Why Didn't We Spot That?

Internet Computing
2010
Issue No. 1 - January/February
Abstract - Why Didn't We Spot That?

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Stephen Farrell

Why Didn't We Spot That?

January/February 2010 (vol. 14 no. 1)

pp. 84-87

	ASCII Text	x
	Stephen Farrell, "Why Didn't We Spot That?," IEEE Internet Computing, vol. 14, no. 1, pp. 84-87, January/February, 2010.

	BibTex	x
	@article{ 10.1109/MIC.2010.21, author = {Stephen Farrell}, title = {Why Didn't We Spot That?}, journal ={IEEE Internet Computing}, volume = {14}, number = {1}, issn = {1089-7801}, year = {2010}, pages = {84-87}, doi = {http://doi.ieeecomputersociety.org/10.1109/MIC.2010.21}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - MGZN JO - IEEE Internet Computing TI - Why Didn't We Spot That? IS - 1 SN - 1089-7801 SP84 EP87 EPD - 84-87 A1 - Stephen Farrell, PY - 2010 KW - man-in-the-middle KW - TLS KW - SSL KW - security protocol development KW - practical security VL - 14 JA - IEEE Internet Computing ER -

Stephen Farrell, Trinity College Dublin

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MIC.2010.21

Recently, a previously unknown, and not particularly complex, man-in-the-middle attack appeared, affecting all versions of the Transport Layer Security (TLS) protocol. TLS and its predecessors have been in widespread use for more than a decade and have been subject to detailed scrutiny from the security community over that period. Because TLS was also developed in a very open environment (the IETF), as is usually recommended by security professionals, the question arises: Why didn't we spot this sooner? In this article, the author outlines the new attack and ponders this question.

1. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol, Version 1.2," IETF RFC 5246, Aug. 2008; www.ietf.org/rfcrfc2246.txt.
2. M. Ray and S. Dispensa, Renegotiating TLS, tech. report, Nov. 2009; http://extendedsubset.comRenegotiating_TLS.pdf .
3. E. Rescorla et al., "Transport Layer Security (TLS) Renegotiation Indication Extension," IETF Internet draft, work in progress, Nov. 2009.
4. L.C. Paulson, "Inductive Analysis of the Internet Protocol TLS," ACM Trans. Information Systems Security, vol. 2, no. 3, 1999, pp. 332–351.
5. S. Gajek et al., "Universally Composable Security Analysis of TLS," Proc. 2nd Int'l Conf. Provable Security, J. Baek et al., eds., LNCS 5324, Springer-Verlag, 2008, pp. 313–327.

Index Terms:

man-in-the-middle, TLS, SSL, security protocol development, practical security

Citation:

Stephen Farrell, "Why Didn't We Spot That?," IEEE Internet Computing, vol. 14, no. 1, pp. 84-87, Jan.-Feb. 2010, doi:10.1109/MIC.2010.21

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.

Print and Online Advertising Opportunities