Over the last few years a multitude of servers have been affected by SSL/TLS encryption breaking attacks. First off, SSL stands for Secure Socket Layer. SSL is the standard security technology for establishing an encrypted link between a browser and a web server. Transport Layer Security or TLS is a protocol that guarantees privacy between applications and their users over the Internet.
Although there have been multiple instances of SSL/TLS attacks, the two examples I want to briefly discuss are FREAK and a newly discovered attack called DROWN. (I did not make these names up by the way) With the DROWN vulnerability researchers have stated that under some circumstances, an attacker can also impersonate a secure website (and you thought Elvis impersonations were scary) in order to intercept or change the content the user sees on the screen.
What does this mean to me?
Whenever you log into a site such as Amazon, Gmail or any other site that holds important data and information, you typically are logging into a secure site. TIP: Always look for the web address prefixed by “HTTPS”. The “S” in HTTPS stands for secure. If a web server for a particular site does not get the proper patches for SSL based attacks like DROWN, any information visitors submit during online transactions can be decrypted and obtained as it travels over the internet. Things such as passwords, addresses and credit card information can be accessed by an attacker a.k.a. the “Man-In-The-Middle” using this exploit.
One example of a previous SSL attack
The FREAK (Factoring RSA Export Keys) attack was announced on march 3rd 2015. The FREAK attack allowed attackers to easily intercept HTTPS connections between vulnerable clients and servers forcing them to use weakened encryption during the session. With this vulnerability exploited, the attacker could break the encryption in order to steal or even manipulate sensitive data. FREAK has since then become remediated as server administrators patched their systems upon hearing about this vulnerability. Vendors also advised them to disable support for all known insecure ciphers.
The Current SSL attack
The DROWN attack or Decrypting RSA with Obsolete and Weakened eNcryption, is a vulnerability that affects HTTPS and other services that rely on SSL and TLS. Websites, e-commerce sites, mail servers (i.e. Yahoo/ Gmail), and other TLS based sites and services are currently at risk for the DROWN attack. This serious vulnerability currently affects more than 11 Million websites/ e-mail services that are protected to a degree by a depreciated TLS protocol known as Secure Sockets Layer (SSLv2). SSLv2 was founded and became functional in the 1990s.
Based on what this attack can do, it is definitely time to disable this version of SSL. The illustrations below display common traffic between a client (person sitting at their computer) and server (the website). During the initial TLS connection between the client and server, public keys and private keys are exchanged and authenticated for encryption purposes.
What makes this a serious security risk is that any server that simply supports SSLv2 (SSLv2 doesn’t have to be active) is a threat to modern servers and clients. This is demonstrated in the illustration above (illustration credits: Drownattack). The Man-In-The-Middle can launch SSLv2 probes in an attempt to decrypt the traffic and read the information transferred from the client to server.
Earlier today I used the DROWN website checker to see which sites were vulnerable to this attack. Some of the sites I came across are well known sports sites and e-commerce sites. As part of my research I plan run a few website queries to see which sites are vulnerable to DROWN, contact the site administrators / server administrators of 10 or so websites, give them my findings/results provided by test.drownattack.com and follow up with the site admins to see if they actually fix these vulnerabilities with the appropriate software security patches. This should be fun.