














FalseCONNECT Vulnerability Affects Software From Apple, Microsoft, Oracle, More (softpedia.com)
An anonymous reader writes from a report via Softpedia: "Researcher Jerry Decime revealed details about a security vulnerability that allows an attacker to gain a Man-in-the-Middle position and intercept HTTPS traffic thanks to flaws in the implementation of proxy authentication procedures in various products," reports Softpedia. The flaw can be used to collect user credentials by tricking victims into re-authenticating, sending data to a third party. Multiple software vendors deploy applications that can handle proxy connections. Until now, Apple, Microsoft, Oracle, and Opera have acknowledged their products are affected. Lenovo said this bug does not impact its software. Other software vendors that are still evaluating the FalseCONNECT bug and may be affected include multiple Linux distros, Cisco, Google, HP, IBM, Juniper, Mozilla, Nokia, OpenBSD, SAP, Sony, and others.
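A defensive sketch of the client-side handling the summary is about, added here as an example and not taken from the report, the thread, or any vendor's code. It assumes the flaw concerns how a client treats a proxy's 407 reply to a CONNECT request; the function name, the scheme allow-list and the sample byte strings are constructed for illustration.

```python
# Added example: defensive handling of a proxy's reply to CONNECT.
# Assumption: the reply arrives in cleartext before TLS starts, so anyone
# on the path can forge it and nothing in it is authenticated.

ALLOWED_SCHEMES = {"basic", "digest", "negotiate", "ntlm"}

def parse_connect_reply(raw: bytes) -> dict:
    """Return only what a client may safely act on; the body is never exposed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return {"action": "abort", "reason": "malformed status line"}
    status = int(parts[1])
    if 200 <= status < 300:
        return {"action": "start_tls"}  # tunnel is up; TLS authenticates the origin
    if status != 407:
        return {"action": "abort", "reason": f"proxy refused tunnel ({status})",
                "body_discarded": len(body)}
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate" and value.strip():
            scheme = value.strip().split(None, 1)[0].lower()
            if scheme in ALLOWED_SCHEMES and scheme not in schemes:
                schemes.append(scheme)
    if not schemes:
        return {"action": "abort", "reason": "407 without usable challenge",
                "body_discarded": len(body)}
    # Prompt from client-owned UI that names the proxy, never from the body.
    return {"action": "native_proxy_prompt", "schemes": schemes,
            "body_discarded": len(body)}

# Constructed samples: a 407 carrying an HTML body, a 407 with no challenge
# header, and a normal tunnel confirmation.
FORGED_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: Basic realm=\"corp\"\r\n"
              b"Content-Type: text/html\r\n\r\n"
              b"<html>Please sign in again</html>")
NO_CHALLENGE = b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n<html>login</html>"
TUNNEL_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"

if __name__ == "__main__":
    for sample in (FORGED_407, NO_CHALLENGE, TUNNEL_OK):
        print(parse_connect_reply(sample))
```

The result dictionary deliberately has no field for the response body, so calling code cannot render it in the context of the HTTPS site the user asked for.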
Re: (Score:3)
My vote is for both: It requires an imperfect user using imperfect software.
Re: (Score:2)
Re: (Score:2)
Uh... don't a lot of ISPs use proxies without necessarily letting their customers know?
Re: (Score:1)
Re: (Score:2)
Then you don't understand the tech at hand. The parent was talking about transparent proxies sitting within the ISP's network itself. And yes, this is actually a thing that exists within many ISPs.
Re: (Score:2)
Not only that - I believe ISPs also use them to cut down on the amount of data they are retrieving from networks other than their own.
Re: Tricks victims into reauthenticating (Score:3)
ISPs don't use proxies for that.
The two most common ways to track usage (in DSL/fibre networks, I am not that familiar with cable) are:
- RADIUS accounting from the BNG where the PPP (e.g. PPPoE) session terminates
- From a DPI-based in-line system (3GPP terminology is 'PCEF'). This can also typically be used for enabling transparent caching (but that can also be done with e.g. WCCP on a router in-line IIRC, but DPI can make better decisions on what traffic to send to caches).
But, typically there isn't authe
Re: (Score:2)
Actually RADIUS can do that. The proxies are for tracking your activity.
Re: (Score:1)
Re: (Score:2)
Unfortunately, some browsers will discover proxies as well. So if no proxy is in use, the bad guy can set one up and get everyone's browser to use it. That doesn't let them sniff the HTTPS traffic, but it does let them ask for a login. In a corporate environment, you can count on a lot of people entering their corporate login without a second thought.
Re: (Score:3)
FLOSS isn't "out in the open;" it's unknown. We don't KNOW that it's affected, and the "may be affected" line in the summary is purely speculative. The known affected parties were notified and given a short time to fix, as is standard procedure. If these security bug disclosure sites had unlimited resources, no one would be out in the cold. Alas, it cannot be.
Re: (Score:2)
Google uses Blink now, not WebKit... because it is OMGs so different! https://en.wikipedia.org/wiki/... [wikipedia.org]
In other words (Score:2)
We're all wearing the Emperor's New Clothes; some of us just haven't been embarrassed about it yet.