Security Street Knowledge
  • SSL Beast – SSL Assessments and How to Fix
  • By: QJax

    Why are most SSL Implementations Vulnerable?

    It has been a year since the SSL BEAST attack was announced, and reports continue to surface of websites still set up with weak SSL cipher suites.  Posted here are a few ideas on how you should secure your websites by implementing strong cipher suites and disabling weaker suites.  The following video (http://www.youtube.com/watch?v=BTqAIDVUvrU) demonstrates how BEAST exploits a weakness in SSL to decrypt secret cookies.

     

    What conditions must be met for exploitation?

    • TLS 1.1 and 1.2 are not vulnerable
    • The client will choose the preferred cipher suite, so even with a TLS 1.1 capable browser and server, an attacker can trigger a downgrade to SSL 3.0 and bypass the protections of TLS 1.1. Windows XP by default will negotiate to SSLv3 with RC4-128
    • Some countries may object to the use of 256-bit encryption, but such a change could increase the time required for decryption, and so for exploitation.
    • TLS 1.1 cannot be used, since it is not supported by all browsers (e.g. Firefox or IE 7.0)
    • Cipher suites that do not use CBC mode (cipher-block-chaining) are not affected (per Microsoft)

     

    What is the Impact of a successful exploit?

    A successful exploitation of the vulnerability can be used to intercept data within the SSL session. For example, an attacker can steal client cookies and then leverage a cookie to assume the identity of a current HTTPS session that would otherwise be protected from eavesdropping.

     

    Recommendations:

    March 2nd 2014 – The advice contained in this page is outdated and dangerous. All browsers now support and enable TLS 1.1 and 1.2 by default. Forcing RC4 compromises security due to known attacks on the cipher. The only appropriate action is to enable TLS 1.1 and 1.2 on your servers, and disable RC4, MD5 and DE – from

    • The focus of security should be both on server-side supported ciphers and client-side ability to choose a non-vulnerable cipher suite. (see below)
    • Disable SSLv2 (every place we find it supported due to older well-known weaknesses)
    • Set SSL servers to force an offer of higher encryption schemes
    • No consideration to enable TLS 1.1 (not supported by all browsers)
    • Other SSL Configuration Recommendations:
      • Use cipher strengths 128-bit and higher
      • Use RC4 encryption above 128-bit
      • Avoid AES with use of CBC
      • Disable use of Diffie-Hellman key exchange (addresses older vulnerability)
      • Disable use of MD5 for integrity checking (predictable hash flaws discovered)

     

    Overall Risk & Assessment Options:

    The easiest fix would be for web sites and browsers to stop using TLS v1.0, but that may not be practical. The only other choice we have is to start disabling those ciphers that utilize CBC, but that may not work either, as there are precious few cipher suites available that do not use CBC. Using stream ciphers will address the issue, but may introduce new ones (RC4 has its own weakness below 128-bit).

    Chrome has already addressed the issue and the fix on the browser side is quite simple and elegant. We should see the other browsers implement something similar over the next few weeks. That doesn’t fix the “implementation of the protocol”, but it will help address the immediate issue of clients being attacked via the SSL Beast.

     

    How to fix SSL on Windows IIS platform [Go Here] or [Here]

    How to fix SSL on Apache platform [Go Here]

    Example Scan and Recommendation of a typical SSL configuration:

    THCSSLCheck v0.1 – (www.thc.org)

    UN/Supported Cipher Suites                                  Recommended

    [*] now testing SSLv2
    ----------------------------------------------------------------------
                      DES-CBC3-MD5 – 168 Bits – unsupported     NO
                      IDEA-CBC-MD5 – 128 Bits – unsupported     NO
                       RC2-CBC-MD5 – 128 Bits – unsupported     NO
                           RC4-MD5 – 128 Bits – unsupported     NO
                        RC4-64-MD5 –  64 Bits – unsupported     NO
                       DES-CBC-MD5 –  56 Bits – unsupported     NO
                   EXP-RC2-CBC-MD5 –  40 Bits – unsupported     NO
                       EXP-RC4-MD5 –  40 Bits – unsupported     NO

    [*] now testing SSLv3
    ----------------------------------------------------------------------
                DHE-RSA-AES256-SHA – 256 Bits – unsupported     YES
                DHE-DSS-AES256-SHA – 256 Bits – unsupported     YES
                        AES256-SHA – 256 Bits – unsupported     YES
              EDH-RSA-DES-CBC3-SHA – 168 Bits – unsupported     YES
              EDH-DSS-DES-CBC3-SHA – 168 Bits – unsupported     YES
                      DES-CBC3-SHA – 168 Bits –   supported     YES
                DHE-RSA-AES128-SHA – 128 Bits – unsupported     YES
                DHE-DSS-AES128-SHA – 128 Bits – unsupported     YES
                        AES128-SHA – 128 Bits – unsupported     YES
                      IDEA-CBC-SHA – 128 Bits – unsupported     YES
                   DHE-DSS-RC4-SHA – 128 Bits – unsupported     YES
                           RC4-SHA – 128 Bits –   supported     YES
                           RC4-MD5 – 128 Bits –   supported     YES
       EXP1024-DHE-DSS-DES-CBC-SHA –  56 Bits – unsupported     NO
               EXP1024-DES-CBC-SHA –  56 Bits –   supported     NO
               EXP1024-RC2-CBC-MD5 –  56 Bits –   supported     NO
               EDH-RSA-DES-CBC-SHA –  56 Bits – unsupported     NO
               EDH-DSS-DES-CBC-SHA –  56 Bits – unsupported     NO
                       DES-CBC-SHA –  56 Bits –   supported     NO
           EXP1024-DHE-DSS-RC4-SHA –  56 Bits – unsupported     NO
                   EXP1024-RC4-SHA –  56 Bits –   supported     NO
                   EXP1024-RC4-MD5 –  56 Bits –   supported     NO
           EXP-EDH-RSA-DES-CBC-SHA –  40 Bits – unsupported     NO
           EXP-EDH-DSS-DES-CBC-SHA –  40 Bits – unsupported     NO
                   EXP-DES-CBC-SHA –  40 Bits –   supported     NO
                   EXP-RC2-CBC-MD5 –  40 Bits –   supported     NO
                       EXP-RC4-MD5 –  40 Bits –   supported     NO

    [*] now testing TLSv1
    ----------------------------------------------------------------------
                DHE-RSA-AES256-SHA – 256 Bits – unsupported     YES
                DHE-DSS-AES256-SHA – 256 Bits – unsupported     YES
                        AES256-SHA – 256 Bits – unsupported     YES
              EDH-RSA-DES-CBC3-SHA – 168 Bits – unsupported     YES
              EDH-DSS-DES-CBC3-SHA – 168 Bits – unsupported     YES
                      DES-CBC3-SHA – 168 Bits –   supported     YES
                DHE-RSA-AES128-SHA – 128 Bits – unsupported     YES
                DHE-DSS-AES128-SHA – 128 Bits – unsupported     YES
                        AES128-SHA – 128 Bits – unsupported     YES
                      IDEA-CBC-SHA – 128 Bits – unsupported     YES
                   DHE-DSS-RC4-SHA – 128 Bits – unsupported     YES
                           RC4-SHA – 128 Bits –   supported     YES
                           RC4-MD5 – 128 Bits –   supported     YES
       EXP1024-DHE-DSS-DES-CBC-SHA –  56 Bits – unsupported     NO
               EXP1024-DES-CBC-SHA –  56 Bits –   supported     NO
               EXP1024-RC2-CBC-MD5 –  56 Bits –   supported     NO
               EDH-RSA-DES-CBC-SHA –  56 Bits – unsupported     NO
               EDH-DSS-DES-CBC-SHA –  56 Bits – unsupported     NO
                       DES-CBC-SHA –  56 Bits                   NO
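
Added example (not from the original post or from THC): a small Python audit that reads THCSSLCheck-style rows like the scan above and flags each suite the server accepts against the conditions this page lists. The sample rows are constructed, the function names are hypothetical, and treating every non-RC4 suite as CBC is an assumption that holds only for SSLv3/TLS 1.0 suite names.

```python
import re

# Constructed sample rows in the THCSSLCheck format shown above (not a real scan).
SAMPLE_SCAN = """\
[*] now testing SSLv3
              DES-CBC3-SHA - 168 Bits -   supported
                AES128-SHA - 128 Bits - unsupported
                   RC4-MD5 - 128 Bits -   supported
           EXP-DES-CBC-SHA -  40 Bits -   supported
[*] now testing TLSv1
                   RC4-SHA - 128 Bits -   supported
                AES256-SHA - 256 Bits -   supported
"""

PROTO_RE = re.compile(r"\[\*\] now testing (\S+)")
# Accept a plain hyphen or the en dash that blog rendering substitutes for it.
ROW_RE = re.compile(
    r"^\s*(\S+)\s+[-\u2013]\s+(\d+) Bits\s+[-\u2013]\s+(supported|unsupported)\s*$")

def parse_scan(text):
    """Yield (protocol, suite, bits) for every suite the server accepted."""
    proto = None
    for line in text.splitlines():
        p, r = PROTO_RE.search(line), ROW_RE.match(line)
        if p:
            proto = p.group(1)
        elif r and r.group(3) == "supported":
            yield proto, r.group(1), int(r.group(2))

def findings(proto, suite, bits):
    """Return the reasons a supported suite should be disabled."""
    out = []
    if proto == "SSLv2":
        out.append("SSLv2 protocol")
    if bits < 128 or suite.startswith("EXP"):
        out.append("below 128-bit")
    if "MD5" in suite:
        out.append("MD5 MAC")
    if "RC4" in suite:
        out.append("RC4 (per the March 2014 note)")
    elif proto in ("SSLv3", "TLSv1"):
        # Assumption: before TLS 1.2 every non-RC4 suite is a CBC block cipher.
        out.append("CBC under SSLv3/TLS 1.0 (BEAST condition)")
    return out

def audit(text):
    return {(p, s): findings(p, s, b) for p, s, b in parse_scan(text)}
```

Every accepted suite in the sample comes back with at least one finding, which is the point of the March 2014 note: on a server limited to SSLv3 and TLS 1.0 the choice is between CBC and RC4, so the fix is enabling TLS 1.1 and 1.2.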

     
