{"title":"针对SSL/TLS重协商漏洞的过渡对策与策略","authors":"Yuji Suga","doi":"10.1109/IMIS.2012.138","DOIUrl":null,"url":null,"abstract":"In November 2009, Marsh Ray, Steve Dispensa and Martin Rex released details of a vulnerability in the SSL and TLS protocols that could allow Man-in-the-Middle attacks to be carried out. SSL and TLS operate between the IP and application layers and ensure application data encryption and data integrity, authenticating the target of communications using X.509 public key certificates. As they are used together with application layer communication protocols such as HTTP, SMTP, and POP, this vulnerability affects a large number of applications and systems. This vulnerability can be attributed to a problem in the SSL and TLS protocol specifications themselves. Fixes have been released for Open SSL and Apache immediately, however most of these involve simply disabling the renegotiation feature that is causing the problem. More thorough measures would require an update to the current specifications and migration to implementations that follow the new specifications. IETF published countermeasures with unprecedented speed as RFC5746, however server-side implementations are not settled. In this paper, we discuss about problems of a transitioning to new specifications including the SSL/TLS renegotiation vulnerability.","PeriodicalId":290976,"journal":{"name":"2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing","volume":"37 9","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-07-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"Countermeasures and Tactics for Transitioning against the SSL/TLS Renegotiation Vulnerability\",\"authors\":\"Yuji Suga\",\"doi\":\"10.1109/IMIS.2012.138\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In November 2009, Marsh Ray, Steve Dispensa and Martin Rex released details of a vulnerability in the SSL and TLS protocols that could allow Man-in-the-Middle attacks to be carried out. SSL and TLS operate between the IP and application layers and ensure application data encryption and data integrity, authenticating the target of communications using X.509 public key certificates. As they are used together with application layer communication protocols such as HTTP, SMTP, and POP, this vulnerability affects a large number of applications and systems. This vulnerability can be attributed to a problem in the SSL and TLS protocol specifications themselves. Fixes have been released for Open SSL and Apache immediately, however most of these involve simply disabling the renegotiation feature that is causing the problem. More thorough measures would require an update to the current specifications and migration to implementations that follow the new specifications. IETF published countermeasures with unprecedented speed as RFC5746, however server-side implementations are not settled. In this paper, we discuss about problems of a transitioning to new specifications including the SSL/TLS renegotiation vulnerability.\",\"PeriodicalId\":290976,\"journal\":{\"name\":\"2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing\",\"volume\":\"37 9\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2012-07-04\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/IMIS.2012.138\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IMIS.2012.138","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Countermeasures and Tactics for Transitioning against the SSL/TLS Renegotiation Vulnerability
In November 2009, Marsh Ray, Steve Dispensa and Martin Rex released details of a vulnerability in the SSL and TLS protocols that could allow Man-in-the-Middle attacks to be carried out. SSL and TLS operate between the IP and application layers and ensure application data encryption and data integrity, authenticating the target of communications using X.509 public key certificates. As they are used together with application layer communication protocols such as HTTP, SMTP, and POP, this vulnerability affects a large number of applications and systems. This vulnerability can be attributed to a problem in the SSL and TLS protocol specifications themselves. Fixes have been released for Open SSL and Apache immediately, however most of these involve simply disabling the renegotiation feature that is causing the problem. More thorough measures would require an update to the current specifications and migration to implementations that follow the new specifications. IETF published countermeasures with unprecedented speed as RFC5746, however server-side implementations are not settled. In this paper, we discuss about problems of a transitioning to new specifications including the SSL/TLS renegotiation vulnerability.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
