Security:Renegotiation: Difference between revisions

The purpose of this document is to summarize security issue CVE-2009-3555 which applies to SSL/TLS/https/etc., and to describe what actions are being taken in Mozilla and Firefox software.

The information contained within this article is preliminary, and is subject to change.

Background

In 2009, a flaw was discovered in the SSL/TLS protocol which is widely used in Internet applications, for example when accessing web content via an address prefixed with “https”.

This flaw could allow a ‘man-in-the-middle’ (MITM), to be able to inject data into a connection between an Internet client and an Internet server, and potentially allow an attacker to execute commands using the credentials of an authorised user, or to even collect authentication credentials of authorised users.

This security flaw has been labled CVE-2009-3555 and is (being) described in more detail:

• CVE-2009-3555
• National Vulnerability Database (CVE-2009-3555).

Because the flaw is not limited to any specific software implementation, but is rather a fundamental protocol design flaw, a lot of software using SSL/TLS is vulnerable.

Scope

In order to allow the attack to work, a SSL/TLS protocol feature must be enabled which is called session renegotiation.

One way to protect against the attack is to disable this feature. Hopefully ,most Internet servers have followed the recommendation and disabled the renegotiation feature.

Unfortunately, when using the present, flawed SSL/TLS protocol version, it is not possible to determine whether a site is protected or vulnerable.

Because of this uncertainty, when using the existing SSL/TLS protocol versions, Firefox does not know whether a server it communicates with is vulnerable. Firefox, therefore, is unable to determine whether a connection has been attacked.

An enhanced SSL/TLS protocol version is currently being finalized and is soon to be published as RFC 5746.

As soon as both parties of an SSL/TLS session (e.g. Firefox and a Web server) are using the new protocol version they will be protected against the attack, and Firefox can, again, assume the connection is protected.

Action

In order to ascertain that SSL/TLS sessions are protected, most Internet installations using this protocol must be upgraded to support the new protocol version (currently draft-rescorla-tls-renegotiation).

Firefox has started to support this new protocol version in its experimental version since February 8th, 2010. Mozilla will include support in stable product versions as soon as possible.

Unfortunately, because of the complexity of the flaw and the need to get most of the world to upgrade their servers, it's a tough decision how Firefox should act.

As of February 2010, it would be useless to show a warning indicator to Firefox users in the chrome, because users would be shown warnings for 99·9% of SSL/TLS sites. It would cause confusion among users, and would teach them to ignore this warning, and possibly other similar-looking warnings.

We'd like to wait until a significant percentage of the web has been upgraded to the new protocol version, before we start to show a warning for those (few) servers that still haven't upgraded.

However, while we wait for most of the web to upgrade, software testers need to know whether a site is vulnerable or not, and evangelists want to push server operators to upgrade their systems.

Therefore Firefox (and other Mozilla products) log information about “potentially vulnerable” servers to the Error console.

In the beginning you will receive warnings for many servers. The idea to log this information to the console is experimental, we may disable it if there are too many complaints or if it's causing too much distraction.

However, it would be preferable to keep the information, as the world really needs to be made aware and be reminded to upgrade.

A test server that supports the new protocol version can be accessed at https://ssltls.de/

Control

This section describes the behaviour of Firefox (and other Mozilla software) when talking to Internet servers, which may or may not (yet) support the new protocol enhancement, and the preferences users can set to control the behaviour of the Mozilla client software.

When starting a handshake for an SSL 3 or a TLS 1 connection, Mozilla will advertise its support for the new renegotiation extension, so the server can know about it.

Should Mozilla detect that a server asks the Mozilla client to perform a renegotiation on an existing connection, Mozilla may reject or accept this request, depending on the server software and depending on the configuration of the Mozilla client (e.g. Firefox).

In order to understand the following preferences to control Mozilla's behaviour, it's important to understand and carefully distinguish the terms “negotiation” and “renegotiation”.

Negotiation refers to the initial handshake between client and server.

