-bis-04.txt
-
SSL is secure, depending on what level of cryptographic strength is enforced. Higher bit strengths are used and better algorithms make it pretty much impossible to achieve either a MITM attack or anything like that. SSL did have its problems, but those have been worked out a long time ago. They were edge cases anyhow, I think.
-
It sucks that .NET's SslStream doesn't support AES.
-
Hey
What I'm getting at is that the general public are unaware of the fact that
1) Their data can be sniffed from their SSL session via technologies such as Blue Coat / Cain .. Cain copies the server cert and presents a copy back to the user, the user (dependent on their config/intelligence) will get an SSL warning that the site's cert is dodgy .. Note: Bluecoat can suppress this message. Users are so used to clicking yes, they may even have clicked always, that they are unaware that they have just been snooped ..
2) I know that the ciphers haven't been cracked ... that wasn't my point .. my point is more from a general user perspective
3) Due to this "proxying" a user cannot be sure that somewhere down the data path someone is eavesdropping their data.
4) The assumption that all users will understand
   1) The relevance of certificates and what they are
   2) The consequences of clicking yes / or always for the SSL warnings
Is a bit of a liberty in my opinion .. Yes to a savvy user SSL provides end to end security .. however as stated above to those non technical it may prove very costly ..
SECURITY ON THE INTERNET SHOULD PROTECT ALL .. NOT JUST THE TECH HEADS !!!!
Dylan
-
DylanJ wrote:
1) Their data can be sniffed from their SSL session via technologies such as Blue Coat / Cain .. Cain copies the server cert and presents a copy back to the user, the user (dependent on their config/intelligence) will get an SSL warning that the site's cert is dodgy .. Note: Bluecoat can suppress this message. Users are so used to clicking yes, they may even have clicked always, that they are unaware that they have just been snooped ..
Internet Explorer 7 will block navigation to the page if the certificate is invalid. I believe Firefox does something similar as well.
You're absolutely right that technology like SSL on its own is not enough. The endpoint application needs to protect the user from making mistakes by providing clear, consistent advice and by always opting to take a secure path by default and not just relying on dialog boxes full of meaningless text with a yes/no option.
-
For those interested ..
http://www.bluecoat.com/downloads/whitepapers/BCS_SSL_wp.pdf
Dylan
-
A little note for those of you who obviously can't read .... the word cracked was not used in my original post .. maybe you should go back and re-read
-
DylanJ wrote:
It rather involved being on the other side of this airtight hatchway....
Putting an SSL proxy like bluecoat in place requires you to already be in control of the client machines, at which point there are numerous easier ways of subverting security than trying to directly intercept SSL traffic.
-
AndyC wrote:

DylanJ wrote:
http://www.bluecoat.com/downloads/whitepapers/BCS_SSL_wp.pdf
It rather involved being on the other side of this airtight hatchway....
Putting an SSL proxy like bluecoat in place requires you to already be in control of the client machines, at which point there are numerous easier ways of subverting security than trying to directly intercept SSL traffic.
Heck even fiddler2 works as an SSL proxy. Errr, and ISA.
-
How can I present this .. erm .
The dialog that appears saying yes no always, as regards the acceptance of the suspicious SSL cert is, I guess, the security boundary .. once the user accepts they pass that boundary and are possibly compromised. What I'm saying is that it is this fact that is the problem ... users shouldn't be bothered with this sort of thing .. they are not, in general, experienced enough ..
dj
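
Editor's added example (not code from any poster in this thread): the thread's two cases from the client side, written as a Python client that has no "yes / always" override. A copied certificate that no trusted CA signed fails the handshake outright, and a proxy whose CA has been installed on the machine passes chain validation but fails the fingerprint pin. The function names, the pin value and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def hardened_context():
    """Client context that fails closed: chain and hostname verified, TLS >= 1.2."""
    ctx = ssl.create_default_context()   # sets CERT_REQUIRED and check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """List the settings that are the code equivalent of clicking 'yes'."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings

def pin_matches(der_cert, pinned_sha256_hex):
    """Compare the SHA-256 of the presented leaf certificate with a stored pin."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower())

def connect_checked(host, pinned_sha256_hex, port=443, timeout=5):
    """Handshake with no override path.

    An untrusted (injected) certificate raises ssl.SSLCertVerificationError
    inside wrap_socket; a chain that validates through a locally installed
    proxy CA is caught by the pin comparison instead.
    """
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned_sha256_hex):
                raise ssl.SSLError("leaf certificate differs from pin: "
                                   "possible inspection proxy in path")
            return tls.version()

# Constructed sample bytes standing in for two DER certificates (not real certs).
REAL_CERT = b"constructed-der-of-the-bank-certificate"
PROXY_CERT = b"constructed-der-of-a-proxy-issued-copy"
PIN = hashlib.sha256(REAL_CERT).hexdigest()
```

A leaf-certificate pin has to be updated whenever the server's certificate is renewed, so a client that pins needs a way to ship the new value.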