Wednesday, 2 March 2016

DROWN - Another Blast From The Past

The last 24 hours has seen a lot of concern raised about the latest, widespread, vulnerability to be disclosed: DROWN.  The extent of the vulnerability is quite staggering with up to 33% of all HTTPS sites potentially vulnerable.  Let that just sink in for a moment: 33%.

The attack relies upon well known weaknesses in SSLversion2 renamed in later version as Transport Layer Security (TLS).  Attacks against SSL of this type were published many years ago (late nineties) by the eponymous Daniel Bleichenbacher (he actually used SSL v3 to exemplify his attacks) and, although these attacks against a particular form of RSA bear his name, it is a form of chosen ciphertext attack.

So far, so technical. Now to discuss the elephant in the room.

Most sites do routine checks and they all find that they have "deprecated" SSLv2.  Try it yourself using something such as SSLLabs Fears about the vulnerability of SSLv2 were primarily due to the fact that it included what was termed an "export" strength for of encryption.  This export encryption was deliberately weaker than other contemporaneous forms of encryption as it was developed during what became known as the first "Crypto Wars" and the US government didn't want strong cryptography being sent overseas.

The previously discovered weaknesses caused people to turn off SSLv2 (and later versions for that matter), so how can it be causing all this fuss today. Well it turns out that it may be dead but its not quite buried.

In one special case, OpenSSL, there was a configuration error made through which SSLv2 could be recalled back to life by an attacker.  Many systems keep old versions of protocols in order to maintain backwards compatibility, but SSL v2 was considered so weak it was supposed to have been removed entirely.  Unfortunately, due to good old human error, it was left in certain version of OpenSSL, which is one of them most widely used SSL implementations.

In cases where this particular OpenSSL wasn't used people could not necessarily sit back and look smugly on as the OpenSL community tried to patch the problem. It turns out that whilst many of the websites are using perfectly safe SSL (or more correctly TLS) implementations, other servers in the corporate estate may still be using older SSL versions. Why? Backwards compatibility, of course.  These could be mail servers, instant messaging or similar.

Because many organisations use the same private key across servers it means that the attacker can use the weakest point (still using SSL v2) and thereby intercept communications with the apparently secure servers.  The attack appears to be simple to do and consequently millions of websites that think they are using secure forms of TLS are exposed.

You can check if you site is vulnerable here This looks to see (so far as it is able) if the private key is being reused across servers where one is still using SSL v2.

This whole episode has arisen because a form of encryption was deliberately weakened and it has survived (albeit hidden) in order to preserve backwards compatibility.  Sadly it is not the first time this happened.  Nor the second for that matter. This is the third such episode within a year. It probably wont be the last.

I hope that we are not doomed to repeat the mistakes demonstrated by these events, and that we learn:
  1. Don't deliberately weaken encryption as the unintended consequences will reverberate for decades.
  2. Don't keep old software in your products for any longer than is absolutely necessary.