In the ongoing saga of our quest for powerful encryption online for all, free from backdoors and government restrictions, this week we stumbled again over the inherent brokenness of what the existing standard is. Yet again, there is a massive vulnerability impacting the TLS or transport layer security. And it stems back to a very short-sighted decision by the US Gov’t during the ’90’s.
DROWN attack renders messages vulnerable that are sent online between HTTPS servers – yes, that is correct, you saw the letter ‘s’. When stuff like this happens, it kind of defeats the whole purpose of making things HTTPS. The acronym is pretty self-explanatory. It stands for “Decrypting RSA using Obsolete and Weakened eNcryption”. Obsolete and Weakened says it all.
The impact is huge. It means that TLS connections to over 33% of HTTPS servers are open to attack using fairly fast and easy methods. That’s the other problem. The attackers won’t have to work hard for the money on this one. More about how later.
TLS matters because encryption matters, so it is the most important security protocol on the internet. It began as SSL, or Secure Socket Layer, back when dinosaurs sat in power. And if we recall from previous briefs about similar problems, those stem back to the US government meddling in the ‘90s and making encryption work for their purposes ie dumbing it right down to do business abroad.
So the cause, simply put, is dangerously outdated SSLv2. Gone but so not forgotten.While browsers or clients have gotten rid of SSLv2, many servers still support the protocol. This can be attributed to carelessness and obsolete embedded devices that don’t get updated. And while OpenSSL was supposed to offer a configuration option to disable SSLv2 ciphersuites, it doesn’t seem to be working because even when that option is selected or set, clients still can choose the SSLv2 option. Here is an excellent explanation of why this is so serious by cryptography expert Matthew Green, and you can read his thoughts in detail in his recent blogpost on DROWN
If you’re running a web server configured to use SSLv2, and particularly one that’s running OpenSSL (even with all SSLv2 ciphers disabled!), you may be vulnerable to a fast attack that decrypts many recorded TLS connections made to that box. Most worryingly, the attack does not require the client toever make an SSLv2 connection itself, and it isn’t a downgrade attack. Instead, it relies on the fact that SSLv2 — and particularly the legacy “export” ciphersuites it incorporates — are pure poison, and simply having these active on a server is enough to invalidate the security of all connections made to that device.
So what happens is that a server is using both SSL/TLS. Double the flavour, double the fun would necessitate separate certificates and private keys. Except that people don’t want to do more or pay more: so they use the same thing on both. And yes, Virginia, a buggy SSLv2 will impact the security of TLS.
NOTE: a patch for this matter was issued in January but not well publicized. This doesn’t help because we need folks to get the patches up on their systems. Otherwise, we have what is still ongoing because of Shellshock Bash. Unpatched instances propogating exploits. So please, do everyone a favour and patch your systems.
How does the bad stuff happen? In what is called a cross-protocol attack. It uses bugs in one protocol say SSLv2 to attack the security of connection made in another and different protocol ie TLS. The irony is that while TLS is designed to defend against well-known attacks on this encryption SSlv2’s export suites have been proven not to do that (via the Bleichenbacker Attack, and that’s all you really need to know about it here).
What we need to acknowledge is just how realistic an attack actually is. The answer is very. It will only cost a few hours and $440 dollars using the available power of Amazon EC2. The attacker would watch about 1000 TLS handshakes to find a vulnerable RSA ciphertext, use 40000 queries to the server and 2to the 50th offline operations. That may sound like a lot, but it really isn’t given today’s resources. We know attacks only get faster and more sophisticated. Researchers have now found a new version that can decrypt a TLS RSA ciphertext in ONE minute on a single CPU core.
What can you do? Start by checking your systems. Follow this link here: https://test.drownattack.com/ (the link is safe). While there is a patch again that should help, it only works when applied. The DROWN Attack site will help you to learn more about how this vulnerability impacts various systems and how to disable SSLv2.
Read more here:
Hope that was helpful! Thanks for reading.