Flaw in TLS implementations can allow hackers to eavesdrop HTTPS encryption

News by Rene Millman

Security researchers have discovered an attack method that exploits side-channel information to downgrade most current TLS implementations hence browsers are still vulnerable to TLS attack

Security researchers have discovered an attack method that exploits side-channel information to downgrade most current TLS implementations.

According to an academic paper by scientists at the Weizmann Institute, the University of Adelaide, and the University of Michigan, the hack is an updated version of a padding oracle attack.

Although the ‘RSA key exchange’ mechanism has been deprecated for many years, the attack succeeds by being able to force vulnerable servers to downgrade from more secure mechanisms to this older mechanism, and to do so within the timeouts present in many browsers. 

The researchers tested nine fully patched implementations of various RSA-based security protocols (OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, GnuTLS, BearSSL and BoringSSL).

"Notably, out of the nine evaluated implementations, only the last two (BearSSL and BoringSSL) could not be successfully attacked by our new techniques," said researchers.

The paper, titled "The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations", and co-authored by Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom, said that data available from cache-based side channels provides a way around browser mitigations against padding oracle attacks.

One such attachment is known as FLUSH+RELOAD where an attacker first evicts (flushes) a memory location from the cache. The attacker then waits a bit, before reloading the flushed location again, while measuring the time that this reload takes.

"If the victim accesses the same memory location between the flush and the reload phases, the memory will be cached, and access will be fast. Otherwise, the memory location will not be cached and the access will be slower. Thus, the attacker deduces information regarding the victim’s access patterns to a given address," said researchers.

The researchers said that the attack showed that padding oracle attacks can be made extremely efficient, via more careful analysis and novel parallelisation techniques.

"While the use of RSA key exchange is declining, padding oracles can be used to mount downgrade attacks, posing them as a threat to the security of a much larger number of connections (including those done via protocols that do not even support the RSA key exchange)," they said.

Researchers made several recommendation, one of which being a deprecation of RSA Key Exchange and switch to (Elliptic Curve) Diffie-Hellman key exchanges.

Martin Thorpe, enterprise architect at Venafi, told SC Media UK that this attack demonstrates once again the importance of controlling machine identities - the cryptographic assets used to secure private communication between ‘machines’, such as hardware, software, platforms, containers, algorithms, apps and websites.

"It also shows the importance of keeping security-critical software and systems patched and up to date. Vendors of the core cryptographic libraries have already released updates and enterprises need to update affected systems with the latest software," he said.

"If it is not possible to patch affected systems, there are some mitigations that can be applied to make the attack harder to mount. Many organisations use load balancers or similar devices at the outer edges of their services, and frequently the same certificate and key is used across all of those load balancers. Effective control over machine identities and using different certificates and keys would make the attack more difficult to perform and reduce the likelihood of it succeeding before a customer browser aborted the connection."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews