Security @ Opera

Recently, news of a SVG-related vulnerability has been circulating on the net, along with claims that Opera had "decided not to fix it".

At Opera, we take security very seriously, and you can be sure that we would not choose to ignore exploitable security vulnerabilities.

With our release today of Opera 11.52, we now have a fix available for this issue, but we want to shed more light onto what happened, as well as explain why we both ask for - and practice - responsible disclosure.

Read more...

Certificate Authorities (CAs) have a lot of responsibility, they are in charge of ensuring who can present their site as secure and verified, which they do by issuing certificates to trusted site owners. There are hundreds of CAs around the world, and it will inevitably happen that some of them issue a certificate incorrectly, either by mistake or by hacking. The certificate system is built to tackle this, by having a built-in revocation system. CAs add a revocation URL¹ to all certificates, and when a browser encounters such a certificate, the browser will check with that URL if the certificate is still valid. This allows CAs to immediately cancel any misissued or fraudulent certificates.

If a browser gets a negative response when checking the revocation URL, the browser will warn the user, and refuse to load the page. However, in most cases where an attacker is trying to spoof another server, the attacker is in full control of the network, so as to direct users to his own server. It is then easy for the attacker to additionally block the revocation URL. Some browsers will present a site as secure if the revocation URL is blocked,
Opera's address barwhich allows for abusing even a revoked certificate. Opera will downgrade the security level of the site to the same as any other regular web page in such unverified cases, which means that once a certificate is revoked by the issuer, it cannot be abused in Opera, even if the revocation URL is blocked. The most an attacker can do, is the same as he could without a certificate.

Browsers that do not have protection against blocked revocation lists will need to rapidly issue an update to fix any new certificate abuse. In Opera, users are protected automatically when the certificate is revoked. If the CA has a general problem, or a CA is no longer being used, we can remove it from our list of trusted CAs behind the scenes, and the user will also be secure, without needing to change anything in her browser.

You may well encounter reports in the media about fraudulent certificates. But rest assured that Opera takes care of these for you. Our advice is that as long as you are using Opera, pay attention to the address bar badge, and you will still be secure.

¹ Edit: Technically there are two such URLs, but this post treats them both as one.

Edit 2: Regarding specific incidents with DigiNotar, please see this blogpost on rootstore.

Edit 3: Further actions regarding DigiNotar have been deployed, please see the announcement on the rootstore home page.

We have written several articles^1,2,3,4 about the results provided by the TLS Prober, and occasionally provided information about specific tests it performs. In this article we will provide more details about what tests are performed.

For new readers, the TLS Prober was created to monitor the patching of the TLS Renego Security Vulnerability, CVE-2009-3555, possibly the most severe vulnerability to affect the SSL/TLS protocol. It allows a Man In the Middle attacker to, for example, inject HTTP requests into the beginning of a user's connection with a vulnerable server and have them performed with the user's credentials (A Proof of Concept demonstration in November 2009 posted the victim's Twitter username and password to their Twitter stream).

To fix this problem, all SSL/TLS clients and servers must be updated to support a new TLS Extension, the Renegotiation Information Extension, documented in RFC 5746. However, before clients can start to become strict about this extension, and thus protect our mutual users against this attack, as many servers as possible need to be patched.

The TLS Prober is one of the projects that is used to monitor this situation. Another project is Ivan Ristic's SSLLabs project, and it is possible that Netcraft has added such testing to their survey.

In addition to monitoring the "Renego" issue, the Prober also tests servers for a number of other capabilities and problems, which can aid the SSL/TLS client vendors in deciding which functionality to support, or which problems to be aware of when maintaining their implementations.

The TLS Prober consists of a group of computers that connect to the Internet via the hostname "tls-testing.opera.opera.com" (213.236.208.19, formerly known as "probes.opera.com").

When running a test these computers run many scripts in parallel, each testing a different secure server, then registering the results in a database.

As mentioned previously, the TLS Prober is based on TLSLite, a Python-based TLS implementation, which has been updated with extra TLS functionality and instrumented to test a number of variants that we have observed in clients and servers.

The weekly run of the TLS Prober is normally performed Monday and Tuesday each week, although the TLS Prober might be configured to run special tests at other times as well.

When probing a server (a single IP address and port is only tested once, even if it has several names), the following tests are performed:

Capability checks:

• SSL v2
• SSL v3
• TLS 1.0
• TLS 1.1
• TLS 1.2
• General support for TLS Extensions (such as Server Name Indication,
  Certificate Status)
• Support for the TLS Renegotiation Indication Extension
• Support for the TLS Session Ticket Extensions
• TLS Session Resumption? (Not having this enabled can cause performance issues for the server)
• Trigger TLS connection renegotiation? (Might indicate a security vulnerability)
• Accept TLS connection renegotiation triggered by the client? (Might indicate a security vulnerability)
• Support of various encryption methods, some of which are weak, and
  therefore could be a security problem.

