Security Basics mailing list archives

Re: SSL and TCP RST/SYN attack


From: Radmilo Racic <rracic () gmail com>
Date: Wed, 23 Sep 2009 09:02:47 -0700

David,
what you describe is a MITM attack on TCP, not SSL. Sending fake TCP
RST packets is not trivial as one would have to guess the sequence
number (a number between 1 and 2^32-1) correctly. Granted, given a
fixed TCP window size you only need to guess a number that falls
within the window range (total of 2^32 / window_size guesses). Sending
TCP SYN is similar but it closes the local end of the connection.
There are various ways to defend against the DoS attacks on TCP. I
would encourage you to look into the OpenBSD solution and/or some
academic/theory-based approaches.

Either way, it would be incorrect to state that this is an intrinsic
vulnerability in SSL.

Cheers,
-- Radmilo

On Sun, Sep 20, 2009 at 9:29 AM, David Zhang <david.zhang1965 () gmail com> wrote:

Hi all:
I would like to ask a question about SSL. Consider the situation where
there is a man in the middle. Because he can always fake TCP RST/SYN
packets, he can always block the client from getting service from the
https server.

So can I say that this is an intrinsic vulnerability in SSL, as,
considering the situation where the attacker is on the same LAN as
the client, the attacker can always block the client from reaching his
server (say on-line banking)?

Thanks
David
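An added example, not part of the thread: a small Python model of how a TCP receiver judges an incoming RST against its receive window, plus Radmilo's 2^32 / window_size guessing arithmetic. The RFC 5961 challenge-ACK rule (only an RST whose SEQ equals RCV.NXT aborts the connection) is one later, standardized hardening of the behaviour and is not something the thread itself mentions; the state names and sample values are constructed for illustration.

```python
# Constructed example: receiver-side RST validation and blind-guess cost.
from dataclasses import dataclass
from math import ceil

SEQ_SPACE = 2 ** 32  # TCP sequence numbers live in [0, 2^32)


@dataclass
class RecvState:
    rcv_nxt: int  # next sequence number the receiver expects
    rcv_wnd: int  # advertised receive window, in bytes


def in_window(state: RecvState, seq: int) -> bool:
    """True if seq falls in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32.

    The modulo arithmetic handles sequence-number wraparound correctly.
    """
    return (seq - state.rcv_nxt) % SEQ_SPACE < state.rcv_wnd


def classic_rst_action(state: RecvState, seq: int) -> str:
    """Pre-RFC-5961 behaviour: any in-window RST tears the connection down,
    so a blind spoofer only has to land anywhere inside the window."""
    return "abort" if in_window(state, seq) else "drop"


def rfc5961_rst_action(state: RecvState, seq: int) -> str:
    """RFC 5961 section 3.2: an RST aborts only if SEQ == RCV.NXT exactly;
    an in-window but inexact RST gets a challenge ACK (the legitimate peer
    will then resend an RST with the exact number); anything else is dropped."""
    if seq == state.rcv_nxt:
        return "abort"
    if in_window(state, seq):
        return "challenge_ack"
    return "drop"


def guesses_to_sweep(window: int, exact_required: bool) -> int:
    """Distinct RST sequence numbers needed to guarantee one is accepted.

    This is Radmilo's 2^32 / window_size figure for the classic receiver;
    with RFC 5961 the accepting range shrinks to a single value.
    """
    accepting = 1 if exact_required else window
    return ceil(SEQ_SPACE / accepting)


if __name__ == "__main__":
    st = RecvState(rcv_nxt=100_000, rcv_wnd=65_536)  # constructed state
    for seq in (100_000, 120_000, 900_000):
        print(seq, classic_rst_action(st, seq), rfc5961_rst_action(st, seq))
    print(guesses_to_sweep(65_536, False), guesses_to_sweep(65_536, True))
```

The sweep counts show why a larger advertised window helps a spoofer against a classic receiver and why the exact-match rule removes that advantage entirely.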
