Tag Archives: openssl

DROWN

Another day, another SSL attack. A new, low-cost attack has been found, that decrypts sensitive communications in a matter of hours and in some cases almost immediately. I hereby name you DROWN! And CVE-2016-0800.

The attack works against TLS-protected communications that rely on the RSA cryptosystem when the key is exposed even indirectly through SSLv2, a TLS precursor that was retired almost two decades ago because of crippling weaknesses. The vulnerability allows an attacker to decrypt an intercepted TLS connection by repeatedly using SSLv2 to make connections to a server.

The fact is though, that many of the listed SSL-based attacks over the last 2 years ( and yes there have been quite a few ), are not inherently serious, or do not have a large attack surface. Many require a particular ( and unusual ) set of circumstances and dependencies that make their effectiveness, well less effective.

And DROWN is not dissimilar. I requires SSLv2 to be enabled on the web server. For those in the know, and any sysadmin worth their salt, anything below TLSv1 ( at the very least ) should have been switched off on your web servers, years ago already. Known issues with these lesser versions of encryption have absolutely mandated their non-use. But unfortunately, the ease with which a web server can be put online is not directly comparable to the technical skill of those putting these servers online. So you can bet there are probably some misconfigured servers out there.

But the attack surface for DROWN should be relatively small and those who are effected, will probably ( and hopefully ) not be providing anything of value on their sites.

There’s a lesson to be learnt here though: just because something may seem simple to do on the surface, does not mean it is in reality. There’s no replacement for skill and experience.

Heartbleed finally results in some resources for OpenSSL

Heartbleed continues to cause enormous issues around the globe and is being actively attacked. Saying that, the bulk of solutions and systems out there using OpenSSL have been patched by now so the risk surface is growing smaller and smaller by the day.

OpenSSL President Steve Marquess wrote in a blog post last week that OpenSSL typically receives about $2,000 in donations a year and has just one employee who works full time on the open source code. That is paltry compared to many other open source projects and one can easily understand that with such limited resources, it would be very difficult to create a high quality product.

Everyone seems to have woken up now and the Linux Foundation is arranging a 3 yr initiative worth about $4 million to help under-funded open source projects, the first one being OpenSSL.

So hopefully we’re going to be seeing a better staffed OpenSSL project with higher quality code rising out of the ashes soon.

It’s interesting to see that Theo de Raadt’s ( not someone I’ve ever looked up to ) OpenBSD project is forking the code arguing that OpenSSL is full of “discarded leftovers” and unreadable code. Easy to say when you’ve got a big group behind you. I wonder what Theo would’ve said if he’d been the only developer?