Security:Renegotiation
The purpose of this page is to summarize security issue CVE-2009-3555 that applies to SSL/TLS/https/etc., and to describe what actions are being taken in Mozilla and Firefox products.
The information on this page is preliminary.
Background
In 2009 a flaw was discovered in the SSL/TLS protocol which is widely used in Internet applications, for example when accessing web pages using the "https" method.
This flaw could allow a MITM (man in the middle) to inject data into a connection between an Internet client and an Internet server, and potentially allow an attacker to execute commands using the credentials of an Internet user, or to even steal authentication credentials.
This security flaw has been labeled CVE-2009-3555 and is described in more detail at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555.
Because the flaw is a fundamental design flaw in the protocol rather than a defect in any particular software product, a lot of software using SSL/TLS is vulnerable.
Scope
In order for the attack to work, an SSL/TLS protocol feature called session renegotiation must be enabled.
One way to protect against the attack is to disable this feature. Hopefully most Internet servers have followed the recommendation and turned the feature off.
Unfortunately, with the old SSL/TLS protocol versions it is not possible to tell whether a site is protected or vulnerable.
Consequently, when using the old SSL/TLS protocol versions, Firefox cannot know whether it is talking to a vulnerable server, nor whether a connection has been attacked.
An enhanced SSL/TLS protocol version is currently being finalized and is soon to be published as an RFC, currently labeled as draft-rescorla-tls-renegotiation.
As soon as both parties of an SSL/TLS session (e.g. Firefox and an Internet Server) are using the new protocol version they will be protected against the attack, and Firefox can be sure the connection is protected.
Action
In order to ensure that SSL/TLS sessions are protected, most Internet installations using this protocol must be upgraded to support the new protocol (currently draft-rescorla-tls-renegotiation).
Firefox has supported this new protocol version in its experimental builds since February 8th, 2010. Mozilla will include support in stable product versions as soon as possible.
Unfortunately, because of the complexity of the flaw and the need to get most of the world to upgrade their servers, how Firefox should act is a tough decision.
As of today (2010-02-08) it would be useless to show a warning indicator to Firefox users in the chrome, because we'd show warnings for 99.9% of the web. It would cause confusion for users and teach them to ignore the warning.
We'd like to wait until a significant percentage of the web has been upgraded to the new protocol, before we start to show a warning for those (few) servers that still haven't upgraded.
However, while we wait for most of the web to upgrade, software testers need to know whether a site is vulnerable or not, and evangelists want to push server operators to upgrade their systems.
Therefore Firefox (and other Mozilla products) log information about "potentially vulnerable" servers to the Error console.
In the beginning you will receive warnings for many servers. Logging this information to the console is experimental; we may disable it if there are too many complaints or if it causes too much distraction.
However, it would be preferable to keep the information, as the world really needs to be made aware and be reminded to upgrade.
Control
Firefox introduces multiple hidden (about:config) preferences to control how Firefox (and other Mozilla software) will behave when talking to servers that do not yet support the new SSL/TLS protocol enhancement.