The SSL and TLS security protocols have been designed and implemented to provide end-to-end data security. This includes data integrity, that is, the data cannot be modified, replayed or reordered by an attacker without being detected at the receiving endpoint. SSL and TLS, however, do not provide data delivery integrity, in the sense that they do not guarantee that all the sent data will actually arrive at the other side. This is because, for example, SSL/TLS cannot know in advance the exact size of the data to be sent over the secured channel. The most recent versions (SSLv3 and TLSv1) provide some form of protection against loss of data records by means of sequence numbers and a specialized close_notify alert message, sent when tearing down the SSL connection. Unfortunately, this is not enough when the last record containing application data is deleted on purpose together with the closure alert, as happens in truncation attacks. The SSLv3/TLSv1 specifications do not indicate what should happen (at the application level) if the close_notify message never arrives at the receiver. Consequently, for applications where it is important to ascertain that the data reached the other party untruncated, an additional control at the application level is required.
In this paper we show (based on practical tests) that some widely-used applications implementing SSLv3 and TLSv1 do not perform further controls on the size of the data to be received, and thus are vulnerable to truncation attacks. For the tests we implemented a specialized MITMSSL tool, used to manipulate the SSL/TLS records exchanged between two communicating parties.
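The application-level control the abstract calls for, as an added example that is not part of the paper and not its MITMSSL tool: a receiver-side check for an HTTP/1.x response carried over TLS that decides whether the body can be trusted as complete, using Content-Length, the chunked terminator, or, failing both, only a clean close_notify. The sample headers and bodies are constructed for the example.

```python
def _chunked_terminated(body: bytes) -> bool:
    """Walk the chunked body; True only if the zero-length last chunk is present."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return False                       # chunk-size line cut off
        size_field = body[pos:end].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            return False                       # malformed size: do not trust the body
        pos = end + 2
        if size == 0:
            return True                        # last-chunk marker reached (trailers ignored)
        if len(body) < pos + size + 2:
            return False                       # chunk data (or its CRLF) truncated
        pos += size + 2


def is_complete(headers: bytes, body: bytes, close_notify_seen: bool) -> bool:
    """Delivery-integrity check a TLS client should run before using the body.

    A MITM that drops the last application-data record together with the
    close_notify alert leaves the TLS layer silent, so the application decides:
      * Content-Length present -> body length must match exactly;
      * chunked encoding       -> the terminating zero-length chunk must be there;
      * neither                -> only a clean close_notify proves the end of data.
    """
    hdr = {}
    for line in headers.split(b"\r\n")[1:]:    # skip the status line
        if b":" in line:
            k, v = line.split(b":", 1)
            hdr[k.strip().lower()] = v.strip()
    if b"content-length" in hdr:
        return len(body) == int(hdr[b"content-length"])
    if hdr.get(b"transfer-encoding", b"").lower() == b"chunked":
        return _chunked_terminated(body)
    return close_notify_seen


# Constructed sample responses (hypothetical, not captured traffic).
CL_HEADERS = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\n"
CHUNKED_HEADERS = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
NOLEN_HEADERS = b"HTTP/1.0 200 OK\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    print(is_complete(CL_HEADERS, b"hello world", False))      # True
    print(is_complete(CL_HEADERS, b"hello wo", False))         # False: record dropped
    print(is_complete(NOLEN_HEADERS, b"hello world", False))   # False: no close_notify
```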