Lori MacVittie - Two Different Socks (DevCentral Weblogs)
TLS Man-in-the-Middle Attack Disclosed Yesterday Solved Today with Network-Side Scripting
posted on Friday, November 06, 2009 12:30 PM

Yesterday the blogosphere, twittosphere, and other-spheres were abuzz when a new TLS renegotiation man-in-the-middle attack (CVE-2009-3555) was disclosed. The flaw lets an attacker who can intercept a connection trigger a renegotiation and splice plaintext of his own choosing in front of the client's encrypted request, so the server treats the two as one stream.


Interestingly enough, while we were all still reading about it and figuring out all the nuances, one of our own DevCentral members was out implementing a solution.

No, he’s not a vendor with a product to worry about, he’s just a “guy” trying to defend his web site and applications from potential attacks like this one. But he’s a guy with network-side scripting in his arsenal of web application security tools, and with that and his understanding of the very well-documented vulnerability he crafted a solution.

Colin documents the iRule that addresses this vulnerability in his 20 Lines or Less (20LoL) post for the week, and so I won’t repost the code. You can also view the forum thread [registration required] in which “Lupo” describes and discusses the solution.

What I love about this solution is not necessarily that it solves a particular vulnerability. That’s awesome, of course, and a great thing, but in the coming weeks and months we’ll see a lot of solutions that address this particular vulnerability. What I really love about this solution is the speed with which it was implemented. The vulnerability was disclosed yesterday and Lupo had a solution today, which he generously shared with thousands of others who can put it to use immediately.

A lot of folks talk about agility and how solution X or Y enables organizations to respond rapidly to changing market/business conditions, but rarely do you see as solid an example as this one. From disclosure to solution in one day. That’s agility in action.

UPDATE (12/09/2009): The code referenced in Colin's post and the forums contains a "TCP::close" near the end of the iRule. Based on implementations, this needs to be changed to simply "reject" to avoid causing a problem with core processing.
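To make concrete what a network-side scripting mitigation for this flaw looks like, here is an added illustration written for this page; it is not Lupo's iRule and not the code from Colin's 20LoL post. The attack needs a renegotiation on an already-established SSL/TLS connection, so the rule counts completed client-side handshakes per TCP connection and resets the connection on the second one. It assumes a client SSL profile is attached to the virtual server (otherwise CLIENTSSL_HANDSHAKE never fires); the variable name handshake_count and the log text are this example's own choices.

```tcl
# Added example: reject TLS renegotiation on the client side of a BIG-IP
# virtual server. Not the iRule from the post or the forum thread.
# Assumes a client SSL profile is attached to the virtual server.

when CLIENT_ACCEPTED {
    # CLIENT_ACCEPTED fires once per TCP connection, so this gives us
    # one counter per connection (variable name is this example's own).
    set handshake_count 0
}

when CLIENTSSL_HANDSHAKE {
    # Fires each time a client-side SSL/TLS handshake completes on this
    # connection, including a renegotiation of an existing session.
    incr handshake_count
    if { $handshake_count > 1 } {
        # A second handshake on the same connection is a renegotiation,
        # the vehicle the MITM attack relies on. Per the update above,
        # use "reject" (connection reset) rather than "TCP::close".
        log local0. "TLS renegotiation attempted from [IP::client_addr]; rejecting"
        reject
    }
}
```

Two caveats before deploying a rule like this. It blocks every renegotiation, including legitimate ones (for example a server-initiated rehandshake to request a client certificate for a protected URI, or a rehandshake on a very long-lived connection), so verify that nothing behind the virtual server depends on renegotiation. And it is a workaround that removes the attack's vehicle rather than a fix to the protocol; the protocol-level repair, secure renegotiation (RFC 5746), came later, and the rule should be retired once the SSL stack in use implements it.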

Feedback


11/6/2009 12:35 PM
I would have included a "See? I told you so..." considering your very timely post on WHEN being more important than WHERE:

devcentral.f5.com/.../...application-security.aspx
Jason Rahm

11/10/2009 11:01 AM
This post was mentioned on Twitter by lmacvittie: New post: TLS Man-in-the-Middle Attack Disclosed Yesterday Solved Today with Network-Side Scripting: Yesterday the b... http://bit.ly/44dwg8
uberVU - social comments

11/10/2009 11:12 AM
We have an SSL certificate configured for our clients on BigIP. Could you please let me know if we are exposed to this vulnerability? We currently are not running any iRules; do we need to run the rules, and if yes, can I please get an example?

thanks
Nadeem

11/10/2009 11:17 AM
@Nadeem

My understanding of the SSL/TLS MiTM attack is that it is specific to the protocol, not a product, and thus any implementation of SSL is suspect.

Whether or not you should be running the iRule is really based on how much risk you are willing to accept. If you have a low tolerance for risk and prefer a "better safe than sorry" approach, the iRule offered by Lupo is documented here by DC iRules Guru Colin Walker: devcentral.f5.com/.../...ng-header-re-writing.aspx

If you have questions/need assistance with implementing the iRule please log in to the forums and join this thread:
devcentral.f5.com/Default.aspx
Lori MacVittie