DC++ 0.851

A new security & stability update of DC++ has been released today.

There are no user visible new features this time; besides the latest OpenSSL security fixes and hardening secure connection further by disallowing weak ciphersuites this DC++ version largely focuses on mitigating malicious situations where DC++ can be used for distributed denial of service (DDoS) attacks when beeing logged in to certain malevolent NMDC hubs.

Please note that most, if not all previous DC++ versions are affected of this problem therefore this release is highly recommended for everyone still using any older DC++ versions. Once all maintained NMDC hub software implements the mitigation for this problem it is highly probable that many existing hubs will require this DC++ release as the minimum version to use.

If no critical issues found, DC++ 0.851 should be marked as the new stable DC++ release within a short period of time.

For the complete list of changes in version 0.851, please explore the changelog.

DC++ 0.850

The first new DC++ release in the last nine months, version 0.850 fixes and hardens security related functions further notably to avoid all popular TLS exploits emerged since last April.

This release also contains stability and performance updates of various 3rd party libraries and improvements of the latest version of the compiler.

For complete list of fixes and upgraded libraries, please explore the changelog items and the linked bug discussions.

DC Development hub revived

Following a two-month-long hiatus, adcs://hub.dcbase.org:16591 hosts the DC development hub again.

DC++ 0.842

The first stable release of the 0.840 series of DC++ is out. Besides a few SSL encryption related and stability fixes this version largely focuses on implementing various features asked for or recommended by the user community through our feature tracker.

The changelog shows all the implemented new features and fixes.

DC++ 0.842 also provides protection against the infamous “Heartbleed” OpenSSL vulnerability. This security hole has existed in DC++ since version 0.799.

There’s a high chance of version 0.842 is the last mainstream DC++ release that supports Windows XP.  Due to the still large userbase of the already unsupported operating system, security and major stability fixes are possible for a few more months using a separate branch targeting XP only. The update reminder system is modified so in case of any forthcoming version targeting Vista and later being released, XP users won’t see the notification dialog anymore.

From that time on people running Windows XP will see the update nag dialog only if there’s an update targeting their old OS. However, starting with version 0.840 every XP user gets a special reminder at startup about the EOS of DC++ in their operating system.

Due to the nice new features and security fixes the upgrade is highly recommended.

DC++ 0.831

A new bug fixing service release of DC++ has been released today fixing the following problems introduced with version 0.830:

  • One of the bugs, marked as critical, prevents DC++ to respond to TTH searches on NMDC hubs.
  • A problem with too small protocol command size limits can cause problems for hubs sending large user commands.
  • The newly introduced direct encrypted private message channels are getting disconnected after some idle time.

All the fixed problems exist in version 0.830 only thus older versions are not affected. For users running DC++ 0.830 the upgrade is highly recommended.

DC++ 0.830

Today we marked the first version of  the 0.83x series of DC++ as stable. The new release brings plenty of stability updates as well as introduces a new ADC feature to improve privacy.

The privacy improvement is actually an implementation of an ADC protocol extension called CCPM. Basically, it allows two peers to initate an SSL encrypted direct connection channel for sending and receiving private messages.

Until now, all private messages in the DC network has been gone through a hub where both users were logged in. While this method is great for controlling unwanted messages (spamming) it also makes possible for the hub owner to spy on any private communications.

Enter CCPM, a feature that still needs a hub to initiate the direct encrypted connection but the hub is needed only for the start. After the direct channel has been estabilished the messages go directly between the peers in an encrypted way. The channel initiation requires the two users to be logged on a secure ADC hub (ADCS).

The whole discussion of the protocol features and CCPM implementation can be found here (the implementation details with screenshots starts in this position of the thread). The built-in help of DC++ also describes the feature in the Private message window page and the availabe controlling options in the Certificates’ settings page (once updated, links will be added to  the web version of the DC++ help, too).

The list of other fixes in version 0.830 speak for themselves yet again this time, explore the changelog items and the linked bug discussions in them for more information.

BEAST, CRIME, BREACH, and Lucky 13: Assessing TLS in ADCS

1. Summary

Several TLS attacks since 2011 impel a reassessment of the security of ADC’s usage of TLS to form ADCS. While the specific attacks tend not to be trivially replicated in a DC client as opposed to a web browser, remaining conservative with respect to security remains useful, the issues they exploit could cause problems regardless, and ADCS’s best response thus becomes to deprecate SSL 3.0 and TLS 1.0. Ideally, one should use TLS 1.2 with AES-GCM. Failing that, ensuring that TLS 1.1 runs and chooses AES-based ciphersuite works adequately.

2. HTTP-over-TLS Attacks

BEAST renders practical Rogaway’s 2002 attack on the security of CBC ciphersuites in SSL/TLS by using an SSL/TLS server’s CBC padding MAC acceptance/rejection as a timing oracle. Asking whether each possible byte in each position results in successful MAC, it decodes an entire message. One can avert BEAST either by avoiding CBC in lieu of RC4 or updating to TLS 1.1 or 1.2, which mitigate the timing oracle and generate new random IVs to undermine BEAST’s sequential attack.

