[tor-talk] Yet another OpenSSL vulnerability

Nick Mathewson nickm at freehaven.net
Thu Jun 5 16:34:18 UTC 2014


Hi, all!

There's another OpenSSL vulnerability.  This one is less terrible
than heartbleed, but it's still quite bad.  People have taken to
calling it the "EarlyCCS" attack: it will probably get less media
attention than heartbleed because its name is insufficiently scary.

The impact on Tor is that an adversary in the position to run a MITM
attack on a Tor client or relay could cause a TLS connection to be
negotiated without real encryption or authentication.

This attack is possible if the connection initiator (client or
relay) is running an unpatched OpenSSL, and if the relay is running
an unpatched OpenSSL 1.0.1.  If either party has upgraded, or if the
relay is running a version before 1.0.1, the attack fails.

The circuit-layer crypto (which happens under the TLS layer) should
still provide significant protection for user communications over
Tor.  But a MITM attack of this kind could still help traffic
analysis, and likely other unexpected badness as well.

Because of this, I'd strongly recommend that everybody should
upgrade. If you're using Tor packages from our website, please
update to the latest versions as soon as they're available; I hope
that will be very soon.  If your Tor is built against an OpenSSL
provided by your operating system distribution, please install the
vendor updates as soon as they're available.

Here's the official OpenSSL security advisory:

  https://www.openssl.org/news/secadv_20140605.txt

Here's a good write-up by Adam Langley, explaining this bug in detail:

  https://www.imperialviolet.org/2014/06/05/earlyccs.html

Here's a post from the original discoverer of the bug.

  http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html

And here's the vulnerability's website (since all vulnerabilities
have a website), complete with scary logo:

  http://ccsinjection.lepidum.co.jp/

(As a side-note, you should also be concerned about OpenSSL-based
applications that you're using that _aren't_ Tor.  Tor is
comparatively resilient to having one layer of crypto removed; but
most protocols aren't.  Fortunately, Firefox/TorBrowser is using NSS
for its TLS crypto.)

(As a final side-note: today's OpenSSL releases fix some other bugs
too.  If you run other programs that use OpenSSL -- particularly
ones that do DTLS -- you should upgrade for that reason too.)

cheers,
-- 
Nick

