
New TLS decryption attack affects one in three servers due to legacy SSLv2 support

Lucian Constantin | March 2, 2016
Researchers devise new technique to decrypt TLS connections between users and HTTPS servers that still support SSLv2.

Security researchers have discovered a new weakness that could allow attackers to spy on encrypted communications between users and one in three HTTPS servers.

The problem exists because many HTTPS servers still support the old and insecure SSL (Secure Sockets Layer) version 2 protocol. SSLv2 was superseded by SSLv3 in 1996, but only officially deprecated in 2011. SSLv3 was replaced, too, by the more modern TLS (Transport Layer Security) versions 1.0, 1.1 and 1.2.

SSLv2 should never be used for encrypted communications. However, security professionals didn't see support for it in server configurations as posing a security threat until now, because modern browsers and other TLS-capable clients wouldn't use it.

But a team of security researchers has shown that premise to be incorrect.

In a newly released research paper, they showed that if an HTTPS server supports SSLv2, an attacker can exploit it to decrypt intercepted connections from its clients even if those connections are using the latest and most secure version of the TLS protocol.

Their attack, dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), has several prerequisites, but is quite practical. First of all, the targeted HTTPS server needs to either support SSLv2 itself or to share its private key with another server that does so -- for example, an email server.

It's quite common for organizations to use the same private key or certificate for TLS implementations on both Web and email servers.
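The shared-key prerequisite means a TLS-only web server can be exposed through a different service that reuses its key. The following added example (not from the article or the DROWN researchers) shows one way a defender could check a service inventory for that condition; the inventory records, field names and key fingerprints are constructed placeholders.

```python
from collections import defaultdict

# Constructed inventory (not real scan data): one record per TLS-speaking
# service, with a placeholder public-key fingerprint and the protocol
# versions a scanner reported that the service accepts.
INVENTORY = [
    {"service": "www.example.test:443", "key_fp": "KEY-A", "protocols": {"TLSv1.2"}},
    {"service": "mail.example.test:25", "key_fp": "KEY-A", "protocols": {"SSLv2", "TLSv1.0"}},
    {"service": "shop.example.test:443", "key_fp": "KEY-B", "protocols": {"TLSv1.1", "TLSv1.2"}},
    {"service": "old.example.test:443", "key_fp": "KEY-C", "protocols": {"SSLv2", "SSLv3"}},
]


def drown_exposure(inventory):
    """Map each service to (status, sslv2_services_sharing_its_key).

    status is 'direct' if the service itself accepts SSLv2, 'shared-key' if
    another service with the same key accepts SSLv2, else 'not-exposed'.
    """
    # Group services by the key they present, since exposure follows the key.
    by_key = defaultdict(list)
    for rec in inventory:
        by_key[rec["key_fp"]].append(rec)

    report = {}
    for recs in by_key.values():
        sslv2_services = sorted(r["service"] for r in recs if "SSLv2" in r["protocols"])
        for r in recs:
            if "SSLv2" in r["protocols"]:
                report[r["service"]] = ("direct", [])
            elif sslv2_services:
                report[r["service"]] = ("shared-key", sslv2_services)
            else:
                report[r["service"]] = ("not-exposed", [])
    return report


if __name__ == "__main__":
    for service, (status, via) in sorted(drown_exposure(INVENTORY).items()):
        suffix = f" via {', '.join(via)}" if via else ""
        print(f"{service:24} {status}{suffix}")
```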

The attacker also needs to be in a position to observe several hundred TLS connections between a victim and a vulnerable server. They can do this by monitoring connections over a long period of time or by using malicious JavaScript to force the user's browser to repeatedly establish connections in the background with the targeted website.

Furthermore, the observed connections need to use the RSA key exchange algorithm during the handshake, but this shouldn't be a problem for attackers because RSA is still the most popular key exchange method in TLS implementations.

Once the attacker has the captured connections, he needs to connect to the server over the SSLv2 protocol and send specially crafted handshake messages that contain modifications of the RSA ciphertext copied from the client's TLS connections. These probes will fail, but the way the server responds to them will leak information about the secret keys used for the victim's TLS connections.

In the worst case scenario, an attacker would need to perform roughly 40,000 probe connections and 2^50 computations in order to decrypt one out of 900 observed TLS connections. Running the computations for the attack on Amazon's EC2 cloud computing platform would cost about US$440, the researchers estimated.

Establishing 40,000 HTTPS connections with a server might sound like a large number, but it's not. In tests with an Apache 2.4 server, the researchers completed 10,000 HTTPS requests in under 10 seconds.

 
