Researchers have discovered incorrect implementations of SSL that allow attacks on a huge number of applications and services provided by PayPal, Amazon, Microsoft, Google and Yahoo.
A team of researchers from the University of Texas at Austin and Stanford has published a study of how reliably SSL certificates are validated in “non-browser” software on Linux, Windows, Android and iOS. The study examined the SSL validation implementations in various software and in the APIs it is built on. The attack vector chosen was the “man in the middle” (MitM) attack.
The main objective of SSL is to protect the end user from man-in-the-middle attacks. Even if the network is fully compromised (DNS caches are poisoned; access points, routers and so on are controlled by an attacker), SSL is required to ensure the confidentiality, authenticity and integrity of data between the client and the server.
The study showed that software and libraries from various major vendors contain flaws that allow the attack to succeed. The list of software using a vulnerable SSL implementation includes popular programs from vendors whose priority is to provide reliable encryption mechanisms for transmitting critical data, as well as storage and cloud computing software. Examples are the Amazon EC2 Java client library and all clients based on it; software built on the Amazon and PayPal SDKs (Amazon Flexible Payments Service for Java and PHP, PayPal Payments Standard and PayPal Invoicing, PayPal Payments Pro, Mass Pay and Transactional Information SOAP); modules used to carry out transactions; integrated solutions for online stores such as osCommerce, ZenCart, Ubercart and PrestaShop; the AdMob software for mobile applications; Apache Axis, Axis 2, Codehaus XFire and the Pusher library for Android; and the popular IM client Trillian.
The main reason such an attack is possible is the poor design of the APIs of SSL implementations (JSSE, OpenSSL and GnuTLS) and of transport libraries (for example, cURL), which expose many settings and options that are not always clear to developers.
As an example of an incorrect implementation, the researchers show a flaw in the PHP version of the Amazon Flexible Payments Service library. The application tries to enable SSL certificate verification by setting CURLOPT_SSL_VERIFYHOST to true for cURL. Unfortunately, the correct value for enabling the verification is 2, and setting the option to true is interpreted as 1, which disables the certificate verification.
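A check for this mistake, as an added example that is not taken from the study or from the Amazon library: a small Python scanner that flags PHP source lines setting CURLOPT_SSL_VERIFYHOST to anything other than 2. The function names and the sample PHP are constructed for illustration.

```python
import re

# Matches curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, <value>) and the
# curl_setopt_array() form CURLOPT_SSL_VERIFYHOST => <value>.
SETTING = re.compile(r"CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*([^,;)\s]+)")

# Literals that leave host verification off or ineffective. PHP coerces
# true to the integer 1, the case described in the article.
WEAK_LITERALS = {"true", "1", "false", "0"}


def classify(value):
    """Classify the PHP expression assigned to the option."""
    v = value.lower()          # PHP's true/false are case-insensitive
    if v == "2":
        return "ok"
    if v in WEAK_LITERALS:
        return "weak"
    return "review"            # variable or expression: needs a human look


def audit_php(source):
    """Return (line number, value, verdict) for every setting that is not 'ok'."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue           # whole-line comment; inline comments are not handled
        for match in SETTING.finditer(line):
            verdict = classify(match.group(1))
            if verdict != "ok":
                findings.append((lineno, match.group(1), verdict))
    return findings


# Constructed sample input, not taken from any real SDK.
SAMPLE_PHP = """<?php
// enable certificate checks
$ch = curl_init($endpoint);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt_array($ch, array(CURLOPT_SSL_VERIFYHOST => $verify));
"""

if __name__ == "__main__":
    for lineno, value, verdict in audit_php(SAMPLE_PHP):
        print(f"line {lineno}: CURLOPT_SSL_VERIFYHOST = {value} -> {verdict}")
```

Settings reported as "review" take their value from a variable or expression, so the scanner cannot decide them and they need to be traced by hand.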
Details of the results of the study can be found here.