Brian Jackson - Fotolia

Drown attack sinks SSL security

Researchers publish paper outlining how an attacker could crack the TLS security protocol to gain access to millions of secure websites

Security researchers from Israel, Germany and the US have published a paper describing how a key internet protocol is being undermined by SSLv2, leaving millions of websites open to attack.

The cross-protocol attack, known as Drown, performs live attacks on TLS, one of the main protocols used for security on the internet.

According to the researchers, the attack can be completed on a single core on commodity hardware in less than a minute, without GPUs or distributed computing, and is limited primarily by how quickly the server can complete handshakes.

It is fast enough to perform man-in-the-middle attacks on live TLS sessions before the handshake times out, even allowing the attacker to target connections to servers that prefer non-RSA cipher suites and downgrade a modern TLS client to RSA key exchange, the researchers said.

According to the researchers, as many as one-third of HTTPS servers are vulnerable to the attack.

They warned that the use of SSLv2 is not only weak, but actively harmful to the TLS ecosystem.

To decrypt one TLS session, an attacker would need to capture about 1,000 TLS sessions passively using RSA key exchange, where secret keys are exchanged securely online by encrypting the secret key with the intended recipient’s public key.

The researchers used RSA key exchange to make 40,000 SSLv2 connections to the victim server and perform 250 symmetric encryption operations.

Read more about SSL

“We successfully carried out this attack using a heavily optimised GPU implementation and were able to decrypt a 2048-bit RSA ciphertext in less than 18 hours on a GPU cluster and less than eight hours using the Amazon EC2 service,” they said.

An attacker would passively eavesdrop on traffic between the client and server and record RSA-based TLS traffic, and could expect to decrypt one out of 1,000 intercepted TLS connections, the researchers said.

“This is a devastating threat in many scenarios,” they said. “A decrypted TLS connection might reveal a client’s HTTP cookie or plaintext password, and an attacker would only need to successfully decrypt a single ciphertext to compromise the client’s account.”

Collecting this many connections might involve intercepting traffic for a long time or tricking the user into visiting a website that quickly makes many connections to another site in the background, the researchers said.

They recommended server administrators to check that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.

Read more on Privacy and data protection