RSS Feed
这个消息可能会令网站主们非常不安,据说所有SSL服务器中有一半以上运行较旧的不安全版本的SSL,黑帽大会上详细分析了针对HTTPS浏览器会话的攻击。
关于SSL网站的好消息就是:大多数SSL网站都运行着强大的加密技术。坏消息就是:超过60%的网站配置不当。
Qualys公司的工程、网络应用程序防火墙和SSL主管和兼究人员 Ivan Ristic 公布了他对1.2亿注册域名的研究结果。Ristic发现其中2000万注册域名支持SSL,而只有72万可能包含有效SSL证书,“据我们所知,这是非常小的比例,但是这并不真正意味着只有一小部分网站在使用SSL。”
更能说明问题的是,在所有SSL网站中,一半以上在使用SSLv2,这是较旧版本的SSL,并且不安全。只有38%的SSL网站配置良好,而 32%在协议中包含之前曝光的重新谈判漏洞。
与此同时,研究人员 Robert Hansen 和 Josh Sokol 详细说明了针对浏览器的HTTPS/SSL的24种利用技术,利用的是中间人攻击。其中包括:cookie中毒和注入恶意内容到浏览器标签。研究人员警告说,HTTPS并不能保证浏览器的保密性和完整性。
“天并没有塌下来,但是目前来说,SSL是相当脆弱的,”Hansen在黑帽大会中表示,“需要有适当的标签隔离、cookie沙盒等。”他推荐使用单独的浏览器来访问包含敏感信息的网站。
同时,Ristic表示,虽然SSL网站的状态在安全方面来说很“一般”,不过现在SSL还很少被攻击者攻击。“我认为,SSL并不是现在常见的攻击向量,因为还有更多更容易攻击的对象,现在我们应该开始修复SSL的问题,这是可以修复的问题。”
三分之二的SSL网站使用的是默认设置,这使它们很容易受到攻击,“为了解决这个问题,你应该提高警惕,与最终用户或者供应商交谈,看看是否能实现更好的配置,这可能也是更可行的解决方案,”Ristic表示。例如,对SSL服务器中不安全协议的默认支持就是一个常见错误问题。
“要配置好SSL服务器只需要花15分钟,为证书选择密钥尺寸,禁用不安全协议,并禁用不安全密码。”
而不安全的SSLv2很容易受到中间人攻击,虽然该版本SSL在大多数主流浏览器中已经禁用,但仍然运行很多SSL网站,“最可悲的就是,超过一半SSL网站支持SSL2,几年来,我们一直知道这是不安全的。”
他发现,而在SSL网站,反而很少或者不支持较安全的TLS1.1和1.2协议。
但调查发现,大多数SSL网站都使用了强大的加密技术,128位甚至更高。整体而言,Ristic表示,只有38.4%的SSL网站在安全和配置方面能够得到A,而只有61.46%可以得到B或者更低分。Ristic计划公布此次调查的所有数据,并且计划每年进行一次调查。
Black Hat 2010: Even with SSL/TLS, browsers still are susceptible to attack
Two researchers at the Black Hat conference in Las Vegas on Thursday exposed 24 ways hackers can hijack seemingly secure browser sessions.
Robert Hansen and Josh Sokol demonstrated methods attackers can use to take over users’ accounts or assume control of a website without the need for any exploits, due to the way browsers implement “HTTPS.” HTTPS, a combination of the Hypertext Transfer Protocol with the SSL/TLS Protocol, allows a website owner to encrypt a session using a digital certificate.
For any of the two dozen attacks to work, however, a criminal would have to have assumed control of a user’s computer via a man-in-the-middle (MITM) exploit, by which an attacker intercepts communications between two systems.
But the researchers wanted to show that HTTPS protection alone won’t stop bad things from happening.
For example, the pair detailed an attack known as “session fixation” that takes advantage of the fact that banks using HTTPS don’t change a user’s cookie after they login — they simply mark it as valid. As a result, an attacker with MITM control could visit the bank site ahead of the user and set the cookie, essentially logging in the crook as the legitimate user.
Another scenario, known as “delayed pop-up,” involves a user who visits a website, such as a bank, and clicks on a link to go the SSL-protected version of the site. This opens a second tab, but if the attacker has control of the first tab, he is able to change the other HTTPS tab to redirect users to malicious executables or authentication forms.
Still, the reliance on MITM makes the scenarios Hansen and Sokol demonstrated unlikely to happen on a widespread scale, they said.
“You’d have to be a very determined attacker,” Hansen said. “And determined attackers have a lot of other avenues for attack.”
He did say that while “the world is not crashing,” website owners and users should take the threats seriously as they have the potential to threaten secure electronic commerce. Potential mitigations include the browser makers offering tab, port and cookie sandboxing controls.
Hansen added that there are likely “hundreds” of other similar vulnerabilities.
Posted in 
Tags: 
