TLS design weakness affecting client-side authentication

A team of security researchers discovered a weakness in the TLS design. To quote from their website:

“If A is malicious, it can choose a non-prime group such that the resulting PMS is fully under its control.
If a malicious server A mounts a UKS attack to obtain two sessions (one with C and the other with S) that share the same MS, ciphersuite, and SID, it can forward the abbreviated handshake unchanged from one connection to the other.
The easiest mitigation is for web browsers to refuse a change of server identity during renegotiation.”
Major browsers fixed this. However, there are numerous non-browser TLS clients, and it will take a lot of effort to patch them. This type of weakness is difficult to identify and fix, as the impact is not obvious or cannot be seen by the user.
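For a non-browser client, the mitigation quoted above comes down to remembering the server certificate bound to a connection and rejecting any later handshake on that connection that presents a different one. The sketch below is an added example, not code from the researchers or from any TLS library; the class, method and event names are hypothetical, and the certificate bytes are constructed placeholders.

```python
import hashlib


class ServerIdentityChanged(Exception):
    """Raised when a later handshake presents a different server certificate."""


class ConnectionIdentityGuard:
    """Hypothetical helper that pins the server identity for one TLS connection."""

    def __init__(self):
        self._pinned = None   # SHA-256 of the first certificate bound to the connection
        self.handshakes = 0   # handshakes accepted so far

    def on_full_handshake(self, cert_der: bytes) -> None:
        """Call after every full handshake, whether initial or renegotiated."""
        fingerprint = hashlib.sha256(cert_der).digest()
        if self._pinned is None:
            self._pinned = fingerprint   # first handshake: remember the identity
        elif fingerprint != self._pinned:
            raise ServerIdentityChanged("server certificate changed during renegotiation")
        self.handshakes += 1

    def on_abbreviated_handshake(self, session_cert_der: bytes) -> None:
        """A resumed session sends no certificate, so pin the one cached with it."""
        self.on_full_handshake(session_cert_der)


def check_trace(events):
    """Replay (kind, certificate) events for one connection and return the verdict."""
    guard = ConnectionIdentityGuard()
    for kind, cert in events:
        try:
            if kind == "resume":
                guard.on_abbreviated_handshake(cert)
            else:   # "full" or "renegotiate"
                guard.on_full_handshake(cert)
        except ServerIdentityChanged:
            return f"rejected at handshake {guard.handshakes + 1}"
    return "accepted"


# Constructed placeholder bytes standing in for DER-encoded certificates.
CERT_A = b"constructed-cert-for-server-A"
CERT_S = b"constructed-cert-for-server-S"

# Renegotiation with the same server is allowed.
SAME_SERVER = [("full", CERT_S), ("renegotiate", CERT_S)]
# A session resumed under A's identity, then a renegotiation showing S's certificate.
IDENTITY_SWAP = [("resume", CERT_A), ("renegotiate", CERT_S)]

if __name__ == "__main__":
    print(check_trace(SAME_SERVER))
    print(check_trace(IDENTITY_SWAP))
```

In a real client these methods would be driven from whatever handshake-completion hook the TLS library exposes, with the certificate for a resumed session taken from the client's own session cache.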
With almost 20 years having passed since TCP/IP was invented, most of the low-hanging security issues have been identified and addressed. We are going to see more occurrences of this type of fundamental and subtle design weakness.
The battlefield for security professionals has just grown by another 100 miles!

About antonyma

Engineering trained, Antony has the qualifications of CISA, Oracle DBA and BS7799 ISMS assessor. He also received an LLM in Intellectual Property & Information Technology Law from The University of Hong Kong. Founder of travel tech startup www.powerdata2go.com. Antony was the Chairman of Professional Information Security Association (PISA) from 2009 to 2010. He also joined ISC2 workshop on developing a new cloud security certification. Current positions include: 1. Chairman of Cloud Security Alliance (Hong Kong & Macau Chapter) 2. Convenor of HK OGCIO Working Group on Cloud Security and Privacy 3. Hong Kong delegate to ISO SC 27 committee, which drafts security standards like ISO27001. Email: antony.linkedin@gmail.com. Specialties: Retail Banking System & Process, IT Security, Copyright Law, Audit & Control, Technology Risk Management, Cloud Security
