For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.
But wait, there’s more...
To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.
Ben has a patch against the current development head of OpenSSL to ban renegotiation, but for most people it’ll need backporting to their current OpenSSL versions.
I would guess that you’re going to see IDS / IPS and firewalls pick up the ability to block SSL renegotiation, as well as patches for major SSL-related applications in the coming months. I’m posting a series of observations on the SSL renegotiation attack at my blog.
Alun [not that one]
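One practical defender's check that follows from this post, as an added example that is not part of the original message, of Ben's OpenSSL patch, or of any project's code: the eventual standards fix for this bug (RFC 5746, published after this post was written) makes a patched server advertise a `renegotiation_info` extension in its ServerHello, so a ServerHello that lacks it is a server still running the prefix-injectable renegotiation. The script below parses a TLS ServerHello record and reports whether that extension is present. The ServerHello bytes are constructed inline for the demonstration, not captured from any real host; the record/handshake layout and the extension type number are as defined in the TLS and RFC 5746 specifications.

```python
"""Added example: inspect a TLS ServerHello for the renegotiation_info
extension (RFC 5746, the later standards fix for this bug). A server that
omits it is still relying on the unpatched, prefix-injectable renegotiation.
The sample ServerHello bytes are constructed here, not captured traffic."""
import struct

HANDSHAKE = 22                # TLS record content type for handshake messages
SERVER_HELLO = 2              # handshake message type
RENEGOTIATION_INFO = 0xFF01   # extension type registered by RFC 5746


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; return version, cipher, extensions."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated handshake message")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")

    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # server random
    sid_len = hello[pos]; pos += 1 + sid_len    # session id
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 1                                    # compression method

    extensions = {}
    if pos < hs_len:                            # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        if end > hs_len:
            raise ValueError("extensions overrun ServerHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns block")
            extensions[etype] = hello[pos:pos + elen]; pos += elen
    return {"version": version, "cipher": cipher, "extensions": extensions}


def supports_secure_renegotiation(record: bytes) -> bool:
    """True iff the ServerHello carries renegotiation_info (RFC 5746)."""
    return RENEGOTIATION_INFO in parse_server_hello(record)["extensions"]


def build_server_hello(with_reneg_info: bool) -> bytes:
    """Constructed TLS 1.0 ServerHello for the demonstration; not real traffic."""
    hello = struct.pack("!H", 0x0301)           # TLS 1.0
    hello += b"\x11" * 32                       # fixed 'random' (test data)
    hello += b"\x00"                            # empty session id
    hello += struct.pack("!H", 0x002F)          # TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x00"                            # null compression
    if with_reneg_info:
        # renegotiation_info on an initial handshake: a single zero-length byte
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        hello += struct.pack("!H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    for flag in (False, True):
        print("secure renegotiation advertised:",
              supports_secure_renegotiation(build_server_hello(flag)))
```

To use it against a live server, feed `parse_server_hello` the first handshake record returned after sending a ClientHello that includes the RFC 5746 signalling; the parser deliberately bounds every length field against its enclosing structure so a malformed or truncated hello raises rather than being misread. One caveat: a server patched the way Ben describes (renegotiation refused outright, before the extension existed) will also not advertise the extension, so absence of `renegotiation_info` means "not using the secure-renegotiation fix", not necessarily "exploitable".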