[Security] TLS Triple Handshakes
dave at cridland.net
Tue Mar 4 10:58:48 UTC 2014
On 4 March 2014 10:17, Thijs Alkemade <me at thijsalkema.de> wrote:
> On 3 mrt. 2014, at 22:35, Dave Cridland <dave at cridland.net> wrote:
> On 3 March 2014 21:47, Waqas Hussain <waqas20 at gmail.com> wrote:
>> On Mon, Mar 3, 2014 at 3:46 PM, Fedor Brunner <fedor.brunner at azet.sk>
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA512
>> > Hi all,
>> > this attack on TLS security may be interesting for XMPP
>> > https://www.imperialviolet.org/2014/03/03/triplehandshake.html
>> > https://secure-resumption.com/#further
>> > The attacker could modify tls-unique channel binding and affect
>> > SCRAM-SHA-1-PLUS authentication method.
> Yes, it's interesting, at a first glance.
> It would, however, only affect clients that do not verify certificates
> properly (at least at the point of sending SASL stuff).
> You also need clients and servers that are perfectly happy to see
> renegotiation, and it's not vastly obvious why XMPP *needs* any
> So something to be aware of, rather than panic over.
> I disagree, there are good reasons to allow renegotiation on XMPP (for
> example: hiding client-side certificates).
I'm willing to go along with that; however any client that was doing
strong-auth and taking the opportunity to hide their certificate would
probably check the server's cert.
> Resumption, on the other hand, I don't see quite as useful for XMPP, due
> to StartTLS. Resumption is vital to this attack.
I don't understand why resumption wouldn't be as useful.
> From my very limited testing with a handful of servers and `openssl
> s_client`, it seems most servers allow renegotiation. Servers running
> Prosody/ejabberd did not allow resumption, but jabber.org (M-Link) does.
> However, it seems the XMPP layer is treating any resumption as if it were a
> new connection.
Yes, it should do.
Resuming a TLS session and resuming the application session is something
that was discussed by (I think) a Nokia paper (Pasi Eironen, from memory).
It requires a substantial amount of support.
Resuming a TLS session and enabling this to be used for authentication (due
to a previous application-layer authentication) was discussed in an I-D I
did years ago.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Security