Categories: SecurityWorkspace

Glaring Flaws Uncovered In Web Encryption Protocols

Some widely used encryption standards on the Internet have gaping holes in them that could allow attackers to bypass protective layers, security researchers have warned. Red Hat has found a long-unnoticed hole in a free software implementation of the TLS security standard, while French security experts have found a way to subvert the TLS protocols themselves with a man-in-the-middle attack.

One of the problems uncovered by Red Hat lies in the GnuTLS library, which has been found to incorrectly handle certain errors that could occur during the verification of an X.509 certificate, used for the handshake process common to this form of encryption. GnuTLS is a free software library that provides an interface to a secure network transport layer. It was created so TLS (transport layer security) could be used by free software – as opposed to open source software which can use the OopenSSL software. This problem meant a connection using GnuTLS could falsely report a successful verification.

Encryption fail

GnuTLS can be used by almost any system, but in practice is mostly limited to Linux systems, many of which also use OpenSSL. Linux users have reported that the software is in fact not so widely used as some have said.

It was a similar problem to that recently seen in iOS and Mac OS X, which also made false validations possible. An attack would see a hacker create a fake certificate and potentially carry out further attacks which appear to come from a legitimate service.

“An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker,” Red Hat wrote in its advisory for its Enterprise Linux 6 product. “Users of GnuTLS are advised to upgrade to these updated packages, which correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted.”

All Linux users or anyone who knows they run the GnuTLS library should update given the apparent severity of the issue, security experts said.

Another SSL encryption weakness

Meanwhile, a more difficult – but more widely applicable – attack has been reported by researchers from the French National Institute for Research in Computer Science and Control. The experts detailed a “triple handshake attack” on TLS/SSL encryption. It sees a malicious server using the same key a client used to connect to a non-malicious server. Normal protections against this are circumvented by injecting session resumption between handshakes.

It is essentially a very smart man-in-the-middle attack, allowing the attacker to spy on a target’s internet traffic and steal credentials for websites the victim visits. The  Internet Engineering Task Force has proposed some countermeasures on its website.

“To summarise the attacks briefly, if a TLS client connects to a malicious server and presents a client credential, the server can then impersonate the client at any other server that accepts the same credential,” the researchers wrote on their website.

“Concretely, the malicious server performs a man-in-the-middle attack on three successive handshakes between the honest client and server, and succeeds in impersonating the client on the third handshake.

“Our attacks exploit a lack of cross-connection binding when TLS sessions are resumed on new connections.”

Are you a security expert? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

17 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

18 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

19 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago