Today, WhiteHat Security was alerted to an attack that can compromise encrypted network traffic by affecting HTTPS and other services that rely on SSL and TLS, in a matter of hours.
The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) attack is a serious demonstration of practical cryptography. DROWN is interesting in that it demonstrates a key security principle – that the “weakest link is all an attackers needs to break” – in multiple ways.
In this case, the weakest link is the capability of the server to use weak encryption, which ultimately affects users. DROWN does not require the victim to connect with SSLv2, only that the server allows it.
How does this attack work?
- The attacker sniffs the victim’s encrypted traffic (cipher text)
- Attacker then separately uses that information to perform an attack against the server (using SSLv2)
- Attacker now has the secret key they need to decrypt the victim’s traffic.
So, the victim might actually be using a perfectly acceptable method of encryption, but is still vulnerable to spying because the server also allows connections using an outdated method.
We’ve seen this principle demonstrated a number of times in TLS and SSL in what are known as “downgrade attacks”, where hackers can trick the victim’s computer to use a weaker form of encryption, if the server supports it.
Some famous examples are:
- POODLE, and
While DROWN is not a downgrade attack because the user continues using their intended encryption, both DROWN and downgrade attacks rely on the server supporting outdated encryption methods.
All administrators need to test all publicly accessible servers to see if they are vulnerable, including servers for mail, ftp, vpn, etc. All WhiteHat Sentinel Dynamic customers with running scans are being tested now.
DROWN shows us that when it comes to TLS, it is important to retire old protocols and algorithms as soon as you can, to remove the weak links. More information about DROWN can be found on the researcher’s site: http://www.drownattack.com