A new vulnerability has been discovered by security researchers that could be used to allow eavesdroppers to spy on the traffic between users and as many as one-in-three HTTPS servers. The problem arises due to the fact that many HTTP servers still support the outdated and now-insecure Secure Sockets Layer (SSL) version 2 protocol. SSLv3 succeeded SSLv2 back in 1996, however, it was only officially deprecated by 2011, which has resulted in its continued presence in servers. Even SSLv3 has since been replaced with newer, more secure Transport Layer Security (TLS) versions 1.0, 1.1 and 1.2.
While SSLv2 is totally unsuitable for encrypted communications, it wasn’t until now that security researchers have thought that its continued support in servers would pose a security threat as most modern clients such as web browsers and others capable of TLS communications no longer support it. A newly released paper has found this assumption to be false by showing that a server supporting SSLv2 can be exploited by attackers to decrypt any traffic from its clients, even those using the most up-to-date TLS protocols.
The attack, which has come to be known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), has a number of prerequisites, but unlike some vulnerabilities, they remain practical to execute. Firstly, the server must either support SSLv2 or share its private key with another server that does, which is common in many organizations that share a key across both web and email servers. With this satisfied, the attack must then monitor several hundred encrypted communications between the victim and the server, whether by simply observing over a long period or using malicious code to force numerous connections to be repeatedly made with the sever. Even the requirement that the handshake must use the RSA key exchange algorithm is simple, as it is the most commonly used key exchange in TLS implementations.
Armed with this information, the attacker then connects to the server via SSLv2 multiple times using specially crafted handshake messages that contain modifications of the RSA ciphertext captured during the victim’s TLS connections. These connections will cause the server to leak further information regarding the secret keys used during the TLS connections despite failing. It was calculated that even in a worst-case scenario, an attacker would need to erform roughly 40,000 probe connections and 2^50 computations to decrypt one out of 900 observed TLS connections. It was estimated by the researchers that running the calculations for the attack on Amazon’s EC2 cloud computing platform would cost around $440. The attack is even significantly easier if the server is running a version of OpenSSL library that contains two known flaws.
As many as 17% of all HTTPS servers are directly vulnerable to the attack, with 25 percent of SMTP with STARTTLS servers, 20 percent of POP3S and IMAPS servers and 8 percent of SMTPS also vulnerable. Even amongst HTTPS servers that did not directly support SSLv2, those that shared their private keys with other web servers supporting SSLv2 raised the overall percentage of vulnerable servers to 33%. Thankfully, while DROWN attacks may expose critical information such as login or banking credentials, the attack would have to be executed from scratch for every user and the server’s long-term private keys are not exposed, only the keys negotiated for specific sessions.
Server administrators have been urged to ensure that SSLv2 has been disabled on their servers, including any sharing private keys. Instructions on how to do so have been provided by the researchers for the most common web servers and TLS libraries. For those unsure whether their server is vulnerable, even with SSLv2 disable, a tool has been released to determine is a server is vulnerable and affected by key reuse.
It is scary to think that some of the websites vulnerable to this issue include big names used in the everyday lives of many such as yahoo.com, weibo.com, buzzfeed.com, weather.com, flickr.com, and dailymotion.com.