Ivan Ristić

Adrian Dimcev made an important discovery the other day: the Firefox installation process is vulnerable to MITM attack. If a man in the middle is able to intercept the traffic of someone installing an extension, he will be able to get the user to install something else. Firefox is supposed to check the integrity of the extensions before it installs them, but it seems something somewhere broke, and the check is no longer in place.

This problem will be fixed in the next release (it has been fixed in the repository, it seems), but the fact remains that the installation process is seriously misleading. Looking at the user interface alone, the impression is that the entire installation process is carried out ever SSL. Even worse, the main domain name where the extensions are "stored" uses an EV certificate, so you are made to feel super-safe. In truth, the extensions are downloaded over HTTP from who-knows-where.

With Firefox 3.6 out, I took the opportunity to upgrade the CA root database. Up until earlier today SSL Labs used the Firefox 3.5.1 list, which has 142 certificate authorities on it. The new version of Firefox supports 155 certificate authorities and, now, SSL Labs does too.

After being prompted by Adrian Dimcev, I also added the support for a couple of obscure EXPORT 1024 cipher suites. Thanks Adrian!

The Feisty Duck book store yesterday increased the number of titles on offer by 100%, adding the digital version of Programming in Lua 2ed, written by Roberto Ierusalimschy.

If you don't know about Lua, it's a very nice embeddable scripting language, with low memory consumption, very fast interpreter, and even faster just-in-time compiler. I loved it so much I added it to ModSecurity, and it is now possible to write rules in a proper programming language. It's great for those times when you have complex requirements. I am seeing Lua slowly but surely taking over the open source world (when embedding and fast and reliable operation is required). It's already in ModSecurity, Snort 3.x is using it, and in the future it will be part of Apache too.

The book itself is very good too, with a 5-star score in Amazon.com reviews.

Later today I will be presenting at the OWASP London meeting. The title of my presentation is How to Render SSL Useless, and I will be talking about the recent issues with SSL/TLS, my work at SSL Labs, as well as listing Top 11 SSL deployment mistakes that render SSL useless.

Here's the presentation:

• Download Ivan_Ristic-How_to_Render_SSL_Useless

Someone asked me how to test for SSL connection renegotiation, so I thought I would also write here for the benefit of everyone. Testing is easy provided you have access to an un-patched version of OpenSSL. To test, you will use the s_client tool (you'll type the bits in blue):

$ openssl s_client -connect www.ssllabs.com:443
[snip... a lot of openssl output]
---
HEAD / HTTP/1.0
R
RENEGOTIATING
28874:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

The idea is that you connect to an SSL server and start by typing the first line of a request. You then type a single uppercase letter R on a single line, which tells OpenSSL to ask for renegotiation. I am aware of the following outcomes:

• Your HTTP request completes, which means that renegotiation is enabled
• You get an error (one such possible error is shown in the example above), which means that renegotiation did not work
• The connection blocks and timeouts after a while, which is how OpenSSL 0.9.8l deals with renegotiation.

Dan Goodin, of The Register, pointed me to a very interesting advisory issued today that again confirms that convenience trumps security, every single time. This particular problem concerns the so-called clientless SSL VPN products, which basically work like a reverse proxies on steroids. When you're on the road, you log into one of these devices and they provide you with a "window" through which you can access the sites you'd normally only see on your own network. Now, I've known about these products for a long time but, never having actually used one, I didn't think much about how they work. Now that I know, I am terrified. They basically map all the sites you're accessing into a single super-site, rewriting everything behind the scenes to maintain the illusion of a browser within a browser.

For example, if your internal's site address is internal.example.com and your clientless SSL VPN's address is vpn.example.com, while you're on the road you access your internal site through https://vpn.example.com/internal.example.com/.

It's pretty slick in how it's very convenient and works with any browser, but it kills the same-origin policy. A single rogue web site that you access through this VPN window is able to take over all your sessions, interact with all your sites and monitor whatever is that you're doing.

And the best part? The problem has been known since at least 2006. You can get more information from Dan's article or from the advisory.

Shameless self-promotion: ModSecurity Handbook, the guide to the world's most popular web application firewall, is now available for instant download.

For a couple of months now I've been working on a new HTTP parser (library), which I am designing for use in intrusion detection systems and web application firewalls. I suppose that HTTP parser is not really an adequate name for this library, because it sounds narrow in scope. In truth, the library will cover all the protocols and encodings used in web applications.

The first user of the parser will be the Open Information Security Foundation (OISF), which is currently building a new IDS from scratch (first release expected on December 31st). The parser itself is going to be released under an open source licence and supported long term.