CRIME and BREACH build on a 2002 compression and information leakage of plaintext-based attack. CRIME “requires on average 6 requests to decrypt 1 cookie byte” and, like BEAST, recognizes DEFLATE’s smaller output when it has found a pre-existing copy of the correct plaintext in its dictionary. Unlike BEAST, CRIME and BREACH depend not on TLS version or CBC versus RC4 ciphersuites but merely compression. Disabling HTTP and TLS compression therefore avoids CRIME and BREACH.

One backwards-compatible solution thus far involves avoiding compression due to CRIME/BREACH and avoiding BEAST with RC4-based TLS ciphersuites. However, a new attack against RC4 in TLS by AlFardan, Bernstein, et al exploits double-byte ciphertext biases to reconstruct messages using approximately 229 ciphertexts; as few as 225 achieve a 60+% recovery rate. RC4-based ciphersuites decreasingly inspire confidence as a backwards-compatible yet secure approach to TLS, enough that the IETF circulates an RFC draft prohibiting RC4 ciphersuites.

Thus far treating DC as sufficiently HTTP-like to borrow their threat model, options narrow to TLS 1.1 or TLS 1.2 with an AES-derived ciphersuite. One needs still beware: Lucky 13 weakens even TLS 1.1 and TLS 1.2 AES-CBC ciphers, leaving between it and the RC4 attack no unscathed TLS 1.1 configuration. Instead, AlFardan and Paterson recommend to “switch to using AEAD ciphersuites, such as AES-GCM” and/or “modify TLS’s CBC-mode decryption procedure so as to remove the timing side channel”. They observe that each major TLS library has addressed the latter point, so that AES-CBC might remain somewhat secure; certainly superior to RC4.

3. ADC-over-TLS-specific Concerns

ADCS clients’ and hubs’ vulnerability profiles and relevant threat models regarding each of BEAST, CRIME, BREACH, Lucky 13, and the RC4 break differ from that of a web browser using HTTP. BEAST and AlFardan, Bernstein, et al’s RC4 attack both point to adopting TLS 1.1, a ubiquitously supportable requirement worth satisfying regardless. OpenSSL, NSS, GnuTLS, PolarSSL, CyaSSL, MatrixSSL, BouncyCastle, and Oracle’s standard Java crypto library have all already “addressedLucky 13.

ADCS doesn’t use TLS compression, so that aspect of CRIME/BREACH does not apply. The ZLIB extension does operate analogously to HTTP compression. Indeed, the BREACH authors remark that:

there is nothing particularly special about HTTP and TLS in this side-channel. Any time an attacker has the ability to inject their own payload into plaintext that is compressed, the potential for a CRIME-like attack is there. There are many widely used protocols that use the composition of encryption with compression; it is likely that other instances of this vulnerability exist.

ADCS provides an attacker this capability via logging onto a hub and sending CTMs and B, D, and E-type messages. Weaponizing it, however, operates better when these injected payloads can discover cookie-like repeated secrets, which ADC lacks. GPA and PAS operate via a challenge-reponse system. CTM cookies find use at most once. Private IDs would presumably have left a client-hub connection’s compression dictionary by the time an attack might otherwise succeed and don’t appear in client-client connections. While a detailed analysis of the extent of practical feasibility remains wanting, I’m skeptical CRIME and BREACH much threaten ADCS.

4. Mitigation and Prevention in ADCS

Regardless, some of these attacks could be avoided entirely with specification updates incurring no ongoing cost and hindering implenetation on no common platforms. Three distinct categories emerge: BEAST and Lucky 13 attacks CBC in TLS; the RC4 break, well, attacks RC4; and CRIME and BREACH attack compression. Since one shouldn’t use RC4 regardless, that leaves AES-CBC attacks and compression attacks.

Disabling compression might incur substantial bandwidth cost for little thus-far demonstrated security benefit, so although ZLIB implementors should remain aware of CRIME and BREACH, continued usage seems unproblematic.

Separately, BEAST and Lucky 13 point to requiring TLS 1.1 and, following draft IETF recomendations for secure use of TLS and DTLS, preferring TLS 1.2 with the TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 or other AES-GCM ciphersuite if supported by both endpoints. cryptlib, CyaSSL, GnuTLS, MatrixSSL, NSS, OpenSSL, PolarSSL, SChannel, and JSSE support both TLS 1.1 and TLS 1.2 and all but Java’s supports AES-GCM.

Suggested responses:

  • Consider how to communicate to ZLIB implementors the hazards and threat model, however minor, presented by CRIME and BREACH.
  • Formally deprecate SSL 3.0 and TLS 1.0 in the ADCS extension specification.
  • Discover which TLS versions and features clients (DC++ and variations, ncdc, Jucy, etc) and hubs (ADCH++, uHub, etc) support. If they use standard libraries, they probably all (except Jucy) already support TLS 1.2 with AES-GCM depending on how they configure their TLS libraries. Depending on results, one might already safely simply disable SSL 3.0 and TLS 1.0 in each such client and hub and prioritize TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 or a similar ciphersuite so that it finds use when mutually available. If this proves possible, the the ADCS extension specification should be updated to reflect this.
Follow

Get every new post delivered to your Inbox.

Join 30 other followers