Security
Let's talk about perfect forward secrecy
Perfect forward secrecy (PFS) is a security feature that comes up fairly regularly in debates about privacy, but historically it gets little discussion. At least, far less discussion than what are perceived as "core" features of a cryptosystem like key strength, message verification, or the web of trust. But that disparity is in part the result of a perception that PFS guards against some unlikely attack scenarios, such as a well-funded adversary capturing months or years' worth of traffic. Thanks to the recent revelations of bulk NSA surveillance, however, those scenarios suddenly seem a lot less unlikely to a lot of users, so PFS is attracting considerable attention.
The basic definition of forward secrecy is that compromising one encrypted conversation does not enable an attacker to then compromise any subsequent conversations. The simplest negative example would be using the same key to encrypt every session: if the key is discovered, the attacker can decrypt the current session and every session that follows. The fact that said attacker can also decrypt older sessions has not traditionally been a been part of the discussion (although it is true), probably because of the unlikelihood that most attackers would have been capturing sessions all along to begin with. After all, old SSL connection traffic is not recorded on servers at your favorite online shopping site—at least as far as anyone knows.
Thus, forward secrecy is a property that stems from how and when keys are generated and used, rather than from the ciphers involved. It essentially means that encryption keys must be ephemeral. Note that OpenPGP, for example, does not have forward secrecy, since its key pairs are by definition long-term assets. If a user's private key becomes public knowledge, the key can no longer be trusted by the user for future encryption and must be replaced, but all old messages encrypted with it are suddenly vulnerable to decryption, too.
There is a bit less agreement on what perfect forward secrecy means above and beyond mere forward secrecy (if indeed there is such a distinction), but the term PFS is typically used to indicate stronger guarantees against the domino-like compromise of one session from another. For example, if a long-term key is used to algorithmically derive a new ephemeral key for each session, some would argue that the forward secrecy is not "perfect." In such a scenario, if a session's ephemeral key was captured, no other sessions could be decrypted with it, but if the long-term key was captured, deriving the session keys—for multiple sessions—might be possible. Which key-derivation schemes and key-exchange protocols are perfect enough to count as PFS varies somewhat in the reading material. In common usage, however, the distinction rarely even comes into play, probably because so few encryption implementations in the wild offer forward secrecy at all.
PFS is a tad peculiar in at least one sense: it describes a property of a particular session that only provides protection to other sessions. That is, the presence or absence of PFS only comes into play when at least one private conversation has been decrypted (or one secret key can been captured). Perhaps it is no wonder, then, that it would remain an afterthought to hardening the rest of the system.
Present perfect
In practice, whether or not any given Internet connection has PFS depends on several factors. First and foremost is the availability of a key-exchange protocol that has PFS, but second is the practical question of whether the two parties in the conversation can agree on a PFS key exchange. That, of course, depends on things outside of the individual's control, such as the configuration of the remote web server.
The Diffie–Hellman key exchange protocol can offer PFS if it generates a new key (by using a new set of parameters) for every session. This is the default behavior, and the great majority of implementations use ephemeral parameters, but for clarity it is common to refer to this behavior as "ephemeral Diffie–Hellman" (EDH or DHE), just to be on the safe side.
PGP-style encryption, as it was noted above, does not offer PFS. But SSH does, since SSH session keys are ephemeral and are exchanged between hosts using DHE. Similarly, the Off-the-Record Messaging (OTR) protocol for instant messages uses DHE for key exchange, so it too offers PFS (in addition to several other privacy and security features). IPSec supports PFS as an option; when enabled, a new DHE key exchange is performed for each new session. But as a percentage of total Internet connections, all of these protocols account for but a fraction when compared to SSL/TLS, which is where the practical problem lies.
The SSL/TLS protocol supports a wide array of "cipher suites." Each cipher suite is a specific combination of a key-exchange algorithm, encryption algorithm, message authentication code, and pseudorandom function. In the handshake step of connection establishment, the client (e.g., web browser) and server each have their own cipher suite preferences; the client presents its list to the server, which is supposed to choose the top option that is supported by both.
DHE and its variant Elliptic Curve DHE (ECDHE) are two of the available options for key exchange, so users would be wise to place them at the top of their cipher-suite preferences. However, the majority of public web servers does not support DHE or ECDHE, so in practice most HTTPS connections are established without PFS. In June 2013, Netcraft published a look at PFS on the web, noting that of the eight most popular web service providers mentioned in the NSA surveillance scandal (Facebook, Twitter, Yahoo, Google, Microsoft, AOL, Apple, and Paltalk), only Google's servers negotiated for a PFS cipher suite during connection.
Most of the remaining web servers simply use public-key encryption to protect connection setup instead, with the client encrypting its part of the handshake with the server's public SSL certificate. The curious can investigate any server's configuration with SSL Labs's server test tool. While the RSA algorithm used for certificates has proven itself quite resistant to attack, to many it is not sufficient for NSA-proofing an SSL/TLS connection. A government agency could obtain the server's private key (i.e., the secret key which complements the SSL certificate that clients use to encrypt those initial messages to the server) with a court order or warrant, at which point any captured SSL/TLS connection from the server could be decrypted.
Naturally, an attacker in possession of the private key corresponding to the server's public SSL certificate can also do plenty of other bad things like man-in-the-middle attacks, so to some, worrying about PFS may sound like small potatoes. On the other hand, for many web users, government surveillance amounts to a different—not a lesser—threat. Strong cryptography might be the best safeguard against thieves and scammers, but PFS is the medicine prescribed for state-supported spying.
Forward progress
The good news is that all of the major free software browsers support PFS cipher suites for SSL/TLS, as do the free software web server projects. Among the servers, nginx is configured to prefer PFS cipher suites by default, and configuring the others to negotiate for it is a relatively simple affair.
Of course, Google only switched over to the PFS-enabled cipher suites on its web servers in 2011; any traffic captured before that could still (at least in theory) be decrypted if the right keys were found.
Looking forward, the NSA surveillance revelations have prompted a renewed interest in PFS, so there are a lot of discussions on Stack Exchange and similar forums about how to configure web servers to prefer PFS. The tide may indeed be changing, but some server administrators may be surprised to discover the costs associated with ephemeral key generation. Prior to the NSA story, there were several popular blog posts on the overhead that enabling DHE and ECDHE for SSL/TLS would impose on a web server. In 2011, for example, Vincent Bernat estimated DHE at a 300% performance hit, but ECDHE at only a 15–27% increase.
Whether such an increase in CPU cycles (and, potentially, hosting costs) is worth it is a question only the server owner can answer. As CPUs get faster over time, of course, the bottom-line calculations could change. But PFS is meant to protect the participants in a conversation for a very long time—hypothetically an attacker could store captured traffic forever. And in the very long run, the additional protections of PFS could be worth a high price indeed.
Brief items
Security quotes of the week
Once complete, we will invite public comment on this process. We also will bring in an independent organization to conduct a formal review of our standards development approach and to suggest improvements. Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable.
What this really shows is how robust the surveillance state is, and how hard it will be to craft laws reining in the NSA. All the bills being discussed so far only address portions of the problem: specific programs or specific legal justifications. But the NSA's surveillance infrastructure is much more robust than that. It has many ways into our data, and all sorts of tricks to get around the law
New vulnerabilities
GraphicsMagick: denial of service
| Package(s): | GraphicsMagick | CVE #(s): | CVE-2013-4589 | ||||||||||||
| Created: | November 4, 2013 | Updated: | December 1, 2013 | ||||||||||||
| Description: | From the Red Hat bugzilla:
GraphicsMagick, a comprehensive image processing package, is found to have a vulnerability which can be exploited by malicious people to cause a Denial of Service (DoS). The vulnerability is caused due to an error within the "ExportAlphaQuantumType()" function found in magick/export.c when exporting 8-bit RGBA images, which can be exploited to cause a crash. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2013-4470 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | November 5, 2013 | Updated: | March 28, 2014 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
Linux kernel built with an Ethernet driver(ex virtio-net) which has UDP Fragmentation Offload(UFO) feature ON is vulnerable to a memory corruption flaw when UDP_CORK socket option is set. It could occur when sending large messages, wherein not all messages are greater than maximum transfer unit(MTU) of the underlying medium. An unprivileged user/program could use this flaw to crash the kernel resulting in DoS, or potentially escalate their privileges on the system. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel-rt: denial of service
| Package(s): | kernel-rt | CVE #(s): | CVE-2013-4348 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | November 1, 2013 | Updated: | November 13, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: A flaw was found in the way IP packets with an Internet Header Length (ihl) of zero were processed in the skb_flow_dissect() function in the Linux kernel. A remote attacker could use this flaw to trigger an infinite loop in the kernel, leading to a denial of service. (CVE-2013-4348, Important) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
libav: code execution
| Package(s): | libav | CVE #(s): | |||||||||
| Created: | November 4, 2013 | Updated: | November 11, 2013 | ||||||||
| Description: | From the Ubuntu advisory:
It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. | ||||||||||
| Alerts: |
| ||||||||||
lightdm: information leak
| Package(s): | lightdm | CVE #(s): | CVE-2013-4459 | ||||
| Created: | November 6, 2013 | Updated: | November 6, 2013 | ||||
| Description: | From the Ubuntu advisory:
Christian Prim discovered that Light Display Manager incorrectly applied the AppArmor security profile when the Guest account is used. A local attacker could use this issue to possibly gain access to sensitive information. | ||||||
| Alerts: |
| ||||||
mednafen: code execution
| Package(s): | mednafen | CVE #(s): | CVE-2010-3085 | ||||
| Created: | November 4, 2013 | Updated: | November 6, 2013 | ||||
| Description: | From the CVE entry:
The network-play implementation in Mednafen before 0.8.D might allow remote servers to execute arbitrary code via unspecified vectors, related to "stack manipulation" issues. | ||||||
| Alerts: |
| ||||||
phpmyadmin: multiple vulnerabilities
| Package(s): | phpmyadmin | CVE #(s): | CVE-2013-4997 CVE-2013-4999 CVE-2013-5001 | ||||||||||||
| Created: | November 4, 2013 | Updated: | July 30, 2014 | ||||||||||||
| Description: | From the CVE entries:
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a JavaScript event in (1) an anchor identifier to setup/index.php or (2) a chartTitle (aka chart title) value. (CVE-2013-4997) phpMyAdmin 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to Error.class.php and Error_Handler.class.php. (CVE-2013-4999) Cross-site scripting (XSS) vulnerability in libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php in phpMyAdmin 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted object name associated with a TextLinkTransformationPlugin link. (CVE-2013-5001) | ||||||||||||||
| Alerts: |
| ||||||||||||||
python-backports-ssl_match_hostname: invalid hostname matching
| Package(s): | python-backports-ssl_match_hostname | CVE #(s): | |||||||||
| Created: | November 5, 2013 | Updated: | November 6, 2013 | ||||||||
| Description: | From the Python advisory:
Ryan Sleevi of the Google Chrome Security Team has informed us about another issue that is caused by our failure to implement RFC 6125 wildcard matching rules. RFC 6125 allows only one wildcard in the left-most fragment of a hostname. For security reasons matching rules like *.*.com should be not supported. For wildcards in internationalized domain names I have followed the piece of advice "In the face of ambiguity, refuse the temptation to guess.". A substring wildcard does no longer match an IDN A-label fragment. '*' still matches a full punycode fragment but 'x*' no longer matches 'xn--foo'. | ||||||||||
| Alerts: |
| ||||||||||
strongswan: multiple vulnerabilities
| Package(s): | strongswan | CVE #(s): | CVE-2013-6075 | ||||||||||||||||||||
| Created: | November 1, 2013 | Updated: | January 27, 2014 | ||||||||||||||||||||
| Description: | From the Debian advisory: A vulnerability has been found in the ASN.1 parser of strongSwan, an IKE daemon used to establish IPsec protected links. By sending a crafted ID_DER_ASN1_DN ID payload to a vulnerable pluto or charon daemon, a malicious remote user can provoke a denial of service (daemon crash) or an authorization bypass (impersonating a different user, potentially acquiring VPN permissions she doesn't have). | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
tryton-client: unintended file access
| Package(s): | tryton-client | CVE #(s): | |||||
| Created: | November 4, 2013 | Updated: | November 6, 2013 | ||||
| Description: | From the Debian advisory:
Cedric Krier discovered that the Tryton client does not sanitize the file extension supplied by the server when processing reports. As a result, a malicious server could send a report with a crafted file extension that causes the client to write any local file to which the user running the client has write access. | ||||||
| Alerts: |
| ||||||
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2013-6336 CVE-2013-6337 CVE-2013-6338 CVE-2013-6340 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | November 5, 2013 | Updated: | November 11, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian advisory:
Multiple vulnerabilities were discovered in the dissectors for IEEE 802.15.4, NBAP, SIP and TCP, which could result in denial of service. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>