Renegotiation refers to an attempt to repeat the negotiation on an existing connection.

In order to clarify why this distinction is relevant, let's repeat one property of the attack scenarios using the old protocol versions:

The attack requires a renegotiation. However, a renegotiation may happen between a MITM and a server, while the Mozilla client is under the impression that the connection is still at the stage of the initial negotiation.

Only the use of the new protocol versions on both sides of a connection can clarify this and ascertain to be safe against the attack.

Now let's describe the new default behaviour that was introduced in experimental mozilla-central nightly versions on 2010-02-08:

• Mozilla will start the initial negotiation
• it will advertise support for the new protocol version
• it will allow the connection regardless of server protocol support
• should the server (or a MITM) request renegotiation, Mozilla will terminate the connection with an error message

The above defaults may break some client/server environments where a Server is still using old software and requires renegotiation. This is often being used when a server asks a client to present a certificate for authentication or when a different level of encryption strength is being enforced for certain resources.

(When the security flaw became public, it has been recommend to strictly separate all content and servers into separate servers, each using homogeneous authentication and security preferences, but not all deployments may have followed this security recommendation.)

In order to give such environments a way to keep using Firefox (et.al.) to connect to their vulnerable server infrastructure, the following preferences are available:

security.ssl.renego_unrestricted_hosts

Empty by default.

This string preference is a list oft host names, separated by comma (,) where renegotiation may be performed, even when using the old vulnerable protocol. No wildcards are supported.

Example: www.dns1.com,mail.dns2.com

security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref

Current default value: DEPENDS, see end of section

It's not desirable to set this to true, as it completely disables the new protection mechanisms. However, in controlled environments where many old new server must be accessed, this may be used.

It's highly recommended to leave this at the default value “false”, and instead populate preference security.ssl.renego_unrestricted_hosts with a list of hosts that require the exception.

The preference carries “temporarily_available_pref” in its name, as it's supposed to go away later.

Regarding default values:

• The development version of Firefox (3.7-pre) uses “false”.
• The stable releases 3.5.9 and 3.6.2 use “true”.
• As soon as a sufficient amount of servers had a chance to upgrade, the default in stable releases will be switched to “false”, too.

security.ssl.treat_unsafe_negotiation_as_broken

Current default value: false

This preference can be used to achieve visual feedback when connecting to a server that still utilises the old protocol version, not yet supporting the new, enhanced protocol version(s).

When set to true, when connecting to such a server, Firefox will warn about “broken security” by displaying a red/broken padlock in its status bar.

It should be noted that this indicator isn't of much help with regards to state of the connection used to retrieve the content. When you see the indicator, it's already “too late”, as a connection to that server has already been established and an attack may have already occurred.

However, it's still helpful to have this indicator, as it raises awareness of servers that still need to be upgraded. “Evangelists” (for a better web) should ask server operators to perform a server software upgrade in order to protect users and their data.

If you read this page and understand this issue, you are encouraged to switch this pref to true and help with the process to upgrade Web servers (by discovering servers using vulnerable versions, and asking operators to upgrade).

Note: No visual warnings are yet available for other Mozilla software. However, Mozilla clients will produce warnings on the error console for sites that are potentially vulnerable.

security.ssl.require_safe_negotiation

Current default value: false

This pref controls the behaviour during the initial negotiation between client and server.

If set to true, a Mozilla client will reject all connection attempts to servers that are still using the old SSL/TLS protocol and which might be vulnerable to the attack.

Setting this preference to “true” is the only way to guarantee full protection against the attack. Unfortunately, as of time of writing, this would break nearly all secure sites on the web.

Eventually, if enough sites have been upgraded to the new protocol versions, this preference will be set to “true” by default.

Further ideas

security.ssl.treat_unsafe_renegotiation_as_broken and security.ssl.treat_unsafe_renegotiation_as_broken_hosts as per Bug 554594 – Alerts on CVE-2009-3555 TLS Renegotiation in Error Log — Comment #2