Security researchers in London say they have discovered a way to successfully attack SSL and TLS encryption. The attack, known as “Lucky Thirteen,” puts many Internet services at risk.
The Register’s John Leyden reported, “Two scientists say they have identified a new weakness in TLS, the encryption system used to safeguard online shopping, banking and privacy. The design flaw, revealed today, could be exploited to snoop on passwords and other sensitive information sent by users to HTTPS websites. Professor Kenny Paterson from the Information Security Group at Royal Holloway, University of London and PhD student Nadhem Alfardan claim they can crack TLS-encrypted traffic in a man-in-the-middle attack.”
Ars Technica’s Dan Goodin explained, “The discovery is significant because in many cases it makes it possible for attackers to completely subvert the protection provided by the secure sockets layer and transport layer protocols. Together, SSL, TLS, and a close TLS relative known as Datagram Transport Layer Security are the sole cryptographic means for websites to prove their authenticity and to encrypt data as it travels between end users and Web servers. The so-called ‘Lucky Thirteen’ attacks devised by computer scientists to exploit the weaknesses work against virtually all open-source TLS implementations, and possibly implementations supported by Apple and Cisco Systems as well. (Microsoft told the researchers it has determined its software isn’t susceptible.)”
Wired’s Ian Steadman noted, “And while the conditions under which the TLS can be attacked are quite specific, Paterson and AlFardan concede that ‘it is a truism that attacks only get better with time, and we cannot anticipate what improvements to our attacks, or entirely new attacks, may yet to be discovered.’ The problem with TLS as it stands, the researchers say, isn’t a bug so much as an unnoticed flaw in the “specification” of TLS versions 1.1 or 1.2 (as well as Datagram TLS, another variant, versions 1.0 and 1.2). Normally, even if data is sent over a connection with TLS encryption, someone performing a man-in-the-middle attack wouldn’t be an issue — they can’t decrypt what was sent without the right key.”
According to InfoWorld’s Lucian Constantin, “The developers of many SSL libraries are releasing patches for a vulnerability that could potentially be exploited to recover plaintext information, such as browser authentication cookies, from encrypted communications. The patching effort follows the discovery of new ways to attack SSL, TLS and DTLS implementations that use cipher-block-chaining (CBC) mode encryption.”