In the past years encrypted communication has been subject to intense scrutiny by researchers. With the advent of Transport Layer Security (TLS) Internet communication via HTTP became a lot more secure. Its predecessor Secure Sockets Layer (SSL) must not be used any more. The real world has its own ideas. SSLv2 and SSLv3 is still present. Attackers can try to downgrade the TLS session by switching to insecure ciphers. When using the correct configuration, these downgrade attacks cannot happen. The question is: Are all of your devices, applications, and systems correctly configure? If you are not sure, better check again. In order to illustrate how these attacks work, we have invited Nimrod Aviram for DeepSec 2016. He will explain the inner workings of the DROWN attack.
We present a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. Our research introduces two versions of the attack. The more general form exploits multiple unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher RSA padding-oracle attack. To decrypt a 2048-bit RSA TLS ciphertext an attacker must observe 1,000 TLS handshakes, initiate 40,000 SSLv2 connections, and perform 250 offline work. The victim client never initiates SSLv2 connections. We implemented the attack and can decrypt a TLS 1.2 handshake using 2048- bit RSA in under 8 hours at a cost of $440 on Amazon EC2. Using Internet-wide scans we find that 33% of all HTTPS servers and 22% of those with browser-trusted certificates are vulnerable to this protocol-level attack due to widespread key and certificate reuse.
For an even cheaper attack we apply our new techniques together with a newly discovered vulnerability in OpenSSL that was present in releases from 1998 to early 2015. Given an unpatched SSLv2 server to use as an oracle we can decrypt a TLS ciphertext in one minute on a single CPU. This is fast enough to enable a man-in-the-middle attacks against modern browsers. We find that 26% of HTTPS servers are vulnerable to this attack.
We further observe that the QUIC protocol is vulnerable to a variant of our attack that allows an attacker to impersonate a server indefinitely after performing as few as 217 SSLv2 connections and 258 offline work.
We conclude that SSLv2 is not only weak, but actively harmful to the TLS ecosystem.
Nimrod Aviram received a B.Sc. in Mathematics and Computer Science from Tel Aviv University. He is now a PhD student at The Department of Electrical Engineering at Tel Aviv University. Nimrod’s research interests include various topics in applied cryptography and Internet traffic.