This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
Why Didn't We Spot That?
January/February 2010 (vol. 14 no. 1)
pp. 84-87
Stephen Farrell, Trinity College Dublin
Recently, a previously unknown, and not particularly complex, man-in-the-middle attack appeared, affecting all versions of the Transport Layer Security (TLS) protocol. TLS and its predecessors have been in widespread use for more than a decade and have been subject to detailed scrutiny from the security community over that period. Because TLS was also developed in a very open environment (the IETF), as is usually recommended by security professionals, the question arises: Why didn't we spot this sooner? In this article, the author outlines the new attack and ponders this question.

1. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol, Version 1.2," IETF RFC 5246, Aug. 2008; www.ietf.org/rfcrfc2246.txt.
2. M. Ray and S. Dispensa, Renegotiating TLS, tech. report, Nov. 2009; http://extendedsubset.comRenegotiating_TLS.pdf .
3. E. Rescorla et al., "Transport Layer Security (TLS) Renegotiation Indication Extension," IETF Internet draft, work in progress, Nov. 2009.
4. L.C. Paulson, "Inductive Analysis of the Internet Protocol TLS," ACM Trans. Information Systems Security, vol. 2, no. 3, 1999, pp. 332–351.
5. S. Gajek et al., "Universally Composable Security Analysis of TLS," Proc. 2nd Int'l Conf. Provable Security, J. Baek et al., eds., LNCS 5324, Springer-Verlag, 2008, pp. 313–327.

Index Terms:
man-in-the-middle, TLS, SSL, security protocol development, practical security
Citation:
Stephen Farrell, "Why Didn't We Spot That?," IEEE Internet Computing, vol. 14, no. 1, pp. 84-87, Jan.-Feb. 2010, doi:10.1109/MIC.2010.21
Usage of this product signifies your acceptance of the Terms of Use.