ARP attack and TLS/SSL bug. The end of a truly secure SSL. Long live TLS and its extension!

Until a few months ago, you could go to an internet café and browse freely. You just needed to avoid doing anything too interesting for your potential WiFi neighbors. If you really needed to log in to your bank to make some transactions, no problem: you just established an SSL connection and voilà, every curious person around was out of the game!

Now things have changed a lot! A very serious problem has been discovered in SSL V.1.2 and, until it is patched (probably in version 1.3), an ARP attack can happen. Proofs of concept are available in the wild, so be very careful and try to avoid performing transactions in places that are too crowded!

Here is the problem: there is a “little” bug in the session re-handshaking of the current SSL/TLS protocol that allows the https header to be kept “open”, so that a Man-In-The-Middle attack can be carried out successfully. This lets the attacker learn the session cookies and so allows the MITM to really impersonate the user. The MITM can then do whatever he wants, acting as the actual client and letting it receive, or not receive, whatever he decides!

The “cure” will be a specific “TLS extension” that will de facto leave the SSL protocol obsolete and insecure, as SSL doesn’t allow any extensions. This TLS extension won’t allow a renegotiation without the security context already established; on such an attempt the connection is dropped and has to be “rebuilt” from scratch.
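A simplified model of the check described above, added here as an illustration and not taken from the original post or from any TLS library: the server remembers a value from the handshake that established the current security context and drops any new ClientHello that does not carry it. The class and function names, the strict refusal of peers that send no extension, and the random stand-in for the Finished verify_data are assumptions of this example.

```python
import hmac
import os


class HandshakeAbort(Exception):
    """The server drops the connection; the peer must reconnect from scratch."""


class ServerConnection:
    """Simplified server-side state for one connection (constructed model)."""

    def __init__(self):
        # Empty until a handshake has completed on this connection.
        self.client_verify_data = b""

    def handle_client_hello(self, renegotiation_info):
        """Accept or refuse a ClientHello based on its binding value.

        renegotiation_info: None if the extension is absent, b"" for a
        first handshake, otherwise the client's Finished verify_data from
        the handshake that set up the current security context.
        """
        if renegotiation_info is None:
            # Strict policy assumed here: unpatched peers are refused.
            raise HandshakeAbort("extension missing")
        if not hmac.compare_digest(renegotiation_info, self.client_verify_data):
            raise HandshakeAbort("hello not bound to established context")
        # Stand-in for the 12-byte Finished verify_data of the new handshake.
        self.client_verify_data = os.urandom(12)
        return self.client_verify_data


def attempt(conn, renegotiation_info):
    """Return 'accepted' or the abort reason, for easy comparison."""
    try:
        conn.handle_client_hello(renegotiation_info)
        return "accepted"
    except HandshakeAbort as exc:
        return str(exc)


def run_scenarios():
    conn = ServerConnection()
    results = {"initial": attempt(conn, b"")}
    binding = conn.client_verify_data  # known to both real endpoints
    results["bound_renegotiation"] = attempt(conn, binding)
    # A hello claiming to be a first handshake on a live context is refused.
    results["unbound_renegotiation"] = attempt(conn, b"")
    results["stale_binding"] = attempt(conn, binding)
    results["no_extension"] = attempt(conn, None)
    return results
```

Only the first handshake and the renegotiation carrying the current binding are accepted; the other three hellos abort the connection.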

So this is a very serious issue, and we hope the fix will soon be brought into software and hardware products so that we can keep our TLS conversations secure!

At the time of writing (18-Dec-2009) there is no software patch available… we hope there will be one soon, and then we’ll have to upgrade all our sensitive software: Firefox/IE (if ever!!) first of all!

L.R.