Bulletproof SSL and TLS March Update: Protocol Attacks

March 04, 2014

I've just released the March update of Bulletproof SSL and TLS. This batch is focused on protocol attacks. In about 50 pages, I cover the major problems discovered in recent years. In chronological order, they are:

  • Insecure renegotiation (2009)
  • BEAST (2011)
  • CRIME (2012)
  • Lucky 13 (2013)
  • RC4 Weaknesses (2013)
  • TIME (2013)
  • BREACH (2013)

This has been a fantastically interesting section to write because, as you're learning about the attacks, you are also learning about some finer details of the TLS protocol, and cryptographic engineering in general. To help with that, I included historical references to the relevant research papers, so you can track the problems from when they were first discovered.

At this point, the book is at about 250 pages. The next update will conclude the "problems" section, covering PKI attacks, implementation issues in libraries and operating systems, and HTTP and browser issues. In addition, now that the Java 8 final release candidate is available, I will go through the (existing) Java chapter to document the confirmed new TLS features.

If you already have access to the book, here's the direct link to access the new content:


If you don't have access yet, Bulletproof SSL and TLS is available now for early access and preorder, at a 25% discount:


Yesterday, as I was putting the finishing touches on today's release, a new TLS protocol attack was published:

Triple Handshakes Considered Harmful:
Breaking and Fixing Authentication over TLS


This is quite an interesting discovery if you care about secure protocol design, but it's unlikely that you would be affected by the flaw. It might be an issue if you're using client certificates and support renegotiation. I will provide more information in subsequent updates.

Today, GnuTLS is in the news because they announced a serious vulnerability in the certificate validation code (CVE-2014-0092):


An attacker could use this flaw to impersonate any web site in a man in the middle attack. Further details are available in this Hacker News thread:


Two weeks ago (on 21 February), we learned that Apple had fixed a serious TLS connection authentication issue in iOS 6.x and 7.x, but left OS X users vulnerable. After a lot of pressure from unhappy users, Apple released 10.9.2 to deal with the vulnerability.

If you are using any of the Apple operating systems, I advise that you upgrade as soon as possible. This problem is very easy to exploit and leaves no trace. I extended the SSL Labs Client Test to detect the vulnerability:


Interestingly, the same OS X security update enabled the BEAST attack counter-measures by default in Mountain Lion (OS X 10.8.5).