Division by Zero Day

Yes, it’s a vaguely IT-related post, just for a change.

A few days ago, there was a flurry of interest in the LinkedIn issue raised by Zimperium, concerning potential Man In The Middle attacks (somehow, this always makes me think of Rob Brydon) using SSL-stripping.

I must admit, I was somewhat irritated by the very trivial issue of the misuse of the term zero-day vulnerability. If Zimperium has notified LinkedIn six times about the issue, I don’t think it can be described as a zero-day vulnerability, since it’s known to the provider. Unless the notifications have been disappearing into a black hole somewhere, but Zimperium’s blog indicates that LinkedIn acknowledged to them last year that the issue existed. And in fact, SSL-stripping has been a known attack for quite a few years. As far as I can see, it isn’t a vulnerability at all in terms of the SSL trust model: it’s an implementation issue.

HTTPS is essentially HTTP with a supervening layer of SSL/TLS. While Zimperium's blog doesn't describe a specific vulnerability, what it refers to as SSL-stripping involves an attacker sitting between the victim and the server, answering the victim's plain-HTTP requests itself while fetching the corresponding pages over HTTPS from the real server, and rewriting the https:// links and redirects in the replies to http:// so that the victim's browser never starts an SSL session at all. The server's certificate is never presented to the victim, so nothing in the SSL trust model is actually being broken: the attack depends on the browser being willing to talk plain HTTP in the first place, which is why it works best when the user types the site's name without a scheme, or follows an http:// link, and relies on the site to redirect to HTTPS. If the browser itself insists on HTTPS for that host, the stripped http:// request is never made, and the attacker is left with other tools that directly attack the underlying trust model and the way certificates are checked. HSTS (HTTP Strict Transport Security) is the mechanism for making the browser insist: the Strict-Transport-Security response header tells it to use only HTTPS for the host for a stated period. The caveat is that browsers honour the header only when it arrives over a genuine HTTPS connection, so a victim whose very first visit is intercepted (or whose stored policy has expired) never receives it; the attacker simply drops the header along with everything else it rewrites. Browser preload lists, which ship the policy with the browser, exist to close that first-visit gap.

There are a couple of measures (as described by Zimperium) that the consumer can take right now: turn on HTTPS for all LinkedIn transactions in Account/Security Settings, and always log in to https://www.linkedin.com, not http://www.linkedin.com. The second matters more than it looks: if the scheme you type (or bookmark) is https://, the very first request is already made over SSL, so there is no plain-HTTP exchange for a stripper to intercept and no http-to-https redirect for it to swallow.

Of course, there may be other issues that Zimperium’s blog doesn’t mention, and I’m not familiar with their pen-test toolkit, so can’t comment on the details of their findings.

David Harley
Small Blue-Green World