The biggest challenge with a parser like that is the desire to support an entirely passive mode. Whereas normal parsers are free to interpret the input stream in any way they're pleased for as long they appear to get the job done, a passive parser must be able to decipher traffic intended for multiple web servers, and thus also needs to be aware of the quirks in their processing. Also, without the ability to terminate traffic, opportunities for evasion are rife. The really interesting part of this project is figuring out all the possible ways to evade the parser. I think this is the first time that I will have the time to think like an attacker for as long as I need to do the job properly. I am currently experimenting with the idea of parser personalities, whereas the user is allow to tweak exactly how the parser behaves on per-connection basis. This approach makes it possible to use one set of rules for an Apache web server, and another for an IIS web server.

For the first release of the parser to goal is to be able to parse HTTP streams reliably. In the subsequent versions I will work in the parser's security properties (such as the ability to see through evasion attacks).

A couple of weeks ago, at DeepSec in Vienna, I gave a lightning talk about my work. Matt Jonkman kindly allowed me to use some of the time of his own talk. I am attaching the slides here:

• Download Ivan Ristic - The Challenges of HTTP Intrusion Detection (PDF)

ModSecurity Handbook, which I announced a couple of days ago, is now available for pre-order and early digital access. We managed to meet our self-imposed deadline and have everything ready for November 24th, actually.

This book is a big deal, in more ways than one:

1. It took me more than 5 years to gather courage to start writing another book (after Apache Security, which I started writing in 2004).
2. This book is about ModSecurity, a project that is very dear to my heart. It makes me very happy that I will document everything I know about it.
3. I am releasing the book early because I want to interact with the readers while the content is still not finalised. With Apache Security I ended up being terribly unhappy because I was writing in isolation and because I couldn't seek feedback from the readers prior to publication.
4. To publish this book (and all my subsequent books), my wife and I started a publishing company and dealt with all the stuff that publishers have to deal with. The learning curve wasn't very difficult because of my previous experience in publishing, but there was a lot of things to do.
5. This book will be a living book. I intend to keep it up to date at all times, keeping up with the changes in ModSecurity. We've invested a significant amount of time into polishing a single-source publishing system, where the manuscript is kept as XML (DocBook, stored in a Subversion repository) and automatically converted to any of the supported formats (only PDF at the moment, but several forms of PDF, HTML and ePub in the near future). The system allows me to make changes and push updates instantly to all the readers!

The work is far from done, of course. First, I need to finish the book, first of all. Second, we'll have to figure out how to promote it effectively, and I somehow suspect that will be the hardest part. Perhaps, when it's all done, I'll write a blog post called "Adventures in Computer Book Publishing".

Update: The official Reference Manual and Data Formats Guide guide have been added to the book. There's about 230 pages of material right now, with the final count expected to be close to or over 300.

I've added an initial implementation of the test that determines if an SSL server is vulnerable to the Authentication Gap MITM attack. At this point the assumption is that no server supports the safe renegotiation TLS extension, which means that a warning is displayed if renegotiation is found to be supported.

In the following days, as the implementations of the safe renegotiation TLS extension start to arrive, I will improve the test to take that into account.

It is a pleasure to announce my next book, ModSecurity Handbook, which features an in-depth coverage of ModSecurity, an open source web application firewall. I am very happy because, finally, ModSecurity will have the documentation it deserves.

The main highlights are the following:

• Step-by-step instructions for those just starting out
• Detailed explanations of the internals, and advanced techniques for seasoned users
• Includes the official ModSecurity Reference Manual and Data Formats Guide
• Available in digital format (PDF, HTML and ePub, although not all straight away) and as paperback (once the first edition is complete)
• Continually updated as ModSecurity evolves (with the updates included with purchase)
• Readers can talk to me to shape the book to work better for them

I estimate that the book is about 75% complete. In a week's time (on November 24th) it will be available for early access and pre-order. The idea with the early access is to avoid the problem I experienced with Apache Security -- writing in isolation. This time, I want to engage with my readers before my book is published.

Also, it is pretty important that this book is (and will be) continually updated. I have the entire publishing workflow automated so whenever I make a change to the book, the update is automatically made available to the readers. With this feature, again, I want to avoid the painful experience that I had with Apache Security, where for years I wanted to provide updates but I couldn't. (Apache Security readers, fear not, the second edition is being worked on.) In the future, I hope to evolve the publishing toolchain to enable readers to make comments straight to the HTML version of the book that is kept online.