New TLS decryption attack affects one in three servers due to legacy SSLv2 support

Lucian Constantin | March 2, 2016
Researchers devise new technique to decrypt TLS connections between users and HTTPS servers that still support SSLv2.

The attack is significantly easier to pull off against servers that use a version of the OpenSSL library that's vulnerable to two known flaws.

One of the vulnerabilities is tracked as CVE-2015-3197 and allows a DROWN attacker to connect to the server using disabled SSLv2 cipher suites, if support for SSLv2 itself is enabled. This vulnerability was patched in OpenSSL versions 1.0.1r and 1.0.2f, released on Jan. 28.

The second vulnerability, CVE-2016-0703, greatly reduces the time and cost of carrying out the DROWN attack. It stems from a bug that was patched in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf back in March 2015, before that flaw's implications were understood and reported to the OpenSSL project.

For servers that are vulnerable to CVE-2016-0703, meaning they last updated their OpenSSL library before March 2015, the DROWN attack can be carried out in less than a minute using a single PC.

The researchers scanned the Internet for vulnerable servers that accept SSLv2 connections over ports associated with SSL/TLS communications: port 443 (HTTPS), port 25 (SMTP with STARTTLS), 110 (POP3 with STARTTLS), 143 (IMAP with STARTTLS), 465 (SMTPS), 587 (SMTP with STARTTLS), 993 (IMAPS) and 995 (POP3S).

They found that 17 percent of all HTTPS servers were directly vulnerable to the generic version of the DROWN attack. Furthermore, 25 percent of SMTP with STARTTLS servers, 20 percent of POP3S and IMAPS servers and 8 percent of SMTPS servers were vulnerable.

They also found many HTTPS servers that don't support SSLv2 directly, but share the same private key with other Web or email servers that do support it. This makes those non-SSLv2 servers vulnerable too, raising the overall percentage of affected HTTPS servers to 33 percent.

Fortunately, vulnerable servers don't need to replace their certificates, because DROWN doesn't expose their long-term private keys. Instead, the attack only exposes the secret keys negotiated by clients and servers for specific sessions.

It's still a big problem because decrypting even a single session could expose a user's log-in credentials, session cookies and other personal and financial information. However, the attacker would need to execute the DROWN attack for each user.

Server administrators need to ensure they have disabled support for SSLv2 on their servers. The researchers have provided instructions on how to do that for some of the most common TLS libraries and Web servers.

Administrators should also ensure that even if a server doesn't support SSLv2, its private key is not reused on other servers that might. The researchers released a test tool that determines whether a server is vulnerable, including through key reuse.
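As an added illustration of the basic check such a tool performs (example code written for this article, not the researchers' tool), the script below sends an SSLv2 CLIENT-HELLO to one of your own servers and reports whether it answers with an SSLv2 SERVER-HELLO, listing the SSLv2 cipher kinds it offers. It assumes a port that speaks TLS directly (443, 465, 993 or 995 from the list above); the STARTTLS ports would need the STARTTLS exchange first, which this example does not perform.

```python
import os
import socket
import struct

# The seven SSLv2 cipher kinds (3-byte ids) from the SSLv2 specification
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01\x00\x02"                    # MSG-CLIENT-HELLO, version 0x0002
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)               # cipher specs, empty session id, challenge
    # Two-byte SSLv2 record header: high bit set, 15-bit body length
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data):
    """Return the cipher kinds offered in an SSLv2 SERVER-HELLO, or None if the
    reply is not one (TLS alert, SSLv2 ERROR, junk, or an empty reply)."""
    if len(data) < 13 or not data[0] & 0x80:
        return None
    body = data[2:2 + (struct.unpack("!H", data[:2])[0] & 0x7FFF)]
    if body[:1] != b"\x04" or body[3:5] != b"\x00\x02":   # MSG-SERVER-HELLO, v2
        return None
    cert_len, spec_len, _ = struct.unpack("!HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]  # specs follow the cert
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs), 3)]


def probe_sslv2(host, port=443, timeout=5.0):
    """Connect, send the CLIENT-HELLO, read until close or timeout, parse."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        reply = b""
        try:
            while len(reply) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass
    return parse_sslv2_server_hello(reply)
```

A return value of None means the server did not complete an SSLv2 handshake on that port; a list means it did, and SSLv2 must be disabled there.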

An estimated 25 percent of all HTTPS-enabled websites in Alexa's top million traffic list are vulnerable. This includes popular sites like yahoo.com, weibo.com, 360.cn, alibaba.com, buzzfeed.com, weather.com, flickr.com, and dailymotion.com.
