Enabling Secure Business Operations

New SSL Vulnerabilities – how they work and what they mean

November 24th, 2009

You may have heard about the latest SSL vulnerabilities over the last month, but how do they work and what does it mean to you (or your users)?

When I earlier described how SSL works, I glossed over two SSL functions: session resumption and re-negotiation. These two functions allow a client or server to renegotiate an SSL connection if they decide they want to use new keys. Session resumption allows the client to use a previous session ID, and have this happen faster – without renegotiating new keying material.

These optional protocols allow a man-in-the-middle (MITM) attack. The MITM gets authentication information from the client headers (through sniffing, DNS spoofing, etc.) and replays those to the server – asking for renegotiation. The server complies, and now the attacker is the “client” of the server, and the “server” to the client – using the previous client’s authentication information. All implementations have this particular problem.

There is also another attack that depends on the configuration of the server, but is part of the protocol as well. When the server allows different authentication for different paths and one path requires client authentication, a MITM can take advantage of this. The client makes a request, but since the server doesn’t know yet whether client authentication is required, it has to negotiate the connection without client authentication. Once the server determines that the request is for a path requiring client authentication, the server renegotiates the connection – and it uses the client’s original request (GET/POST/etc.) – meaning it can be replayed.
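The path-based client-authentication case described above, as a simplified Python model added here (not code from the original post, and not a TLS implementation). `PROTECTED_PREFIX`, `Connection`, `serve` and the `carry_over` switch are hypothetical names, and the sample request and certificate name are constructed.

```python
from dataclasses import dataclass
from typing import Optional

PROTECTED_PREFIX = "/secure/"  # hypothetical path that requires a client certificate


@dataclass
class Connection:
    peer_identity: Optional[str] = None  # set once a client certificate is verified
    epoch: int = 0                       # incremented by every handshake

    def handshake(self, client_cert: Optional[str]) -> None:
        """Initial handshake or renegotiation; may authenticate the peer."""
        self.epoch += 1
        self.peer_identity = client_cert


def serve(conn: Connection, path: str, reneg_cert: Optional[str], carry_over: bool) -> str:
    """Handle one request that arrived in the connection's current epoch.

    reneg_cert: certificate presented if the server has to renegotiate.
    carry_over=True models the behaviour in the text: the request buffered
    before renegotiation is executed with the identity established after it.
    carry_over=False only honours requests received in the authenticated epoch.
    """
    received_epoch = conn.epoch
    if not path.startswith(PROTECTED_PREFIX):
        return f"200 {path} as anonymous"
    if conn.peer_identity is None:
        conn.handshake(reneg_cert)  # server-initiated renegotiation
    if conn.peer_identity is None:
        return "403 client certificate required"
    if not carry_over and received_epoch != conn.epoch:
        # The bytes of this request were never covered by the authentication.
        return "403 request predates authentication"
    return f"200 {path} as {conn.peer_identity}"


def demo() -> dict:
    """Run the same constructed request against both server behaviours."""
    results = {}
    for carry_over in (True, False):
        conn = Connection()
        conn.handshake(None)  # first handshake: no client certificate yet
        results[carry_over] = serve(conn, "/secure/transfer", "CN=alice", carry_over)
    return results
```

With `carry_over=True` the request is attributed to an identity that was only established after the request was received, which is the gap the paragraph describes.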

These attacks can allow someone to insert themselves between you and an SSL protected site – like your online bank – without either the client or server knowing. And that little lock on your web browser that says you’re connected to the correct site? Meaningless. This is bad. The good thing about these particular attacks is that the attacker has to have compromised your network (or the server’s) in order to get in the middle, but with recent DNS attacks, that’s no longer impossible.

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!

Netwox – The Network Toolbox

November 19th, 2009

I don’t think it’s possible to have too many network security toolkits. Netwox is probably not as common as some of the other toolsets included in some security-oriented live CD distros. However, it can certainly hold its own when it comes to capability and flexibility.

Netwox stands for the Network Toolbox and the software includes over 222 different tools/functions that it can perform to help you do whatever it is you want to do on a network. This includes everything from spoofing arp packets, to becoming a telnet server, to running port scans and sniffing traffic.

Even though some of the “tools” aren’t done with efficiency in mind, they get the job done just fine. And with so many features to play with, it can be fun just to try out all the switches.

Netwox can be downloaded here.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

Whose hands are your mobile apps in?

November 13th, 2009

Another iPhone killer is here. DROID. Whether you’re a fan of either product, or you’re still thumbing away on your Blackberry or WinMo device, there’s one thing to be said. There are plenty of apps now. A couple years ago it was a pretty daunting task to get any sort of application on your device that wasn’t already on your carrier’s supported list. WinMo users have been the only real open crowd here as every version of Windows Mobile has supported most of the older apps since the Windows CE days. But with the rise of more and more applications comes the rise of the risks associated with these applications.
