HTTPS DROWN flaw: Security bods' hearts sink as tatty protocols wash away web crypto
Reaction from the industry pours in
The discovery of a HTTPS encryption vulnerability, dubbed DROWN, again proves that supporting tired old protocols weakens modern crypto systems.
DROWN (aka Decrypting RSA with Obsolete and Weakened eNcryption) is a serious design flaw that affects HTTPS websites and other network services that rely on SSL and TLS – which are core cryptographic protocols for internet security. As previously reported, about a third of all HTTPS servers are vulnerable to attack, the computer scientists behind the discovery of the issue warn.
DROWN basically allows a miscreant to snoop on and decrypt a victim's encrypted web connections, allowing crooks to swipe passwords and so on.
"DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data," said the research team.
A total of 15 experts from universities in the US, Israel and Germany contributed to a study which led to today's publication of the paper DROWN: Breaking TLS using SSLv2, available here [PDF].
Modern servers and clients use the TLS encryption protocol. However, due to sloppy configuration settings, many servers continue to support SSLv2, a 1990s-era predecessor to TLS. That sounds like an obvious weakness in security, but it didn't really matter up until now because no up-to-date software actually uses SSLv2 – apps and other programs tend to use TLS these days.
SSLv2 has been hopelessly insecure for years, however just supporting SSLv2 server-side was not generally considered a security problem because no client-side software was using it.
DROWN and out: Weak legacy tech KOs security
It's no great exaggeration to describe DROWN as a game changer.
DROWN shows that merely supporting SSLv2 puts modern servers and clients at risk. Hackers can exploit weaknesses in the v2 protocol to decrypt the communications between modern clients and servers – even if those clients and servers are using a stronger protocol to exchange information securely, such as TLS v1.2. The trick involves sending lots and lots of probes to a server that supports SSLv2 and reuses the same private key across multiple protocols.
In some situations, an attacker can impersonate a secure website and intercept or change the content the user sees, by running a man-in-the-middle attack.
Websites, mail servers, and other TLS-dependent services are at risk from the DROWN attack. Details of the security flaw were shared with software vendors before the researchers went public with their findings on Tuesday so patches should be available to shut down this issue.
Exploiting the DROWN flaw is not trivial, although the technically skilled can attack high-value targets without breaking the bank. The vulnerability's researchers reckon assaults can be mounted from a typical subscription-based cloud system for less than $500.
We're still fighting the first crypto war
Today is the first full day of the RSA Conference in San Francisco, and it was slated to feature talks and debate about the legal standoff between Apple and the FBI over decrypting information on a killer's iPhone. Instead, discussion in the halls is likely to turn to this fresh cryptographic security flap, which some say traces its origins back to attempts by the US government to cripple encryption back in the 1990s.
"90s 'export' grade weak encryption, then required by US govt, is 'pure poison'," said Christopher Soghoian, a principal technologist at the ACLU, in an tweet in his personal Twitter stream. "The US govt forced the tech industry to use weakened crypto in the 90s. The DROWN attack demonstrates the long-term cost of weakened crypto," he added.
More immediately, sysadmins will have their work cut out in dealing with the flaw.
Kyle Lady of mobile security firm Duo Security commented: "From the system administration perspective, this bug demonstrates the importance of holistic security assessment: it's not enough to just make sure that your web server is secure while leaving other components (like mail servers) with outdated and insecure configurations. SSLv2 was officially deprecated in 2011, so there really shouldn't be any servers that are willing to use it anyway, except for the fact that server software often ships with the most permissive cryptography settings for the sake of compatibility."
Developers would be well advised to draw lessons from the incident, Lady added. "This bug underscores the value of auditing not just new code but old code as well. Many recent OpenSSL vulnerabilities have been found in code that's been shipping for quite a few years, and the bugs just haven't been noticed. Additionally, new functionality in a program can open up a path for an attacker to exploit previously hidden bugs in old code," he concluded.
How DROWN abuses SSLv2 to attack TLS is explained by Ivan Ristic, director of engineering at cloud security firm Qualys, and author of Bulletproof SSL and TLS in a blog post here.
Ristic backs up the general expert opinion that "obsolete crypto is dangerous," advising IT staff to disable SSL v2 everywhere now. Ristic argues that previous crypto attacks have hinted at the inherent problems of supporting obsolete crypto technologies for some time.
"For many years the argument for not disabling SSL v2 was that there was no harm because no browsers used it anyway," Ristic concludes. "We heard the same thing before learning about Logjam, and also before FREAK. This approach is obviously not working. Instead, in the future we must ensure that all obsolete crypto is aggressively removed from all systems. If it's not, it's going to come back to bite us, sooner or later," he added.
Computer science professor Matthew Green provides an excellent overview of the DROWN vulnerability and its potential impact in a blog post, here. A picture in the blog post features a zombie, captioned with "SSLv2 export cipher," neatly summing up the general view of security experts. ®