Parse Transport Layer Security Protocol MITM attack

First, this vulnerability carries some interesting attack methods. Of course, it has a serious impact on those unfortunately recruited. However, to enable attackers to exploit this vulnerability, hackers need to use other vulnerabilities for MITM access. Of course, if you have local subnet access or hackers use DNS spoofing, you can easily perform MITM access. However, these requirements have increased the difficulty for hackers to exploit the vulnerability.

Now, let's review the five rumors about the vulnerability:

Rumor 1: Users should no longer trust HTTPS links provided by online banks and online retailers.

Correct: users do not need to panic about this. If hackers want to exploit this vulnerability, they must first be able to perform MITM attacks. It is worth mentioning that many financial institutions have a set of solutions to ensure that you are their customers. Therefore, although you must always be aware of security and be vigilant when using the Internet, you do not need to feel more fear than before.

Rumor 2: TLS encryption does not work.

Correct: the vulnerability does not allow hackers to read encrypted data. It only allows the plaintext data to be inserted into the encrypted dialog. The encryption strength provided by TLS is not affected by this vulnerability.

Rumor 3: OpenSSL released a patch for this vulnerability.

Rectification: The OpenSSL group has released a hold action that allows administrators to disable SSL restart conversations. For us, it is necessary to be aware that this measure is largely untested and its impact on users, applications, and other servers remains unknown. Anyone who is considering implementing this measure should perform a full test of it in a non-production system.

Rumor 4: hackers are actively exploiting this vulnerability.

Correction: so far, there is no evidence to prove this. Many suppliers and other groups of interest are seeking cooperation and actively monitor the use of this vulnerability. Note that the attack code has been published, so this rumor may become a fact.

Remark 5: This vulnerability only affects HTTP data.

Correct: it is not unique to HTTP, but a TLS vulnerability. Many protocols

TLS is deployed in various ways. Now, it is confirmed that there is a vulnerability in HTTP

However, the vulnerability investigation for other TLS protocols is still in progress. Therefore, we have reason to believe that this vulnerability may also occur in other protocols.

Although this is a very serious vulnerability, it is not as terrible as rumors. Nowadays, many vendors not only evaluate various attack methods, but also develop high-quality patches from regression testing and interoperability testing. This is not a simple process, because there are many types of TLS deployment, and thousands of products may use one or more of them. Note that this is a TLS vulnerability, not just HTTP. Other protocols may also be affected.

ICASI (Internet security improvement Industry Alliance) has always played the role of managers and coordinators in this incident. Many non-consortium suppliers are also involved, and ICASI welcomes all vendors and individuals with direct interests to join.

ICASI released a proposal in November 11, with the core of the proposal directing to suspension measures and detection accessories. In addition, we would like to recommend a tool developed by levisponsecurity that can run on any Windows system. This tool can detect, record, and prevent potential exploratory attacks. Juniper Networks can provide technical support for this tool.

Juniper customers who have purchased IDP and other devices also have detection accessories. Juniper customers have two available attack targets.

SSL: Key Renegotiation-used to detect Key conversations that may be exploratory attacks and restart them. Note: You must test your own environment before setting any interception rules for the policy.

HTTP: Request Injection-only the Juniper device that loads the private SSL key can be used to check SSL traffic. If your IDP version is later than 4.1, you can use it to identify and intercept attacks.