This vulnerability affects parsing maliciously crafted certificates, so it will mostly affect clients. If your app is fetching data from a 3rd party and validating its certificate, it may be vulnerable, regardless of how you are fronting requests to your site.
For an intermediary like a WAF, load-balancer, or CDN to help it needs to do all of the certificate processing and keep your backend app from seeing the certificate at all. If you are terminating HTTPS at the edge and using HTTP internally that's very likely but if you're using an NLB instead of an ALB, it's not. Similarly, you'd also want to see if there's any application-level path where a certificate would be included in an uploaded file but that's far less common.
Depends if s2n is vulnerable to the same bug. Of course AWS doesn't protect you against application bugs so if your application has an SSRF vulnerability (presumably otherwise unexploitable) an attacker might be able to DoS you.
They don't mention S/MIME or things like signed binaries or SAML assertions but those seem plausibly vulnerable as well.
how is it even possible to have the question of whether there can be an infinite loop during establishing a data channel? just make the user provide the public key and do a handshake [1]. X.509 is literally a non-practical academic idea like CSS. software is bad because everyone accepts bad ideas.
1. yes, having things done the right way where they need to be done makes sense. think of the user after. for instance, you could just make his stupid cloud device aggregate all the keys he needs automatically
> X.509 is literally a non-practical academic idea
Non-practical but https has been running on it for decades now?
Yeah there are issues with it and as someone that's worked with it a lot at the profile design and issuing level, I think it's high time we came up with a replacement and ditched ASN.1 entirely. But ...
It's hard to see it as a non-practical, academic idea when it's out there, deeply embedded in the internet, everywhere.
> just make the user provide the public key
Doesn't solve the problems X.509 addresses. There's a lot more going on than a method to exchange keys.
> It's hard to see it as a non-practical, academic idea when it's out there, deeply embedded in the internet, everywhere.
It is non-practical, has no application in reality, and the direct consequence of using such a tool is massive security problems being disclosed every year.
> Doesn't solve the problems X.509 addresses.
What problem does X.509 address? Not only is it needlessly centralized, but your connection can be intercepted as long as one single CA anywhere is compromised. The "solution" to this is to log what certs each client got, reducing their privacy because this would allow us to detect when an attack happened, after it already happened (followed by a barrage of petty arguments like "w-well, it would disincentivize an attacker"). Also, a domain name that sounds kind of like the company you want to connect to is not proof that you have the right domain name. You still have to ask them for the right domain name, at which point you may as well have just received their public key. The alternative is to do this dog shit thing you guys keep doing where you complain about Google search not being regulated enough and enact more ad-hoc laws many of which backfire. Imagine search engines having to do work to find the "real" domain for some company. This is 10th level stupidity, we could not have got here without several other generations of stupidity becoming normalized prior.
How do you prevent it from being sent to the wrong domain and enabling MITM phishing?
X.509 has a lot of issues but they've thought through a number of things. Whatever you replace it with would have similar problems. Even if you "just sent a key" it would have to be parsed in some way (Say it's RSA, you'd still have to pull the module and exponent out before you could do anything with it, if the channel is text you'd probably do some base64 decoding etc.)
In particular:
"
In OpenSSL, this loop resulted in a DoS vulnerability, CVE-2022-0778.
BoringSSL is mostly unaffected by this. In particular, this case is not
reachable in BoringSSL from certificate and other ASN.1 elliptic curve
parsing code. Any impact in BoringSSL is limited to:
- Callers of EC_GROUP_new_curve_GFp that take untrusted curve parameters
- Callers of BN_mod_sqrt that take untrusted moduli"
Readit News
Actually, it is the opposite.
You seem to be unaware of the fact that servers do receive certificates from the clients which are then parsed.
Which is already mentioned in the advisory document:
They don't mention S/MIME or things like signed binaries or SAML assertions but those seem plausibly vulnerable as well.
they removed a lot of cruft, but this is needed
1. yes, having things done the right way where they need to be done makes sense. think of the user after. for instance, you could just make his stupid cloud device aggregate all the keys he needs automatically
Non-practical but https has been running on it for decades now?
Yeah there are issues with it and as someone that's worked with it a lot at the profile design and issuing level, I think it's high time we came up with a replacement and ditched ASN.1 entirely. But ...
It's hard to see it as a non-practical, academic idea when it's out there, deeply embedded in the internet, everywhere.
> just make the user provide the public key
Doesn't solve the problems X.509 addresses. There's a lot more going on than a method to exchange keys.
It is non-practical, has no application in reality, and the direct consequence of using such a tool is massive security problems being disclosed every year.
> Doesn't solve the problems X.509 addresses.
What problem does X.509 address? Not only is it needlessly centralized, but your connection can be intercepted as long as one single CA anywhere is compromised. The "solution" to this is to log what certs each client got, reducing their privacy because this would allow us to detect when an attack happened, after it already happened (followed by a barrage of petty arguments like "w-well, it would disincentivize an attacker"). Also, a domain name that sounds kind of like the company you want to connect to is not proof that you have the right domain name. You still have to ask them for the right domain name, at which point you may as well have just received their public key. The alternative is to do this dog shit thing you guys keep doing where you complain about Google search not being regulated enough and enact more ad-hoc laws many of which backfire. Imagine search engines having to do work to find the "real" domain for some company. This is 10th level stupidity, we could not have got here without several other generations of stupidity becoming normalized prior.
Which format?
What algorithim?
How do you prevent it from being sent to the wrong domain and enabling MITM phishing?
X.509 has a lot of issues but they've thought through a number of things. Whatever you replace it with would have similar problems. Even if you "just sent a key" it would have to be parsed in some way (Say it's RSA, you'd still have to pull the module and exponent out before you could do anything with it, if the channel is text you'd probably do some base64 decoding etc.)
> How do you prevent it from being sent to the wrong domain and enabling MITM phishing?
TOFU. Petnames.
> it would have to be parsed in some way
Encoding a key is trivial, even with an ad-hoc serialization format. Nothing near what X.509 does.
In particular: " In OpenSSL, this loop resulted in a DoS vulnerability, CVE-2022-0778. BoringSSL is mostly unaffected by this. In particular, this case is not reachable in BoringSSL from certificate and other ASN.1 elliptic curve parsing code. Any impact in BoringSSL is limited to:
- Callers of EC_GROUP_new_curve_GFp that take untrusted curve parameters - Callers of BN_mod_sqrt that take untrusted moduli"
:D :D :D