For those of you paying attention to mailing lists early last night, you may have noticed a curious email come through, regarding a “Truly scary” SSL3.0 vulnerability about to drop – and drop it did today.
The vulnerability, known as
, allows attackers to partially decipher bits of plaintext, such as session cookies, in conjunction with a man-in-the-middle attack where an attacker can modify traffic. The really scary part (imo) is on Page 3 of the whitepaper:
The expected overall effort is 256 SSL 3.0 requests per byte.
This is amazingly low, meaning that depending on the circumstances of exploitation, your typical web app session cookie can be broken in minutes.
With the rising popularity of iPhone and iPad devices, we are running into more and more applications which require a valid SSL certificate for all connections. In order to properly assess the security of these applications, we need to intercept the SSL connections they make. This post shows our technique for doing this.
Please note that this is not a vulnerability in iOS, and that everything is working as intended. This is the method we use for intercepting SSL connections made by iOS applications, and assumes you’re already able to forward such connections (using pf, iptables, or something similar) to your machine. This also assumes that you will be using burp suite proxy
Firstly, set up a working directory. This blog post assume you’re working with the following working directory structure:
echo 01 > serial
Then, copy your “openssl.cnf” file from somewhere in “/etc” into “conf/caconfig.cnf”
The location of your “openssl.cnf” file may vary “find /etc | grep openssl.cnf” may help.