Date: Fri, 1 May 2015 19:15:22 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Subject: On sanctioned MITMs

In recent times, we've seen the growing popularity of CDNs such as
Akamai Prolexic, CloudFlare, and Incapsula that, among other services,
provide upstream DDoS mitigation to vulnerable servers.

In the context of SSL/TLS, the interposition between client and server
can take many forms. For example, CloudFlare offers products such as
"Flexible SSL", "Full SSL", and "Full SSL (strict)" [1]. In addition,
they've recently rolled out a new product they call "Keyless SSL".

Hushmail is an email provider that prominently advertises security and
built-in encryption [2]. In the past day or two, Hushmail webmail access
began getting handled by CloudFlare [3] & [4]. CloudFlare's server, in
effect a sanctioned man-in-the-middle, serves its own X.509 certificate
issued by "GlobalSign Organization Validation CA - G2" (attached). The
certificate has a *.hushmail.com DNS name in its SAN extension so
browsers with the GlobalSign certificate in their root store proceed
without incident when connecting to https://www.hushmail.com.

Though Hushmail email credentials, for example, can't be sniffed in the
segment connecting the client to CloudFlare, they are available to
CloudFlare's infrastructure. Moreover, there is no way for the client to
verify that the segment connecting CloudFlare to the destination server
is similarly encrypted (i.e. it might be in the clear as would be the
case when using CloudFlare's "Flexible SSL" product).  

Hushmail's CloudFlare usage serves as an example that brings me to my
general point.

How should the security community view this growing use of sanctioned
MITM in light of the ever-increasing amount of sensitive content sent
over SSL/TLS encrypted channels (e.g. email, electronic banking, medical
records, etc.)?

--mancha

=====

[1] https://www.cloudflare.com/images/ssl/ssl.png

[2] https://www.hushmail.com

[3] dig www.hushmail.com

id 20483
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
www.hushmail.com. IN A
;ANSWER
www.hushmail.com. 299 IN A 104.16.15.172
www.hushmail.com. 299 IN A 104.16.19.172
www.hushmail.com. 299 IN A 104.16.17.172
www.hushmail.com. 299 IN A 104.16.18.172
www.hushmail.com. 299 IN A 104.16.16.172
;AUTHORITY
;ADDITIONAL

[4] whois 104.16.15.172

NetRange:       104.16.0.0 - 104.31.255.255
CIDR:           104.16.0.0/12
NetName:        CLOUDFLARENET
NetHandle:      NET-104-16-0-0-1
Parent:         NET104 (NET-104-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS13335
Organization:   CloudFlare, Inc. (CLOUD14)
RegDate:        2014-03-28
Updated:        2014-03-28
Comment:        https://www.cloudflare.com
Ref:            http://whois.arin.net/rest/net/NET-104-16-0-0-1

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
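
A client-side check for the situation the message describes, as an added example that is not part of the original post: it parses the `dig` answer from [3], tests each address against the netblock from [4], and applies one-label wildcard matching to the `*.hushmail.com` SAN entry. The function names are hypothetical, and the sample input is copied from the footnotes.

```python
import ipaddress

# Sample input copied from the post: ANSWER section of footnote [3].
DIG_ANSWER = """\
www.hushmail.com. 299 IN A 104.16.15.172
www.hushmail.com. 299 IN A 104.16.19.172
www.hushmail.com. 299 IN A 104.16.17.172
www.hushmail.com. 299 IN A 104.16.18.172
www.hushmail.com. 299 IN A 104.16.16.172
"""
CDN_NETBLOCK = "104.16.0.0/12"   # CIDR from the whois output in footnote [4]
CERT_SANS = ["*.hushmail.com"]   # SAN entry named in the post

def parse_a_records(answer_text):
    """Map each owner name to its IPv4 addresses from 'name ttl IN A addr' lines."""
    records = {}
    for line in answer_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2:4] == ["IN", "A"]:
            name = fields[0].rstrip(".").lower()
            records.setdefault(name, []).append(ipaddress.ip_address(fields[4]))
    return records

def san_matches(hostname, san):
    """Wildcard is honoured only as the whole left-most label, for exactly one label."""
    host = hostname.rstrip(".").lower().split(".")
    pattern = san.rstrip(".").lower().split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern

def check_termination(hostname, answer_text, netblock, sans):
    """Report whether the host resolves into the netblock and the cert still matches."""
    net = ipaddress.ip_network(netblock)
    addrs = parse_a_records(answer_text).get(hostname.rstrip(".").lower(), [])
    inside = [str(a) for a in addrs if a in net]
    cert_ok = any(san_matches(hostname, s) for s in sans)
    return {
        "inside_netblock": inside,
        "all_inside": bool(addrs) and len(inside) == len(addrs),
        # Both true: a third party ends the TLS session and the browser accepts it.
        "cert_matches_host": cert_ok,
        "third_party_terminates_tls": bool(inside) and cert_ok,
    }

if __name__ == "__main__":
    print(check_termination("www.hushmail.com", DIG_ANSWER, CDN_NETBLOCK, CERT_SANS))
```

The result says nothing about the hop from the CDN to the origin server, which the client cannot observe.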
