Security:Renegotiation: Difference between revisions

The purpose of this page is to summarize security issue CVE-2009-3555 that applies to SSL/TLS/https/etc., and to describe what actions are being taken in Mozilla and Firefox products.

The information on this page is preliminary.

Background

In 2009 a flaw was discovered in the SSL/TLS protocol which is widely used in Internet applications, for example when accessing web pages using the "https" method.

This flaw could allow a MITM (man in the middle) to inject data into a connection between an Internet client and an Internet server, and potentially allow an attacker to execute commands using the credentials of an Internet user, or to even steal authentication credentials.

This security flaw has been labled CVE-2009-3555 and is being described in more detail at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555

Because the flaw is not specific to any specific software product, but rather a fundamental design flaw, a lot of software using SSL/TLS is vulnerable.

Scope

In order to allow the attack to work, a SSL/TLS protocol feature must be enabled which is called session renegotiation.

One way to protect against the attack is to disable this feature. Hopefully most Internet servers have followed the recommendation and turned the feature off.

Unfortunately, using the old SSL/TLS protocol version, it is not possible to know whether a site is protected or vulnerable.

Because of this, when using the old SSL/TLS protocol versions, Firefox does not know whether it talks to a vulnerable server. Firefox does not know whether a connection has been attacked.

An enhanced SSL/TLS protocol version is currently being finalized and is soon to be published as an RFC, currently located at: http://www.rfc-editor.org/authors/rfc5746.txt.

As soon as both parties of an SSL/TLS session (e.g. Firefox and an Internet Server) are using the new protocol version they will be protected against the attack, and Firefox can be sure the connection is protected.

Action

In order to ascertain that SSL/TLS sessions are protected, most Internet installations using this protocol must be upgraded to support the new protocol (currently draft-rescorla-tls-renegotiation).

Firefox has started to support this new protocol version in its experimental version since February 8th, 2010. Mozilla will include support in stable product versions as soon as possible.

Unfortunately, because of the complexity of the flaw and the need to get most of the world to upgrade their servers, it's a tough decision how Firefox should act.

As of today (2010-02-08) it would be useless to show a warning indicator to Firefox users in the chrome, because we'd show warnings for 99.9% of the web. It would cause confusion for users and teach them to ignore the warning.

We'd like to wait until a significant percentage of the web has been upgraded to the new protocol, before we start to show a warning for those (few) servers that still haven't upgraded.

However, while we wait for most of the web to upgrade, software testers need to know whether a site is vulnerable or not, and evangelists want to push server operators to upgrade their systems.

Therefore Firefox (and other Mozilla products) log information about "potentially vulnerable" servers to the Error console.

In the beginning you will receive warnings for many servers. The idea to log this information to the console is experimental, we may disable it if there are too many complaints or if it's causing too much distraction.

However, it would be preferable to keep the information, as the world really needs to be made aware and be reminded to upgrade.

A test server that supports the new protocol can be accessed at https://ssltls.de/

Control

This section describes the behaviour of Firefox (and other Mozilla software) when talking to Internet servers, which may or may not (yet) support the new protocol enhancement, and the preferences users can set to control the behaviour of the Mozilla client software.

When starting a handshake for an SSL 3 or a TLS 1 connection, Mozilla will advertise its support for the new renegotiation extension, so the server can know about it.

Should Mozilla detect that a server asks the Mozilla client to perform a renegotiation on an existing connection, Mozilla may reject or accept this request, depending on the server software and depending on the configuration of the Mozilla client (e.g. Firefox).

In order to understand the following preferences to control Mozilla's behaviour, it's important to understand and carefully distinguish the terms “negotiation” and “renegotiation”.

Negotiation refers to the initial handshake between client and server.

Renegotiation refers to an attempt to repeat the negotiation on an existing connection.

In order to clarify why this distinction is relevant, let's repeat one property of the attack scenarios using the old protocol versions:

The attack requires a renegotiation. However, a renegotiation may happen between a MITM and a server, while the Mozilla client is under the impression that the connection is still at the stage of the initial negotiation.

Only the use of the new protocol versions on both sides of a connection can clarify this and ascertain to be safe against the attack.

Now let's describe the new default behaviour that was introduced in experimental mozilla-central nightly versions on 2010-02-08:

• Mozilla will start the initial negotiation
• it will advertise support for the new protocol
• it will allow the connection regardless of server protocol support
• should the server (or a MITM) request renegotiation, Mozilla will terminate the connection with an error message

The above defaults may break some client/server environments where a Server is still using old software and requires renegotiation. This is often being used when a server asks a client to present a certificate for authentication or when a different level of encryption strength is being enforced for certain resources.

(When the security flaw became public, it has been recommend to strictly separate all content and servers into separate servers, each using homogeneous authentication and security preferences, but not all deployments may have followed this security recommendation.)

In order to give such environments a way to keep using Firefox (et.al.) to connect to their vulnerable server infrastructure, the following preferences are available:

security.ssl.renego_unrestricted_hosts

Empty by default.

This string preference is a list oft host names, separated by comma (,) where renegotiation may be performed, even when using the old vulnerable protocol. No wildcards are supported.

Example: www.dns1.com,mail.dns2.com

security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref

Current default value: DEPENDS, see end of section

It's not desirable to set this to true, as it completely disables the new protection mechanisms. However, in controlled environments where many old new server must be accessed, this may be used.

It's highly recommended to leave this at the default value "false", and instead populate preference security.ssl.renego_unrestricted_hosts with a list of hosts that require the exception.

The preference carries "temporarily_available_pref" in its name, as it's supposed to go away later.

Regarding default values:

• The development version of Firefox (3.7-pre) uses "false"
• The stable releases 3.5.9 and 3.6.2 use "true"
• As soon as a sufficient amount of servers had a chance to upgrade, the default in stable releases will be switched to "false", too

security.ssl.treat_unsafe_negotiation_as_broken

Current default value: false

This preference can be used to achieve visual feedback when connecting to a server that still uses old software, not yet supporting the protocols.

When set to true, when connecting to such a server, Firefox will warn about "broken security" by displaying a red/broken padlock in its status bar.

It shall be noted that this indicator isn't of much help with regards to state of the shown page. When you see this indicator, it's already "too late", as a connection to that server has already taken place and an attack may have already taken place.

However, it's still helpful to have this indicator, as it raises awareness of servers that still need to be upgraded. "Evangelists" (for a better web) should ask server operators to perform a server software upgrade in order to protect users and their data.

If you read this page and understand this issue, you are encouraged to switch this pref to true and help with the process to get the web upgraded (by discovering old servers and asking operators to upgrade).

Note: No visual warnings are yet available for other Mozilla software. However, Mozilla clients will produce warnings on the error console for sites that are potentially vulnerable.

security.ssl.require_safe_negotiation

Current default value: false

This pref controls the behaviour during the initial negotiation between client and server.

If set to true, a Mozilla client will reject all connection attempts to servers that are still using the old SSL/TLS protocol and which might be vulnerable to the attack.

Setting this preference to "true" is the only way to guarantee full protection against the attack. Unfortunately, as of time of writing, this would break nearly all secure sites on the web.

Eventually, if enough sites have been upgraded to the new protocol versions, this preference will be set to "true" by default.

Further ideas

security.ssl.treat_unsafe_renegotiation_as_broken and security.ssl.treat_unsafe_renegotiation_as_broken_hosts as per Bug 554594 – Alerts on CVE-2009-3555 TLS Renegotiation in Error Log