zlacker

[parent] [thread] 17 comments
1. codero+(OP)[view] [source] 2017-02-28 01:47:50
Rejecting anything it doesn't understand sounds like a bug to me. If it sees that it's TLS, it should attempt a protocol downgrade. There's absolutely no reason for this to break, as TLS 1.3 exists alongside TLS 1.2 (For now).
replies(5): >>ehsank+k >>234dd5+u5 >>userbi+w7 >>jlgadd+Sj >>skywho+3M
2. ehsank+k[view] [source] 2017-02-28 01:52:24
>>codero+(OP)
The surprising part (or maybe not) is that BlueCoat had been made aware of this change months ago and never got around properly testing it. This one of the softwares main purpose, and the fact that they didn't even make sure it works on the newest Chrome, leading to such a mess, is pretty sad.
replies(1): >>nikanj+So
3. 234dd5+u5[view] [source] 2017-02-28 03:02:51
>>codero+(OP)
It's a security feature, often malware will send encrypted traffic over 443 in an attempt to bypass firewalls. If BlueCoat can't understand the traffic, it drops it as it assumes it's malicious.
replies(2): >>theamk+t8 >>jarym+dt
4. userbi+w7[view] [source] 2017-02-28 03:30:01
>>codero+(OP)
Rejecting anything it doesn't understand sounds like a bug to me.

It sounds like a perfectly reasonable behaviour if the goal is to "fail closed", to provide more security in a fashion similar to a whitelist.

If it sees that it's TLS, it should attempt a protocol downgrade.

I don't remember the exact details but I recall reading that TLS has a mechanism to prevent version downgrades, precisely to defend against such "attacks", so the connection would not succeed in that case either.

replies(4): >>codero+C8 >>ademar+d9 >>tbrowb+wc >>deatha+jl
◧◩
5. theamk+t8[view] [source] [discussion] 2017-02-28 03:43:09
>>234dd5+u5
But the traffic is totally understandable -- the right action does not require knowing what TLS 1.3 is.

The way it is supposed to work is as following: there is a protocol negotiation when the connection is established (which is obviously unencrypted), which contains TLS version supported. If MITM proxy does not understand the version, it can just change these bytes to force hosts to negotiate at a lower version.

So the only reason BlueCoat fails is because the authors failed to implement force version downgrade.

◧◩
6. codero+C8[view] [source] [discussion] 2017-02-28 03:45:43
>>userbi+w7
Client and Server exchange a list of capabilities at the beginning of a TLS connection, if the proxy just filters out the protocols/versions it doesn't understand, server/client will agree on a different version (like 1.2).
◧◩
7. ademar+d9[view] [source] [discussion] 2017-02-28 03:53:38
>>userbi+w7
> It sounds like a perfectly reasonable behaviour if the goal is to "fail closed", to provide more security in a fashion similar to a whitelist.

This reminds me of firewalls that weaken security by filtering unrecognized HTTP headers: https://news.ycombinator.com/item?id=12655180

◧◩
8. tbrowb+wc[view] [source] [discussion] 2017-02-28 04:35:27
>>userbi+w7
The TLS negotiation is mutual. Both endpoints tell each other what they support and they agree on a protocol that's mutually supported.

If merely advertising 1.3 while still advertising older versions causes blue coat to break, it has a bug in TLS version negotiation.

There is no downgrade or whitelist or failing closed. Each end says what they support and BlueCoat blows up the connection if it sees that the other end supports a newer version. It should say "oh we both support 1.2 let's use that" And apparently it's done this before so there's even less an excuse for it.

replies(1): >>rocqua+wt
9. jlgadd+Sj[view] [source] 2017-02-28 06:12:16
>>codero+(OP)
On the other hand, allowing stuff that you don't understand gives us things like the CSRF vulnerabilities in MongoDB and such.

