
More on the SSL renegotiation attack

By Tim Callan
Created: 17 Nov 2009 • Updated: 18 Dec 2012 • 2 comments

A researcher has published an exploit that uses the SSL renegotiation attack to compromise Twitter logins. That appears to run counter to earlier assessments that this exploit wasn't aimed at the accounts of individuals accessing sites. So what's going on here, you ask?

This attack does follow the parameters of the attack as previously described: it attaches exploit code to the encrypted stream and still cannot decrypt the data going to and from the site. What the inserted exploit code does is take advantage of a vulnerability in Twitter's API that lets it command Twitter to publish the credentials of the currently active account. And the currently active account is, by definition, the one belonging to the site visitor who owns this session.

It's a subtlety, but it matters to how we resolve the problem. This attack combined two vulnerabilities: the recently discovered renegotiation flaw and this hole in the Twitter API. While the same vulnerability doesn't necessarily exist in the APIs of other popular sites with some sort of publishing capability, it certainly could exist in some or many such sites.

This new attack hasn't changed the industry's best response in a meaningful way. The software vendors need to develop and push patches. Site operators need to deploy them. What's new here is that, while they're waiting for their software providers, site developers can look at their own APIs and safeguard against attacks of this nature. And depending on the application, there are other potential defenses as well. For instance, in this case Twitter could offer a two-factor authentication solution to defend users against account takeover. In that scenario, even if a malicious party were to steal the login information, it would be worthless without the offline credential or other factor.
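Site operators can verify that the vendor fix has actually reached a server. The patched TLS stacks advertise the RFC 5746 renegotiation_info extension, and `openssl s_client` reports this in its handshake summary. The following shell check is an added example, not code from the original post; the host and port are placeholders you supply, and the sample transcripts in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): classify an
# `openssl s_client` transcript by whether the server advertises
# secure renegotiation (RFC 5746), the fix for the renegotiation flaw.

# Read a captured s_client transcript from stdin.
# Exit status: 0 = secure renegotiation advertised,
#              1 = server explicitly does NOT advertise it (unpatched),
#              2 = no verdict in the transcript (handshake failed, etc.).
classify_reneg() {
  transcript=$(cat)
  case "$transcript" in
    *'Secure Renegotiation IS NOT supported'*) return 1 ;;
    *'Secure Renegotiation IS supported'*)     return 0 ;;
  esac
  return 2
}

# Probe a live server and print a verdict. $1 = hostname (placeholder),
# $2 = port (defaults to 443). Sending "Q" on stdin tells s_client to
# close the connection once the handshake summary has been printed.
check_host() {
  host=$1
  port=${2:-443}
  rc=0
  printf 'Q\n' \
    | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | classify_reneg || rc=$?
  case $rc in
    0) echo "$host:$port secure renegotiation advertised (RFC 5746)" ;;
    1) echo "$host:$port INSECURE: RFC 5746 not advertised; deploy the vendor patch" ;;
    *) echo "$host:$port no verdict (handshake failed or unexpected output)" ;;
  esac
  return $rc
}

# Usage (placeholder host): check_host example.com 443
```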

Comments (2)

affordable website design

The exploit is significant because it successfully targeted the so-called renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website.
