Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSL: enable client-side CBC 1/n-1 record splitting #48

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

SSL: enable client-side CBC 1/n-1 record splitting #48

wants to merge 1 commit into from

Conversation

mark-kubacki
Copy link
Contributor

To address the BEAST attack vector For ≤TLS 1.0 and CBC ciphers. Effective for s2s connections.

http://googleonlinesecurity.blogspot.de/2013/11/a-roster-of-tls-cipher-suites-weaknesses.html

Signed-off-by: W-Mark Kubacki [email protected]

@daurnimator
Copy link
Contributor

What does this do? Why isn't it a default?

A quick google suggests it only applies to "BoringSSL"..

@mark-kubacki
Copy link
Contributor Author

@daurnimator Erm, please excuse the briefness of the comment. I do assume that it's enough for maintainers of security-related projects to remember what this refers to. I didn't take third parties into account, sorry.

Some SSL implementations have this, and at least one patch has been filed for OpenSSL. Please remember that GNU/Linux distributions often ship with cherry-picked patches.

The reason you need something like that feature in an IV-less TLS variant is this (you get it by searching for »BEAST cbc«):
https://blog.torproject.org/blog/tor-and-beast-ssl-attack
… and then this could happen:
https://www.imperialviolet.org/2012/01/15/beastfollowup.html

It should be on by default, but isn't because it's, well, relatively (4yrs+) new. The client-side implementation has the upside that – if the server doesn't know that feature – worst case it doesn't break anything. Best case is – when the server knows that feature (BoringSSL does, as does Windows' SCHannel) – you close another attack vector.

You cannot neglect that feature because TLSv1.0 is still very common and CBC negotiated quite often. I don't have any numbers at hand (I know Mozilla's telemetry has them for the public), but here's some from 2013:
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
(You will need to know which cipher suites are TLSv1.2-only to read this, and assume that the same distribution of SSL implementations applies to XMPP servers.)

It's time that XMPP servers catch up and optionally exceed the bar browsers set for TL security.

@daurnimator
Copy link
Contributor

FWIW, I found this comment which where the idea is invented + discussed: https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c59

@neheb
Copy link
Contributor

neheb commented Jan 1, 2020

This should probably be merged.

@Neustradamus
Copy link

@brunoos: Can you look here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

4 participants