SSL/TSL Renegotiation 취약점
최근에 공개된 SSL/TSL Renegotiation 취약약점 입니다.
프로토콜 문제라 SSL/TSL이 구현된 모든 프로그램에 적용됩니다.
새로운 프로토콜에 대한 토의가 활발하게 일어나고 있지만 언제 고쳐져서 적용될지 오랜 시간이 필요할 것 같습니다.
MITM 공격으로 Victim과 Server사이에 특정 페이로드를 삽입할 수 있습니다.
참고 하시기 바랍니다.
--------
A flaw in SSL and TLS, the protocols that make https:// web browsing and other online services secure, was recently disclosed.[1] The flaw allows a malicious "man in the middle" -- an attacker with access to your local network -- to insert their request or data inside your otherwise "secure" connection, using the "renegotiation" mechanism of SSL and TLS.
....
[1] TLS Renegotiation Vulnerability: http://extendedsubset.com/?p=8
[2] Further changes may be necessary to other (non-Web) clients and services at that time. Any connection that uses SSL or TLS is at risk, although it is believed that the effective impact will be less severe for non-web traffic.
--------
http://www.phonefactor.com/ss
http://www.phonefactor.com/sslgap/ssl-tls-authentication-patches
OTL
네칸 꽉 찬게 없는걸
네칸 꽉 찬게 없는걸 보면 완전한 패치는 아직인거죠?
emerge money
http://wiki.kldp.org/wiki.php/GentooInstallSimple - 명령어도 몇 개 안돼요~
http://xenosi.de/
https://xenosi.de/
곧 openssl 1.0 이
곧 openssl 1.0 이 발표될 것 같습니다. (몇년만이냐...)
현재 beta4 이고, 성질급한 fedora 는 이미 이걸 사용하고 있습니다.
0.9.8m 의 changelog 에
*) Implement <a href="https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt" rel="nofollow">https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt</a>. Re-enable renegotiation but require the extension as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a bad idea. It has been replaced by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with SSL_CTX_set_options(). This is really not recommended unless you know what you are doing. [Eric Rescorla <ekr@networkresonance.com> and Ben Laurie]draft 에 뭐라고 적혀있는지 보지는 않았고요... 확정되면 다시 패치되겠죠.
OTL