Link

19 Year-Old Vulnerability Continues to Haunt the Internet

Via Ars Technica:

A surprisingly big number of top-name websites—Facebook and PayPal among them—recently tested positive for a critical, 19-year-old vulnerability that allowed attackers to decrypt encrypted data and sign communications using the sites’ secret encryption key.

The vulnerability in the transport layer security protocol for Web encryption was disclosed in 1998 when researcher Daniel Bleichenbacher found it in the TLS predecessor known as secure sockets layer. A flaw in the algorithm that handles RSA encryption keys responded to certain types of errors in a way that divulged potentially sensitive information. With enough specially formed queries, attackers could exploit the weakness in a way that allowed them to decrypt ciphertext even when they didn’t have the secret decryption key. SSL architects responded by designing workarounds that suppressed the error messages rather than removing or rewriting the faulty RSA algorithm.

The vulnerability of Cisco’s ACE is concerning, because Cisco stopped supporting it several years ago and the researchers said the company has no plans to patch the product line. Even worse, it’s not possible to disable RSA encryption in the product, leaving users unable to follow one of the few possible workarounds for those unable to patch. What’s more, the researchers said Cisco is currently using ACE to serve content on cisco.com.
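An added example (not from the Ars Technica article or from any vendor's code) of the error-suppression workaround the quoted passage describes, following the countermeasure in RFC 5246 section 7.4.7.1, shown beside the leaky handling it replaces. It assumes the RSA decryption has already been done and takes the decrypted block as input; the function names and sample blocks are constructed for illustration.

```python
import secrets
from typing import Optional

class BadPadding(Exception): ...
class BadLength(Exception): ...

def unpad_pkcs1_v15(em: bytes) -> Optional[bytes]:
    # Block layout: 0x00 0x02 <8 or more nonzero padding bytes> 0x00 <message>
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # -1: no separator; 2..9: fewer than 8 padding bytes
        return None
    return em[sep + 1:]

def premaster_leaky(em: bytes) -> bytes:
    # "Before": each failure reaches the peer as a different outcome, which is
    # the error behaviour the article says divulged information.
    m = unpad_pkcs1_v15(em)
    if m is None:
        raise BadPadding("padding check failed")
    if len(m) != 48:
        raise BadLength("premaster secret is not 48 bytes")
    return m

def premaster_hardened(em: bytes, client_version: bytes) -> bytes:
    # "After": draw the random fallback before inspecting the block, never
    # raise, and always return 48 bytes. A malformed block then fails later,
    # at the Finished check, the same way a wrong key would.
    # Python is not constant-time; a real TLS stack must also avoid timing
    # differences between the two branches.
    r = secrets.token_bytes(46)
    m = unpad_pkcs1_v15(em)
    if m is None or len(m) != 48:
        return client_version + r
    return client_version + m[2:]

# Constructed sample blocks for a 2048-bit key (256 bytes); not captured traffic.
VERSION = b"\x03\x03"
GOOD = b"\x00\x02" + b"\xaa" * 205 + b"\x00" + VERSION + bytes(46)
BAD_PAD = b"\x00\x01" + GOOD[2:]
SHORT_MSG = b"\x00\x02" + b"\xaa" * 250 + b"\x00" + b"abc"

if __name__ == "__main__":
    for name, em in [("good", GOOD), ("bad padding", BAD_PAD), ("short", SHORT_MSG)]:
        print(name, premaster_hardened(em, VERSION).hex()[:16])
```
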

Companies that are responsible for providing critical infrastructure technologies need to be accountable for what they develop and sell. Imagine if a car company with a known-deficient vehicle refused to fix or repair it on the basis they didn’t support it any longer – there’d be class action suits almost immediately. The technology sector needs to mature, and fast.

But as an aside, these are the sorts of weaknesses and vulnerabilities that the NSA and other national security agencies, along with private signals intelligence vendors, actively exploit. The actual ways in which cryptography is implemented are often rife with issues. One has to ask why Cisco and other major companies’ products were vulnerable in the first place but, also, whether the NSA or its sister agencies knew about the weaknesses and have been exploiting them instead of trying to better secure the public’s communications.

In theory the United States of America’s government, as well as the Canadian government, has a Vulnerabilities Equities Process (VEP). If this vulnerability was discovered but not disclosed it would be a damning indictment of the adequacy of the current VEP protocols.

Quote

The report finds plenty of blame to go around. The ultimate cause of the fiasco, it says, was the fact the grant implementers did not conduct a capacity or use study before spending $24 million. They also used a “legally unauthorized purchasing process” to buy the routers, which resulted in only modest competition for the bid. Finally, Cisco is accused of knowingly selling the state larger routers than it needed and of showing a “wanton indifference to the interests of the public.”

Getting any of the money back seems unlikely at this point, but the legislative auditor does have one solid recommendation to make. The State Purchasing division should determine whether Cisco’s actions in this matter fall afoul of section 5A-3-33d of the West Virginia Code, and whether the company should be barred from bidding on future projects.

Cisco tells Ars “the criticism of the State is misplaced and fails to recognize the forward-looking nature of their vision. The positive impact of broadband infrastructure on education, job creation, and economic development is well established, and we are committed to working with the State to realize these benefits for the people of West Virginia now and into the future.”

As for that $5+ million the state could have saved—it would have paid for 104 additional miles of fiber.