Eliminate BEAST, CRIME, Lucky13, RC4, SSLv3 weaknesses from binary/legacy applications

TLS InterposerSecurity is hard. Security that works with a variety of platforms under a flurry of circumstances with an endless choice of applications is practically impossible. SSL and TLS, the Internet security workhorses, try to achieve this feat … and fail from time to time. While some software has been updated, not all of it has. The TLS Interposer provides a new way to upgrade the security of existing applications without breaking compatibility.

The Problem

Over the past few years, SSL/TLS has seen several issues:

  1. Weak ciphers and hashes: DES, 3DES, RC4, and MD5 as well as the weakened-by-design „export“ variants of strong ciphers have been shown to provide sham protection only.
  2. Weak chaining modes such as CBC have been shown to be vulnerable to the BEAST attack.
  3. Many protocol mistakes have been identified.
  4. Information about the compressed-then-encrypted content of packets can be revealed in HTTP traffic using CRIME and BREACH.
  5. Public awareness about eavesdropping by government agencies has raised the wish to use ephemeral keys.

Even though most of these have been solved in some code or other, there remain pieces of software out there that still show some of these problems. This is partly due to interoperability requirements, but also due clients or servers not being updated. Clients are not updated because their users have not enabled automatic updates or are using old, unmaintained software.

Servers can also suffer from the same problems, but frequently the administrator has been using a „long-term“ or „enterprise“ release of the software, which tries to avoid incorporating changes which could cause interoperability problems. In the end, encryption libraries or application sometimes remain outdated and thus vulnerable.

Theoretical Solution

On Linux systems, the most widely used library for SSL and TLS operations is OpenSSL. Frequently, this is updated, but not all applications that use it are. Some of the newer security features require the application to specifically request it:

  1. SSLv3, relying strongly on MD5, needs to be manually turned off.
  2. Weak ciphers need to be manually disabled.
  3. Compression needs to be manually turned off.
  4. ECDHE modes[1]They are the only secure interoperable modes between OpenSSL and newer Internet Explorer versions. need to be manually configured.

Practical Limitations

However, many applications do not provide tunable parameters to control these, nor have they been modified to deal with these settings by default. For example,

  1. Apache 2.2.*, still the most widely distributed version of the popular web server, does not turn on ECDHE support.
  2. ejabberd 2.1.10, the version delivered with Ubuntu 12.04 LTS, does not seem to support any cryptography configuration.
  3. Cyrus mailbox server does not provide any option to configure the above.
  4. Postfix mail transport agent provides only limited configuration, depending on the version.

 Solution: TLS Interposer

At least for the Linux server case, the TLS Interposer provides a workaround: Using LD_PRELOAD, selected SSL/TLS server processes are upgraded to use OpenSSL more securely.

It works by enhancing calls to the OpenSSL initialization functions: In addition to basic initialization, it will do secure initialization.

To take advantage of it, see the TLS Interposer documentation and configuration how-tos for various applications.

Schreibe einen Kommentar