Impact of TLS/SSL Renegotiation Vulnerability on HTTPS: Less Known Issues

Submitted by abb on Sun, 09/12/2010 - 13:10

There is a couple of issues with TLS/SSL renegotiation vulnerability in the context of HTTPS protocol, which appear not to have made their way to the public.

1. Plain text prefix injection is not the only risk. The original advisory [1] mentions the possibility of "forwarding and repurposing of client certificate authentication credentials". In oss-sec maillist Marsh Ray goes in more details [2], and [3] dedicates one slide to "client certificate redirection".

2. The renegotiation vulnerability provides for an additional attack vector to exploit web application vulnerabilities. For example, MiTM attackers can use it to deliver an exploit for a non-persistent XSS bug to client's browser.

References:

[1] http://www.phonefactor.com/sslgapdocs/Renegotiating_TLS.pdf
[2] http://seclists.org/oss-sec/2009/q4/137
[3] http://www.troopers10.org/content/e728/e897/e903/TROOPERS10_History_of_…

Contacts

+32 (0) 2 215 53 58

Gremwell BVBA
Sint-Katherinastraat 24
1742 Ternat
Belgium
VAT: BE 0821.897.133.