In the case of a security appliance -- such as this -- it should, in my opinion, "fail closed".

replies(1): >>deatha+Rk
◧◩
10. deatha+Rk[view] [source] [discussion] 2017-02-28 06:28:16
>>jlgadd+Sj
Sorry, no. TLS is explicitly designed to allow smooth upgrading like this. This proxy is supposed to (in response to a client hello w/ TLSv1.3) respond with TLSv1.2 if that's what it supports. This is still a rigorous parsing of the input being given: nothing is "not understood": version negotiation is an inherent part of the protocol and is supposed to allow for painless upgrades to more secure protocols.

The RFC (which if you're implementing TLS, you should have open at all times) explicitly calls out exactly this behavior:

> Note: some server implementations are known to implement version negotiation incorrectly. For example, there are buggy TLS 1.0 servers that simply close the connection when the client offers a version newer than TLS 1.0.

The quality of this vendor's implementation is extremely suspect.

replies(1): >>rocqua+Dt
◧◩
11. deatha+jl[view] [source] [discussion] 2017-02-28 06:37:39
>>userbi+w7
I've written a similar rebuttal to your sibling's comment here[1].

This isn't "failing closed", and this isn't a whitelist. TLS allows you to whitelist to certain versions of the protocol during the initial negotiation at the start of the protocol; that is the opportunity for either end to state what version of the protocol they'd like. It is not permissible in the protocol to close the connection as Blue Coat is doing.

This isn't a downgrade attack, either: both server and client are free to choose their protocol version at the beginning. The client & server will later verify that the actual protocol in use is the one they intended; this is what prevents downgrades.

[1]: https://news.ycombinator.com/item?id=13751737

◧◩
12. nikanj+So[view] [source] [discussion] 2017-02-28 07:27:43
>>ehsank+k
The way this is going to be spinned, I promise you, is: Google released a new version of Chrome, and support for that upgrade is in BlueCoat v.next. Here's an invoice for the new license+consulting services for the upgrade.

In corporate environments, the last thing that changes is the thing that gets blamed. BlueCoat was not upgraded, Chrome was, and now things are broken? Not their fault.

◧◩
13. jarym+dt[view] [source] [discussion] 2017-02-28 08:31:24
>>234dd5+u5
The Bluecoat sales people did a number on you huh? Sounds really good until you ask 'why doesn't Bluecoat understand this traffic' - because it really should.
replies(1): >>icebra+1F
◧◩◪
14. rocqua+wt[view] [source] [discussion] 2017-02-28 08:37:45
>>tbrowb+wc
This is apparently a problem when bluecoat is used in non-mitm mode. That probably means bluecoat is merely inspecting the initial handshake, not modifying it. That would imply it can't actually modify the handshake.

It then simply inspects a connection it doesn't understand and 'fails closed' by preventing that connection.

◧◩◪
15. rocqua+Dt[view] [source] [discussion] 2017-02-28 08:39:06
>>deatha+Rk
The issue only occurs in non-mitm mode, probably meaning the box doesn't actually do the TLS handsake, instead merely inspecting it.
◧◩◪
16. icebra+1F[view] [source] [discussion] 2017-02-28 11:34:48
>>jarym+dt
TLS 1.3 is still quite new, doesn't seem outrageous that they take a bit to implement it.
replies(1): >>deatha+bB1
17. skywho+3M[view] [source] 2017-02-28 13:05:06
>>codero+(OP)
It's in BlueCoat's political interests to make sure TLS 1.3 rolls out as slowly as possible since it actively works against their entire business model, so they have zero incentive to be proactive about this until the TLS 1.3 extensions are approved that make MITM possible again.
◧◩◪◨
18. deatha+bB1[view] [source] [discussion] 2017-02-28 18:56:14
>>icebra+1F
This is a failure to implement any version of TLS correctly, not just v1.3. (TLS has support for version negotiation including receiving a hello from a client with a future version, such as v1.3.)
[go to top]