One-third of all HTTPS websites open to DROWN attack

Security researchers have discovered a new technique for deciphering the contents of supposedly secure communications.

The DROWN attack - it has already got a name, like recent high profile crypto attacks Lucky13, BEAST, and POODLE - is a “cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date clients”.

One version of the attack exploits a combination of thus far unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the earlier Bleichenbacher attack. “A typical scenario requires the attacker to observe 1,000 TLS handshakes, then initiate 40,000 SSLv2 connections and perform 250 offline work to decrypt a 2048-bit RSA TLS cipher-text,” the researchers explain.

Number-crunching using supercomputers is not needed to pull off the attack, which is way below the level of sophistication of intel agencies. A team of researchers from universities in Germany, the US and Israel as well as two OpenSSL developers - implemented the attack and can decrypt a TLS 1.2 handshake using 2048- bit RSA in under eight-hours using Amazon EC2, at a cost of $440.

Even cheaper attacks are possible by applying the new techniques together with a newly discovered vulnerability in OpenSSL that was present in releases from 1998 to early 2015. “Given an unpatched SSLv2 server to use as an oracle, we can decrypt a TLS cipher-text in minutes on a single CPU—fast enough to enable man-in-the-middle attacks against modern browsers,” the DROWN researchers warned.

Fortunately OpenSSL is publishing a fix on Tuesday - OpenSSL versions 1.0.2g, 1.0.1s - to deal with the protocol flaw. Many systems are vulnerable to an attack that may be comparable with Heartbleed. “This flaw is more than a product vulnerability; it's a protocol flaw,” according to Ivan Ristic, a software engineer and founder of SSL Labs, “The impact is significant.”

Using internet-wide scans, the researchers found that 38 per cent of all HTTPS servers and 22 per cent of those with browser-trusted certificates are vulnerable to the protocol-level attack, due to widespread key and certificate reuse. Researchers reckon that around a quarter (26 per cent) of the top million sites listed by Alexa are vulnerable to breaking TLS through attacking SSL v2.

Urrgh.

In additional, the researchers discovered the QUIC protocol is vulnerable to a “variant of our attack that allows an attacker to impersonate a server indefinitely”.

“We conclude that SSLv2 is not only weak, but actively harmful to the TLS ecosystem,” the researchers conclude.

A paper on the research - DROWN: Breaking TLS using SSLv2 was put online on Tuesday.

Not only OpenSSL is vulnerable to the CVE-2016-0800 bug, as an advisory by Red Hat explains.

A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.

The release of the research coincide with the start of the RSA Conference, infosec marketing's version of the Superbowl.

Some estimates suggest that up to two-thirds of all web servers use software reliant on open-source OpenSSL. Security watchers pay very close attention to OpenSSL vulnerabilities, particularly since the infamous Heartbleed attack of April 2014. DROWN is not as bad as Heartbleed but it’s comparable, which is bad enough in itself. ®