[Security] TLS Triple Handshakes
fedor.brunner at azet.sk
Tue Mar 4 15:16:47 UTC 2014
On 03.03.2014 23:35, Dave Cridland wrote:
> On 3 March 2014 21:47, Waqas Hussain <waqas20 at gmail.com> wrote:
>> On Mon, Mar 3, 2014 at 3:46 PM, Fedor Brunner
>> <fedor.brunner at azet.sk> wrote:
>>> Hi all, this attack on TLS security may be interesting for
>>> The attacker could modify tls-unique channel binding and
>>> affect SCRAM-SHA-1-PLUS authentication method.
> Yes, it's interesting, at a first glance.
> It would, however, only affect clients that do not verify
> certificates properly (at least at the point of sending SASL
> You also need clients and servers that are perfectly happy to see
> renegotiation, and it's not vastly obvious why XMPP *needs* any
> So something to be aware of, rather than panic over.
There are multiple attacks described in the document.
1. The attack on client certificate authentication uses both
resumption and renegotiation. It's targeted more at the behavior of HTTPS
servers and it could be more complicated to exploit it in XMPP, but
2. The attack on SASL channel binding uses resumption, not renegotiation.
The attack applies to the scenario where both the XMPP client and server use
TLS/SSL libraries that support TLS resumption, for example OpenSSL.
If the attacker can forge a valid certificate (for example with the help
of a CA), or the XMPP client is ignoring warnings about an incorrect SSL
certificate (which many users do, see the paper:
Alice in Warningland: A Large-Scale Field Study of Browser Security
then an active attacker can downgrade the security of SCRAM-SHA-1-PLUS
authentication to SCRAM-SHA-1 and do a MITM.
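
Added example (not part of the original message or of the paper it discusses): a sketch of the server-side channel-binding check that SCRAM-SHA-1-PLUS relies on, following the gs2-header and `c=` rules of RFC 5802. The function names, the sample nonce and proof, and the 12-byte tls-unique values are constructed for illustration, and ClientProof verification is left out.

```python
import base64
import hmac

def parse_gs2(client_first):
    """Return (flag, cb_name, gs2_header) from an RFC 5802 client-first-message."""
    flag, authzid, _bare = client_first.split(",", 2)
    header = f"{flag},{authzid},".encode()
    if flag in ("n", "y"):
        return flag, None, header
    if flag.startswith("p="):
        return "p", flag[2:], header
    raise ValueError("malformed gs2-cbind-flag")

def c_attribute(client_final):
    """Decode the c= attribute (base64 of gs2-header + channel-binding data)."""
    for attr in client_final.split(","):
        if attr.startswith("c="):
            return base64.b64decode(attr[2:], validate=True)
    raise ValueError("client-final-message has no c= attribute")

def check_binding(mechanism, offers_plus, client_first, client_final, tls_unique):
    """Server-side verdict: 'ok', 'downgrade', 'flag-mismatch' or 'cb-mismatch'."""
    flag, cb_name, header = parse_gs2(client_first)
    plus = mechanism.endswith("-PLUS")
    if flag == "y" and offers_plus:
        return "downgrade"  # client saw a list without -PLUS, but the server offered it
    if plus != (flag == "p") or (plus and cb_name != "tls-unique"):
        return "flag-mismatch"
    # For -PLUS the server appends the tls-unique of ITS OWN TLS connection.
    expected = header + (tls_unique if plus else b"")
    ok = hmac.compare_digest(c_attribute(client_final), expected)
    return "ok" if ok else "cb-mismatch"

def sample_messages(flag, tls_unique=b""):
    """Constructed client messages; nonce and proof are placeholders."""
    header = f"{flag},,"
    c = base64.b64encode(header.encode() + tls_unique).decode()
    return (f"{header}n=juliet,r=clientnonce",
            f"c={c},r=clientnonceservernonce,p=cHJvb2Y=")

if __name__ == "__main__":
    conn_a, conn_b = bytes.fromhex("aa" * 12), bytes.fromhex("bb" * 12)  # constructed
    first, final = sample_messages("p=tls-unique", conn_a)
    print(check_binding("SCRAM-SHA-1-PLUS", True, first, final, conn_a))  # same connection
    print(check_binding("SCRAM-SHA-1-PLUS", True, first, final, conn_b))  # different connection
    first, final = sample_messages("y")
    print(check_binding("SCRAM-SHA-1", True, first, final, conn_b))       # -PLUS hidden from client
```

The comparison separates two TLS connections only when their tls-unique values differ, which is the property the resumption scenario in point 2 concerns.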