A security flaw that has been identified in the Transport Layer Security (TLS) protocol could open the door for man-in-the-middle (MITM) attacks against HTTPS communication. All implementations are said to be vulnerable because the flaw is in the protocol itself. Security researchers are taking steps to resolve the problem.

The flaw was originally found in August by researchers Marsh Ray and Steve Dispensa from security company PhoneFactor. They chose not to widely publicize the issue and began working in secret with other security experts and industry leaders to develop solutions. The flaw became known to the public this week when Martin Rex of SAP discovered it independently and posted a disclosure to the mailing list of the Internet Engineering Task Force.

"After elaborating so much about the client cert authentication through renegotiation with Microsoft IIS, I'm beginning to believe that there is a potential security problem with that scheme, because it is susceptible to a MITM attack," he wrote.

Rex was unaware of the work being done in secret by Ray and Dispensa, and he also didn't fully recognize the scope of the vulnerability. In his message to the IETF list, Rex described a potential attack scenario against Microsoft's IIS Web server and suggested that the vulnerability might be exhibited by other implementations too. After word of the security flaw began to spread and the need for secrecy evaporated, Ray and Dispensa came forward, published some additional details, and provided insight into the steps that have been taken to ameliorate the protocol defect.

They published a concise paper that explains the relevant technical background and describes a practical attack that will work with both IIS and the open source Apache Web server. They have also published the draft of a new protocol extension that will block the MITM attacks by adding an extra layer of security to TLS renegotiations.

"Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities," they wrote in the report summary. "In particular, practical attacks against HTTPS client certificate authentication have been demonstrated against recent versions of both Microsoft IIS and Apache httpd on a variety of platforms and in conjunction with a variety of client applications. Cases not involving client certificates have been demonstrated as well."

OpenSSL contributor Ben Laurie was one of the experts who was involved in the secret effort to fix the vulnerability. When the issue was disclosed today, he published an OpenSSL patch that provides a temporary fix by completely disabling renegotiation.
