SSL - Secure Socket Layer
Researching for my cryptography-seminar I stumbled accross various interesting bits about SSL. All of this is in or before 2000 so any more recent attacks aren't covered here.
My seminar-paper can be downloaded: Das SSL-Protokoll [PS] (written in German!).
Goldberg, Ian; Wagner, David; Netscape SSL implementati on cracked! Posting on the Cypherpunks-Mailinglist 17. Sep. 1995
[http://www.geocrawler.com/archives/3/91/1995/9/0/183973/]
Basically these guys cracked the random-number generator of Netscape
Navigator < 2.0. In SSL the client determines the session-keys and so
there were able to determine session keys with very little effort.
Kolsek, Mitja; Bypassing Warnings for invalid SSL Certificates in Netscape Navigator, Bugtraq-Posting 10. Mai 2000
[http://www.cert.org/advisories/CA-2000-05.html]
[http://lists.insecure.org/win2ksecadvice/2000/May/0024.html]
A bug in Netscape < 4.73 allowing the attacker to bypass warnings
regarding invalid SSL certificates. Bad thing...
Schneier, Bruce; Wagner, David; Analysis of the SSL 3.0 protocol Publikation von Counterpane Inc.
[http://www.counterpane.com/ssl.html]
How to succesfully attack the SSL protocol with an active attack.
I think, this flaw was fixed in TLS 1.0, but I'm not sure about that.
C. Mitchell, V. Shmatikov, and U. Stern. Finite-State Analysis of SSL 3.0 7th USENIX Security Symposium, pages 201-15, 1998
[http://sprout.stanford.edu/uli/secur/ssl.ps.Z]
These guys proved with a finite state analysis that SSL 3.0 is secure. I'm
wondering if they have read Schneiers paper ;-) Or maybe they refered to
the fixed protocol...
RSAREF2 Buffer-overflow
[http://www.cert.org/advisories/CA-1999-15.html]
Due to patent issues (RSA!), every implementation using RSA was required by RSA
Inc. to use the RSAREF implementation. But due to an implementation issue
(buffer overflow) in the library various implementations, including SSH and
SSL, were vulnerable to attackers.
The SSL and TLS specification themselfes:
Allen, C.; Dierks, T.; The TLS Protocol Version 1.0, RFC 2246
[http://www.ietf.org/rfc/rfc2246.txt]
Freier, Alan O.; Karlton, Philip; Kocher, Paul; The SSL Protocol Version 3.0 Draft 3.02 Transport Layer Security Working Group
[http://home.netscape.com/eng/ssl3/]
RSA Data Security Inc.; Security-Bulletin of RSA Inc. for PKCS1
[http://www.rsa.com/rsalabs/pkcs1/bulletin7.html]
It deals with an implementation problem in various SSL implementations, eg.
IBMs. Some implementations check the validity of the encrypted message
format before checking the MAC. Since the chance to create a valid message
is higher than guessing the correct mac, attackers were able to use
vulnerable servers as a decryption oracle.
stealth@segfault.net, SSL for fun and profit
[http://www.phrack.org/show.php?p=57&a=13]
This uses a flaw in several browsers to make people accepting faulty
certificates. Actually it's a simple and neat trick.