Since this is a rather old topic with both sides having valid points, I will keep this post short and sweet. I have had no time to measure or investigate in depth and I don't think I will find any.

Both have understandable viewpoints, so let's have a look.


Secure renegotiation makes it easier - THC-SSL DoS
A short, non-technical background: when SSL connections are set up, they require server-side computational effort (RSA decryption). If you set up connections repeatedly, this consumes a lot of resources on the server and might lead to denial of service.

THC uses the recently introduced secure renegotiation feature to set up SSL connections repeatedly; in effect, they are abusing a security feature.

On the WordPress site it is claimed that:

Interesting here is that a security feature that was supposed to make SSL more secure makes it indeed more vulnerable to this attack:
URLs :

By Design (Eric Rescorla)

Eric takes a very factual, systematic approach to this issue, particularly with regard to the claim that the renegotiation feature makes it "more vulnerable to this attack". (Errata: I previously attributed the blog to Marsh Ray)

Eric's holistic viewpoint includes the total cost to the attacker of carrying out this attack. This is a standard way to weigh whether a given path is more costly for the attacker and hence less likely to be chosen:
If I want to mount the old, multiple connection attack, I need to incur the following costs:
  1. Do the TCP handshake (3 packets)
  2. Send the SSL/TLS ClientHello (1 packet). This can be a canned message.
  3. Send the SSL/TLS ClientKeyExchange, ChangeCipherSpec, Finished messages (1 packet). These can also be canned.
His viewpoint on the same exhaustion attack using the secure renegotiation mechanism, which is claimed to make it "more vulnerable":
Now let's look at the "new" single connection attack based on renegotiation. I need to incur the following costs
  1. Do the TCP handshake (3 packets) [once per connection.]
  2. Send the SSL/TLS ClientHello (1 packet). This can be a canned message.
  3. Receive the server's messages and parse the server's ServerHello to get the ServerRandom (1-3 packets).
  4. Send the SSL/TLS ClientKeyExchange and ChangeCipherSpec messages (1 packet).
  5. Compute the SSL/TLS PRF to generate the traffic keys.
  6. Send a valid Finished message.
  7. Repeat steps 2-7 as necessary.
Eric goes on:
Briefly then, we've taken an attack which was previously limited by network bandwidth and slightly reduced the bandwidth (by a factor of about 2 in packets/sec and less than 10% in number of bytes) at the cost of significantly higher computational effort on the attacker's client machines. Depending on the exact characteristics of your attack machines, this might be better or worse, but it's not exactly a huge improvement in any case.
and finally concludes:
All the known defenses are about trying to make it easier to distinguish legitimate users from attackers before you've invested a lot of resources in them, but this turns out to be inherently difficult and we don't have any really good solutions
I for one rest my case; there isn't anything more to say on this particular subject.
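
As an added illustration of the comparison above (not code from this post or from Eric's analysis): the server pays for one private-key operation per full handshake whether it opens a new connection or renegotiates an existing one, so a per-client handshake budget has to count both. The event tuples, the IP addresses and the function names `over_budget` and `handshakes_per_connection` are assumptions constructed for this example.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, client_ip, connection_id, kind).
# kind is "initial" for the first handshake on a TCP connection and
# "renegotiation" for any later handshake on the same connection.
EVENTS = (
    # one connection, renegotiated every 100 ms
    [(t / 10, "198.51.100.7", "c1", "initial" if t == 0 else "renegotiation")
     for t in range(40)]
    # a new connection every 100 ms, one handshake each
    + [(t / 10, "203.0.113.9", f"m{t}", "initial") for t in range(40)]
    # an ordinary client
    + [(0.0, "192.0.2.10", "u1", "initial"), (2.5, "192.0.2.10", "u2", "initial")]
)

def over_budget(events, limit, window, count_renegotiation=True):
    """Return client IPs with more than `limit` handshakes inside any
    `window` seconds. With count_renegotiation=False only new connections
    are counted, which is what a plain connection-rate limit sees."""
    recent = defaultdict(deque)  # ip -> handshake timestamps still in the window
    flagged = set()
    for ts, ip, _conn, kind in sorted(events):
        if kind == "renegotiation" and not count_renegotiation:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged

def handshakes_per_connection(events):
    """Largest number of handshakes seen on a single connection, per client IP."""
    per_conn = defaultdict(int)
    for _ts, ip, conn, _kind in events:
        per_conn[(ip, conn)] += 1
    worst = defaultdict(int)
    for (ip, _conn), n in per_conn.items():
        worst[ip] = max(worst[ip], n)
    return dict(worst)

if __name__ == "__main__":
    print(sorted(over_budget(EVENTS, limit=5, window=1.0)))
    print(sorted(over_budget(EVENTS, limit=5, window=1.0, count_renegotiation=False)))
    print(handshakes_per_connection(EVENTS))
```

Counting only new connections flags the multi-connection client and misses the single renegotiating connection; counting every handshake flags both and leaves the ordinary client alone.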

URL :
Recommendations / FAQ
http://orchilles.com/2011/04/ssl-renegotiation-dos-faq.html



TOC

  • Introduction
  • Updates
  • Attacker Classes
  • Attacker Pyramid
  • Q&A

Updates

  • 24.10.2011 - Renamed "Business Asset" to "Typical Targeted Asset", added Sophistication Pyramid
  • 24.10.2011 - Added Q&A section
  • 17.05.2012 - Added my OWASP BeNeLux presentation, which is in line with the overall context and further explains the rationale
  • 17.05.2012 - Renamed "Targeted" to "Professional" in the pyramid for consistency

Introduction

At OWASP BeNeLux 2011 I presented The Rise of the Vulnerability Markets - History, Impacts, Mitigations, which sets out the reasoning behind the attacker-centric model and the impacts and motivations that follow from it - the pieces that make it useful as an input to threat modelling.

Attacker Classes

The model distinguishes four classes:

  • Opportunists
  • Targeting Opportunists
  • Professionals
  • State-Funded

Opportunists

This class covers bots, worms, mass malware, and script kiddies. They are opportunistic in the sense that they move on if they don't find a particular known vulnerability. Sophistication is relatively low, and to compensate they operate at scale.

Keywords: large scale, low-hanging fruit, low sophistication.

Targeting Opportunists

A more focused subset of Opportunists. They don't scan the internet at random and stop at whatever they stumble across; they pick a single organisation and probe it continuously, looking for weak spots.

Keywords: targeted at a specific organisation, continuous probing, more sophistication, more motivation.

Professionals

Digital mercenaries. Sophisticated attackers targeting specific organisations and assets over extended periods. This class does not stop at low-hanging fruit or a single attack vector - they pursue the objective by whatever means it takes. They are funded to some degree, and their skill level lets them develop new attack techniques and bypasses for exploit mitigations.

Keywords: targeted, motivated, sophisticated.

State-Funded

This class represents very well-funded and sophisticated attackers acting in the interests of nation states. Their targets are intellectual property, strategic assets, and classified information.

Keywords: targeted, specialised, Stuxnet.

Attacker Pyramid

The diagram below shows what I call the Attacker Pyramid. The left-hand pyramid shows the four attacker classes; the surface area of each layer indicates the relative number of threat agents in that class. The right-hand pyramid shows the assets each class is after, with the surface area indicating the relative value those assets represent to the business.

Attacker Classes and Sophistication

The pyramids above can be complemented by an inverse pyramid representing motivation, sophistication and funding.

Attacker Class Triad

The complete triad looks like this:

Q&A

What is the difference between this and Veris?

Veris is post-mortem - essentially an incident classification framework. There's no real link between Veris and the Attacker Pyramid. What's presented here is the concept of adjusting your defences to the highest attacker class expected (HAE). It serves as a framework to classify data and assets into buckets so you can zone and protect them accordingly.

Why "Attacker Class" and not "Threat Agent"?

The concept centres on malicious intent, not natural hazards or the other general categories that fall under "threat agent." I like the term "threat agent" and might swap "attacker class" for something else at some point, but I still think it captures motivation and intent more directly than the more generic label.