Checks for correct handling

• Tolerates TLS 1.3? (This is a, currently, non-existent version of TLS, version code 3.4, but next on the list. Not accepting this is astandards violation)
• Tolerates TLS NG.1? (non-existent version, with version code 4.1, not accepting this is a standards violation)
• Uses correct version field in the Client Hello message (some servers
  use the wrong field)
• Does not require one version field in the Client Hello to contain
  specific values before accepting the other.
• Does the server handle the version field in the RSA Client Key exchange correctly?
• Does the server accept that the client sends extra long padding
  in the block cipher modes? The encrypted record must be a multiple of 8 or 16 (depending on encryption method), so it must be padded with anything from 0 to 255 bytes, as long as the total length is a multiple of the block length (8 or 16 bytes).
• Correct handling of bad data in the Renego extension?

A number of these are tested in various combinations, some enabled, others not.

In most cases, once the TLS connection has been successfully established, the Prober will shut it down; only in a few tests will it send a limited request to the server. Some tests use functionality that is not supported by TLSLite, such as the large number of encryption methods it tests for, and in such cases the Prober will shut down the connection as soon as it has all the necessary information, since it cannot complete the full handshake.

The number of tests can range from about 60 to upwards of a couple of hundred, performed one at a time, depending on the capabilities of the server, and how many problems are encountered. If a connection fails, the Prober will retry a couple of times to make sure it was a test failure,
and not something unrelated that caused the connection to be closed. The whole process can take a few minutes depending on network speed and response times.

Additionally the Prober collects data about:

• Name and version of server software, if provided. For a HTTPS site
  this is done by sending a HTTP HEAD request for https://www.example.com/, an action that limits the load on the server, and avoids sending unnecessary data to the Prober since the response is only the HTTP headers, not content. For mail servers the first "hello" line from the server is registered, although it is not a reliable indication of vendor and version.
• Certificates presented by the server
• OCSP Certificate status from extension
• Length of temporary Diffie-Hellman key (DHE-key)

At present the TLS Prober supports the following application protocols:

• HTTPS
• IMAP
• POP
• SMTP

In addition to the Prober, the system also has a scanning functionality that can check various domains (either by name or IP address range) for servers on specific hostnames and ports. This scanner will only do a quick test to see if there is something that looks like a SSL/TLS server on the tested port, and if so, registers it for a full test with the Prober once the scanner has completed its run.

A few system administrators have asked about what tls-testing.opera.com/probes.opera.com does, and we hope the above description satisfies those who wonder about what goes on, and that they have been assured that the Prober is only testing legitimate, or almost legitimate, variations of the TLS protocol, and is not trying to break into, or damage, their servers.

If your server is among those being tested, thank you for your participation (and another thank you if you have patched the Renego issue).

In the year or so we have been running the TLS Prober we have steadily expanded which tests are performed¹, in addition to the checks for support of the TLS Renego patch. Thus, we have added tests for various standard compliance problems, for example.

Most recently, we added tests for TLS connection renegotiation, a test that has been delayed due to the significant changes that were needed in the TLS client implementation source. Renegotiation is used to change the encryption keys for the connection in midflight. This is the functionality that had the error that caused the Rengo Indication Extension patch to be necessary. Renegotiation can be used to add more confidentiality to the handshake, and many use this functionality when requesting Client Certificate authentication, in part to protect the user's identity.

Last week, we also added a lot of new hostnames to the list of servers (and more are being planned), by testing about 200 different hostnames for each domain in the Alexa top million list. The result was a 10-fold increase in number of names (from 2 million to 23 million, though it only resulted in a 50% increase in the number of unique servers (~380000 to ~590000), due to the number of IP addresses having multiple names assigned to them. Given the size of the list, I am considering running it only every month or so.

The current numbers indicate the following:

• 28.1% of probed servers perform renegotiation.
• 0.2% of servers requested renegotiation during the simple tests we perform.
• This means that 27.9% of servers accept client-initiated renegotiation.

On their own, these numbers might not look that bad, but it gets worse once you look at these numbers in association with other information about these servers.

That 27.9% of servers accept renegotiation indicate a significant problem, since most of these sites do not need renegotiation, particularly not the client-initiated variant (no major browser client actually supports it). Part of the reason for the number of servers is that accepting renegotiation has been enabled in OpenSSL, and probably other SSL/TLS implementations, by default until the Renego problem was discovered, and Apache servers make up about 70% of the affected servers, but Microsoft IIS is registered for about 10% of the sites (but for both a front-end server may be handling the actual SSL/TLS connections).

