- SSL/TLS Attacks -

DROWN attack

DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for securing the Internet. These protocols allow everyone on the Internet to browse the web, use e-mail, shop online and send instant messages without third parties being able to read the communication.

MITM

MITM literally puts the attacker in the position of a man in the middle. The essence is to eavesdrop on the communication by redirecting packets from the client and vice versa. The attacker then acts as an intermediary between the client and the server, which may allow them to read and modify data.

BEAST

The attacker injects a piece of JavaScript code into the client, which enables them, with the help of a packet sniffer, to capture and subsequently decrypt the secure cookies that the web application uses to authenticate the user. The attack exploits the Cipher Block Chaining (CBC) mode of the AES encryption algorithm, in which data from the previously processed block is used to encrypt the next one.

CRIME

This attack was developed in the same workshop as the earlier BEAST, but this time it applies to any version of TLS. It is based on abusing the compression mechanisms used in the SSL and TLS protocols and in the new SPDY.

TLS interception

TLS interception involves obtaining the plain text of an encrypted transport (usually HTTPS using TLS (Transport Layer Security), previously/commonly known as SSL (Secure Sockets Layer)) either by collecting the encrypted stream and decoding it at a later stage, or more conventionally by posing as the sender (to the receiver) and as the receiver (to the sender). Security researchers refer to this as a man-in-the-middle attack (MITM) when it is applied without the user's knowledge. Vendors that supply equipment for this purpose often refer to the capability as SSL inspection.

KCI Attacks against TLS

Protection of Internet communication is crucial in today's hyperconnected world. The industry standard for encrypting private and sensitive communication data over potentially adversary-controlled network cables and radio signals is TLS. ESSE, the security team of RISE GmbH, discovered a new vulnerability in the ageing TLS protocol. The newly discovered weakness allows opening supposedly securely encrypted TLS communication to full-blown Man-in-the-Middle (MitM) attacks: an attacker can impersonate trusted servers without possessing the servers' secret keys, and can thus eavesdrop on the unencrypted messages, snoop on passwords, love letters and payment data, and modify personal, private communication and transactions at will.

Renegotiation attack

A vulnerability in the renegotiation procedure was discovered in August 2009 that can lead to plaintext injection attacks against SSL 3.0 and all current versions of TLS. For example, it allows an attacker who can hijack an https connection to splice their own requests into the beginning of the conversation the client has with the web server. The attacker can't actually decrypt the client-server communication, so it is different from a typical man-in-the-middle attack. A short-term fix is for web servers to stop allowing renegotiation, which typically will not require other changes unless client certificate authentication is used. To fix the vulnerability, a renegotiation indication extension was proposed for TLS. It requires the client and server to include and verify information about previous handshakes in any renegotiation handshake. This extension has become a proposed standard and has been assigned the number RFC 5746. The RFC has been implemented by several libraries.

Protocol downgrade attacks

A protocol downgrade attack (also called a version rollback attack) tricks a web server into negotiating connections with previous versions of TLS (such as SSLv2) that have long since been abandoned as insecure. Previous modifications to the original protocols, like False Start (adopted and enabled by Google Chrome) or Snap Start, reportedly introduced limited TLS protocol downgrade attacks or allowed modifications to the cipher suite list sent by the client to the server. In doing so, an attacker might succeed in influencing the cipher suite selection in an attempt to downgrade the negotiated cipher suite to either a weaker symmetric encryption algorithm or a weaker key exchange. A paper presented at an Association for Computing Machinery (ACM) conference on computer and communications security in 2012 demonstrated that the False Start extension was at risk: in certain circumstances it could allow an attacker to recover the encryption keys offline and to access the encrypted data.

Cross-protocol attacks: DROWN

The DROWN attack is an exploit that attacks servers supporting contemporary SSL/TLS protocol suites by exploiting their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. Full details of DROWN were announced in March 2016, together with a patch for the exploit. As of March 2016, more than 81,000 of the top 1 million most popular Web sites are among the TLS protected web sites that are vulnerable to the DROWN attack.

Timing attacks on padding

Earlier TLS versions were vulnerable to the padding oracle attack discovered in 2002. A novel variant, called the Lucky Thirteen attack, was published in 2013. Some experts also recommended avoiding Triple-DES CBC. Since the last ciphers supported by Windows XP's SSL/TLS library (used by programs such as Internet Explorer on Windows XP) are RC4 and Triple-DES, and since RC4 is now deprecated (see the discussion of RC4 attacks below), this makes it difficult to support any version of SSL for any program using this library on XP. A fix was released as the Encrypt-then-MAC extension to the TLS specification, published as RFC 7366. The Lucky Thirteen attack can be mitigated in TLS 1.2 by using only AES_GCM ciphers; AES_CBC remains vulnerable.
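The difference between the two receiver orderings is what RFC 7366 changes, shown here as an added example (not code from the original page). The stream cipher is a SHA-256 keystream stand-in for the record cipher so the example runs on the Python standard library alone; the point demonstrated is the order of the padding and MAC checks, not the cipher: under MAC-then-Encrypt the receiver's verdict on a tampered record depends on the padding bytes, under Encrypt-then-MAC it never does.

```python
import hashlib, hmac

TAG = 32  # HMAC-SHA256 tag length

def _xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256(key || counter) keystream (stand-in only, not secure)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def tls_pad(data: bytes, block: int = 16) -> bytes:
    """TLS CBC padding: n bytes of value n followed by the length byte n."""
    n = block - (len(data) + 1) % block
    return data + bytes([n]) * (n + 1)

def tls_unpad(data: bytes):
    """Return the payload, or None when the padding bytes are inconsistent."""
    n = data[-1]
    if n + 1 > len(data) or any(b != n for b in data[-(n + 1):]):
        return None
    return data[:-(n + 1)]

def mte_send(ek, mk, msg):
    return _xor(ek, tls_pad(msg + hmac.new(mk, msg, hashlib.sha256).digest()))

def mte_recv(ek, mk, record):
    """MAC-then-Encrypt (classic TLS CBC suites): decrypt, check padding, then check the MAC."""
    body = tls_unpad(_xor(ek, record))
    if body is None:
        return "bad_padding"   # a separate rejection path, taken before any MAC work
    msg, tag = body[:-TAG], body[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mk, msg, hashlib.sha256).digest()):
        return "bad_mac"
    return msg

def etm_send(ek, mk, msg):
    ct = _xor(ek, tls_pad(msg))
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()

def etm_recv(ek, mk, record):
    """Encrypt-then-MAC (RFC 7366): verify the MAC over the ciphertext first; padding is
    only examined on data that has already authenticated, so it cannot act as an oracle."""
    ct, tag = record[:-TAG], record[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        return "bad_mac"
    body = tls_unpad(_xor(ek, ct))
    return body if body is not None else "bad_padding"

def flip(rec: bytes, i: int, mask: int) -> bytes:
    """Flip bits in one byte of a record (constructed tampering for the demonstration)."""
    b = bytearray(rec); b[i] ^= mask; return bytes(b)
```

Flipping byte 0 of a MAC-then-Encrypt record yields "bad_mac" while flipping its final byte (the padding length) yields "bad_padding"; the Encrypt-then-MAC receiver answers "bad_mac" in both cases.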

RC4 attacks

Despite the existence of attacks on RC4 that broke its security, cipher suites in SSL and TLS that were based on RC4 were still considered secure prior to 2013 because of the way in which they were used in SSL and TLS. In 2011, the RC4 suite was actually recommended as a workaround for the BEAST attack. New forms of attack disclosed in March 2013 conclusively demonstrated the feasibility of breaking RC4 in TLS, suggesting it was not a good workaround for BEAST. An attack scenario was proposed by AlFardan, Bernstein, Paterson, Poettering and Schuldt that used newly discovered statistical biases in the RC4 key table to recover parts of the plaintext with a large number of TLS encryptions. An attack on RC4 in TLS and SSL that requires 13 × 2^20 encryptions to break RC4 was unveiled on 8 July 2013 and later described as "feasible" in the accompanying presentation at a USENIX Security Symposium in August 2013. In July 2015, subsequent improvements in the attack made it increasingly practical to defeat the security of RC4-encrypted TLS.

Truncation attack

A TLS (logout) truncation attack blocks a victim's account logout requests so that the user unknowingly remains logged into a web service. When the request to sign out is sent, the attacker injects an unencrypted TCP FIN message (no more data from sender) to close the connection. The server therefore doesn't receive the logout request and is unaware of the abnormal termination. Published in July 2013, the attack causes web services such as Gmail and Hotmail to display a page that informs the user that they have successfully signed out, while ensuring that the user's browser maintains authorization with the service, allowing an attacker with subsequent access to the browser to access and take over control of the user's logged-in account. The attack does not rely on installing malware on the victim's computer; attackers need only place themselves between the victim and the web server (e.g., by setting up a rogue wireless hotspot). This vulnerability also requires access to the victim's computer. Another possibility is that, when using FTP, the data connection can carry a false FIN in the data stream, and if the protocol rules for exchanging close_notify alerts are not adhered to, a file can be truncated.

Downgrade attacks: FREAK attack and Logjam attack

Encryption downgrade attacks can force servers and clients to negotiate a connection using cryptographically weak keys. In 2014, a man-in-the-middle attack called FREAK was discovered affecting the OpenSSL stack, the default Android web browser, and some Safari browsers. The attack involved tricking servers into negotiating a TLS connection using cryptographically weak 512-bit encryption keys. Logjam is a security exploit discovered in May 2015 that exploits the option of using legacy "export-grade" 512-bit Diffie-Hellman groups dating back to the 1990s. It forces susceptible servers to downgrade to cryptographically weak 512-bit Diffie-Hellman groups. An attacker can then deduce the keys the client and server derive using the Diffie-Hellman key exchange.

Unholy PAC attack

This attack, discovered in mid-2016, exploits weaknesses in the Web Proxy Autodiscovery Protocol (WPAD) to expose the URL that a web user is attempting to reach via a TLS-enabled web link. Disclosure of a URL can violate a user's privacy, not only because of the web site accessed, but also because URLs are sometimes used to authenticate users. Document sharing services, such as those offered by Google and Dropbox, also work by sending a user a security token that's included in the URL. An attacker who obtains such URLs may be able to gain full access to a victim's account or data. The exploit works against almost all browsers and operating systems.

Sweet32 attack

The Sweet32 attack breaks all 64-bit block ciphers used in CBC mode as used in TLS by exploiting a birthday attack and either a man-in-the-middle attack or injection of a malicious JavaScript into a web page. The purpose of the man-in-the-middle attack or the JavaScript injection is to allow the attacker to capture enough traffic to mount a birthday attack.
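Why a 64-bit block size is the problem, worked through here as an added note (not part of the original page) using the birthday bound the paragraph refers to. In CBC mode each ciphertext block is $C_i = E_K(P_i \oplus C_{i-1})$, so two equal ciphertext blocks $C_i = C_j$ under the same key imply

$$
P_i \oplus C_{i-1} = P_j \oplus C_{j-1} \quad\Longrightarrow\quad P_i \oplus P_j = C_{i-1} \oplus C_{j-1},
$$

i.e. the XOR of two plaintext blocks is revealed from ciphertext alone. For a $b$-bit block cipher, the probability of at least one such collision among $n$ blocks encrypted under one key is

$$
\Pr[\text{collision}] \approx 1 - e^{-n(n-1)/2^{b+1}} \approx \frac{n^2}{2^{b+1}} \quad (n \ll 2^{b/2}).
$$

With $b = 64$, $n = 2^{32}$ blocks gives $\Pr \approx 1 - e^{-1/2} \approx 0.39$, and $2^{32}$ blocks of 8 bytes is only $2^{35}$ bytes, about 32 GiB of traffic under a single key, which is why the attacker needs to capture (or, via injected JavaScript, cause) that much traffic. With $b = 128$ (AES) the same probability needs $2^{64}$ blocks, i.e. $2^{68}$ bytes, far beyond any single session. The practical mitigation is therefore to prefer 128-bit block ciphers and to rekey long CBC sessions well before $2^{32}$ blocks.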