[Security] TLS Triple Handshakes

Thijs Alkemade me at thijsalkema.de
Tue Mar 4 10:17:22 UTC 2014


On 3 mrt. 2014, at 22:35, Dave Cridland <dave at cridland.net> wrote:

> 
> 
> 
> On 3 March 2014 21:47, Waqas Hussain <waqas20 at gmail.com> wrote:
> On Mon, Mar 3, 2014 at 3:46 PM, Fedor Brunner <fedor.brunner at azet.sk> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> >
> > Hi all,
> > this attack on TLS security may be interesting for XMPP
> > https://www.imperialviolet.org/2014/03/03/triplehandshake.html
> > https://secure-resumption.com/#further
> >
> > The attacker could modify tls-unique channel binding and affect
> > SCRAM-SHA-1-PLUS authentication method.
> >
> 
> 
> Yes, it's interesting, at a first glance.
> 
> It would, however, only affect clients that do not verify certificates properly (at least at the point of sending SASL stuff).
> 
> You also need clients and servers that are perfectly happy to see renegotiation, and it's not vastly obvious why XMPP *needs* any renegotiation.
> 
> So something to be aware of, rather than panic over.
> 
> Dave.


I disagree, there are good reasons to allow renegotiation on XMPP (for example: hiding client-side certificates).

Resumption, on the other hand, I don’t see quite as useful for XMPP, due to StartTLS. Resumption is vital to this attack.

From my very limited testing with a handful of servers and `openssl s_client`, it seems most servers allow renegotiation. Servers running Prosody/ejabberd did not allow resumption, but jabber.org (M-Link) does. However, it seems the XMPP layer is treating any resumption as if it were a new connection.


Thijs


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/security/attachments/20140304/3979905a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.jabber.org/pipermail/security/attachments/20140304/3979905a/attachment.sig>


More information about the Security mailing list