Looking specifically at which of these servers are Renego patched, and which aren't, a really problematic pattern emerges: Only 0.5% of the sites allowing client-initiated renegotiation are Renego patched, 99.5% are NOT patched (for server-initiated renegotiation 71% of the servers are patched).

This is bad news, because it means that these 27.9% of all the tested servers are vulnerable to the full HTTP injection Renego attack, meaning that somebody could be manipulating what requests are sent to the unpatched "secure" website server you are visiting, and there is no direct way to tell if it is happening.

When you combine this with the fact that 45.7% of all servers are unpatched, you get an even more problematic number: Of the unpatched servers, 61% are vulnerable to the Renego attack. That is, roughly, only 2 of 5 (a bit more than 1 of every 3) unpatched sites are *apparently* safe from the attack. However, since the site could still perform renegotiation under very specific preconditions we are not able to use, we have no way to know for certain.

I do not know whether anyone has actually used this attack mode, short of the first Proof of Concept announcements, I have noticed no reports about it being used. While it is relatively easy to execute, it does require a bit of preparations, particularly being able to intercept the client's connection. My guess is that, if such attacks have been performed, they have been mistakenly been thought to be the result of phishing, rather than an injection attack. If the attack isn't used, it is probably because standard phishing and malware tactics work equally well, or better.

However, that an attack vector is (apparently) not used, does not mean that it is safe to leave it in place, particularly when the problem is so easy to detect, and to fix.

Then, there is what Ivan Ristic noticed about a month ago when he was running a new survey: there were fewer patched websites when their Alexa rank was higher, than when it was further down on the list. A check of our own numbers confirmed this: in parts of the Alexa top 1000 as few as 20% of the servers are Renego patched, and, in fact, even including the whole list of Alexa ranked sites we are testing, the coverage never exceeds the overall patch coverage in the set. This means that less popular sites must have a significantly higher patch coverage than popular sites, since the non-Alexa sites in the list are about 25% of the test set. If there should have been a difference between these groups, the percentages should, by rights, be the other way around; popular sites should have a much higher patch rate than less popular sites.

When checking this, and correlating to the servers accepting renegotiation, in parts of the Alexa list as many as 80% of the unpatched, high ranking servers accepts renegotiation and are vulnerable to the injection attack!

Lastly, there are the sites with Extended Validation certificates. Those ought to have their server properly patched, right? Wrong! Unfortunately. While 54% of all tested servers have been patched, only 50% of tested EV sites have been patched; that is, the patch coverage is about 90% of the general coverage. For the most part we see the same pattern for high-ranking sites as mentioned above, except that among the top 100 sites, the patch coverage is significantly higher than the general coverage in that segment, although far below the overall patch coverage.



While some high-ranking sites, most notably Google, have patched their servers, a large number have not, Facebook, Yahoo!, and Amazon are foremost among those that haven't patched.

Among the unpatched sites, Facebook and Amazon are playing it (relatively) safe, but we can unfortunately currently count Yahoo and many other popular sites as vulnerable. Although at least one major site has protected its main entry sites against the vulnerability, they haven't patched the problem, and other servers on the site were vulnerable.



These numbers definitely make me consider whether browsers should remove the EV indication, disable the padlock for Renego unpatched sites, or turn on the security warning, despite the fact that doing so would cause trouble for almost half the most popular websites. Unfortunately, at present, this is something that probably require coordinating with the other browsers.

A problem with this is that I believe a number of SSL accelerator companies still haven't released fixes; the latest news from one is that the patch will be released in June, which is not a moment too soon, if you ask me.

However, if you as a user want to get more visible indications about unpatched sites than the one in the Security Information dialog available from the security indicator, in Opera you can get this by updating the opera:config#SecurityPrefs|CryptoMethodOverrides preference with a sum of your selection of the following:

• 128: Disable EV for unpatched sites
• 1024: Disable padlock/secure indication for unpatched sites (implies Disable EV)
• 256: Warn about unpatched sites (implies disable EV)
• 2048: Disable support for server initiated renegotiation if the server is not renego patched. This protect against attacks that target the client (which is not that different from other MITM attacks), but may cause connections to hang or end with an error on unpatched sites that apparently require this functionality (about 0.1% of probed sites).

Keep in mind that this preference will get overwritten once the browsers start taking broader action against theses sites.

At present, I am not planning to publish the list of servers, but we have shared the current list of 193000 unpatched servers (of 267000) with the CAs that are members of the CA/Browser forum, including whether the site in question is vulnerable to the injection attack.

As for the websites: Facebook, Yahoo!, Amazon, and the rest, it is time to get down from the patch fence!