DROWN - A New Critical Encryption Vulnerability

[colonel_mortis]

Sources:

Original source: https://drownattack.com/

Paper: https://drownattack.com/drown-attack-paper.pdf (22 pages)

OpenSSL Guide: https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/

Ars Technica: http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/

This blog post

 

Security researchers have disclosed a new critical security vulnerability which can allow encrypted traffic to be decrypted in a reasonable time by an attacker. This attack works against traffic encrypted using any version of SSL or TLS, but requires that SSL v2 (which was superseded by SSL v3 in 1996 and formally deprecated in 2011) is enabled on the server, or on another server that is using the same private key. It also requires that export grade ciphers (also deprecated) are enabled on the server.

The researchers estimate that this affects around 33% of HTTPS enabled sites - a scarily large proportion. Furthermore, about 79% of those sites are vulnerable to a special version of the attack, which is significantly faster.

 

How the attack works (at a fairly high level, read the blog post or the paper for more technical details):

Encryption makes wide use of padding, where extra information is added to the end of the message so that it's a standard length prior to being encrypted. If an attacker sends random data, with a few requests and some offline brute force attacks (against 40 bit export ciphers, which are not particularly strong, and are not used at all any more (we use 128 bit encryption these days, and each bit approximately means a doubling in security)), it is possible to determine whether the random data had valid padding or not. Through some complex mathematics and lots of rounds of this, within about 8 hours, it is possible to obtain sufficient information about an encrypted message that the message can then be decrypted.

In addition, while researching the vulnerability, the researchers discovered that it is possible to use a modified version of this attack against slightly older versions of OpenSSL (released prior to March 2015) that would allow the data to be decrypted within a couple of minutes.

 

Do I need to change my passwords/have my details been stolen?

Probably not. This attack is very complicated to set up, so it is likely to be some time before attackers are able to set it up. They also need to run a passive Man-In-The-Middle attack against your connection to intercept the encrypted traffic, and they would need to capture a large number of requests to get one that is usable - only about 1 in every 1000 requests are vulnerable.

If the site is running a secure version of OpenSSL, or is using a different encryption library, decrypting one request would probably take a few hours when using Amazon's cloud compute services, and would cost $440. Your password probably isn't worth that much, but some things are.

If it is running a vulnerable version, the attack is more feasible, but it's still unlikely that your data has been compromised.

 

What can I do?

If you're just a regular website user, there is nothing that you can do, except not using untrusted internet connections.

If you're a website owner, you should disable SSLv2 (and SSLv3 for good measure) and export cipher suites as soon as possible. You can check whether your site is vulnerable, and get instructions for how to fix it, on the DROWN information page.

 

LinusTechTips.com is not currently vulnerable to this attack (it has been fixed since the scanner checked it).

 

Note that I'm not a security expert, and my "how the attack works" section was only a very high level overview, so I suggest that you read the sources linked above if you're interested. If you spot any mistakes in this article, please let me know.

[Aytex]

All i have is 3 dollars in my paypal account so, I guess if they hack that I could care less

(poor man's life) :*(

scary stuff though

[Nineshadow]

Poor SSL got hit again.

[Trixanity]

I have one question: who the hell comes up with these vulnerability names? 

[AlbinoTexan]

2 minutes ago, Trixanity said:

I have one question: who the hell comes up with these vulnerability names? 

the ones to find out about it

[Naeaes]

Found out something funny. ssl.com is partly vulnurable.

[Yummychickenblue]

11 minutes ago, Aytex said:

All i have is 3 dollars in my paypal account so, I guess if they hack that I could care less

(poor man's life) :*(

scary stuff though

Every little bit helps.

[BuckGup]

Is this why the website went down for a sec

[vanished]

Interesting.  At first this sounded pretty bad, then it sounded like only woefully obsolete systems would be vulnerable so this must not matter, like, at all, then saw that apparently 1/3 sites are woefully obsolete

 

10/10 would fear security holes again

[PCgamer324]

ooh fun stuff

 

forgot to add

 

 

 

thanks clinton

 

 

 

 

 

 

if you got the meme you are a person otherwise kill yourself because you're not even real anymore

[SpaghettiCarbonara]

5 hours ago, Nineshadow said:

Poor SSL got hit again.

Honestly I can't help feeling good about it. Every time an exploit is found, it's fixed and encryption becomes stronger. Maybe I'm wrong, but the more this happens, the better.

[straight_stewie]

I'm not to worried about stuff like this. It usually is fixed pretty quick and most times it only affects outdated versions anyway. APTs are much more worrying. I mean modifying MBRs? That's a real trick.

[qwertywarrior]

these down grade attacks seem very simple to fix

just disable the old protocols

 

 

its not SSL/TLS faults here.

[Trik'Stari]

1 hour ago, qwertywarrior said:

these down grade attacks seem very simple to fix

just disable the old protocols

"but....time and effort cost money! and on things that aren't time and effort talking about corporate synergy!"

[Colonel_Gerdauf]

4 hours ago, qwertywarrior said:

these down grade attacks seem very simple to fix

just disable the old protocols

 

 

its not SSL/TLS faults here.

2 hours ago, Trik'Stari said:

"but....time and effort cost money! and on things that aren't time and effort talking about corporate synergy!"

Fixing errors of the higher-level networking is not all that simple in practice, and the both of you know this especially well!

[qwertywarrior]

1 minute ago, Colonel_Gerdauf said:

 

Fixing errors of the higher-level networking is not all that simple in practice, and the both of you know this especially well!

everytime i hear about these downgrade attacks all the writers says is "disable them" - sometimes its a client side issue like disabling RC4 in firefox or server side

[colonel_mortis]

4 hours ago, qwertywarrior said:

these down grade attacks seem very simple to fix

just disable the old protocols

 

 

its not SSL/TLS faults here.

It is a fault in SSL, just in an old version of SSL that has been deprecated. The problem is, there are some (though not very many any more) devices and browsers that only support older protocols - if you wanted to support IE6, you had to enable SSL v3, which is also old and deprecated, and has some known minor security bugs with it; there are some older devices, especially embedded devices, that may not even support that.

The reason why this attack is so bad is that it can be used to decrypt traffic that used TLS1.2, as long as SSLv2 is enabled on the server (even if nobody uses it). It had previously been assumed that having it enabled wasn't a problem as long as nobody used it, but this attack proves that to be wrong. Also, SSLv2 is enabled by default in many servers (such as apache).