ncircle on detecting tls legacy renegotiation

Wanted to point quickly over to an article at nCircle by Chris Pawlukowsky talking about Detecting TLS Legacy Session Renegotiation. I think Chris does a good job describing the issue in text form. Check the bottom of the article for even more technical details.

I expect this to come up a bit more. “Easy” findings like this make auditors squeal in delight to put something on their external non-web-app-pentest scan report. Kinda like the entries that force us to drop SSLv2 and weaker ciphers because they’re, well, weak. Even though the attack itself is exotic and the probability is pretty damn low I’ll ever see this in action in my lifetime.

The TLS renegotiation thing is a bit more interesting, but you gotta admit it is still a bit exotic and still does require weakness in the app itself (unless the attacker can drop down to a weaker cipher or non-encrypted channels). Sounds like something that should be added to The Middler (if it doesn’t do it already). Real attacks would likey need to be tailored to each web app, but I bet there is a universal request that can be made that will throw back an error or something to prove the existence. Should *I* worry about this? No. Should someone working at a place with far higher security interests? Yes. Especially when it can be fixed easily.

One thought on “ncircle on detecting tls legacy renegotiation

  1. “`Easy’ findings like this make auditors squeal in delight to put something on their external non-web-app-pentest scan report”
    It’s already happened.
    https://www.ssllabs.com is now Qualys SSL Labs. I’ve been including these in my reports, but watch it get rolled up into QG and QG PCI.

Comments are closed.