Tuesday, July 27, 2021

Researchers Successfully Attack SSL, TLS

Security researchers in London say they have discovered a way to successfully attack SSL and TLS encryption. The attack, known as “Lucky Thirteen,” puts many Internet services at risk.

The Register’s John Leyden reported, “Two scientists say they have identified a new weakness in TLS, the encryption system used to safeguard online shopping, banking and privacy. The design flaw, revealed today, could be exploited to snoop on passwords and other sensitive information sent by users to HTTPS websites. Professor Kenny Paterson from the Information Security Group at Royal Holloway, University of London and PhD student Nadhem Alfardan claim they can crack TLS-encrypted traffic in a man-in-the-middle attack.”

Ars Technica’s Dan Goodin explained, “The discovery is significant because in many cases it makes it possible for attackers to completely subvert the protection provided by the secure sockets layer and transport layer protocols. Together, SSL, TLS, and a close TLS relative known as Datagram Transport Layer Security are the sole cryptographic means for websites to prove their authenticity and to encrypt data as it travels between end users and Web servers. The so-called ‘Lucky Thirteen’ attacks devised by computer scientists to exploit the weaknesses work against virtually all open-source TLS implementations, and possibly implementations supported by Apple and Cisco Systems as well. (Microsoft told the researchers it has determined its software isn’t susceptible.)”

Wired’s Ian Steadman noted, “And while the conditions under which the TLS can be attacked are quite specific, Paterson and AlFardan concede that ‘it is a truism that attacks only get better with time, and we cannot anticipate what improvements to our attacks, or entirely new attacks, may yet to be discovered.’ The problem with TLS as it stands, the researchers say, isn’t a bug so much as an unnoticed flaw in the “specification” of TLS versions 1.1 or 1.2 (as well as Datagram TLS, another variant, versions 1.0 and 1.2). Normally, even if data is sent over a connection with TLS encryption, someone performing a man-in-the-middle attack wouldn’t be an issue — they can’t decrypt what was sent without the right key.”

According to InfoWorld’s Lucian Constantin, “The developers of many SSL libraries are releasing patches for a vulnerability that could potentially be exploited to recover plaintext information, such as browser authentication cookies, from encrypted communications. The patching effort follows the discovery of new ways to attack SSL, TLS and DTLS implementations that use cipher-block-chaining (CBC) mode encryption.”

Similar articles

Latest Articles

Data Science Market Trends...

When famed mathematician John W. Tukey postulated that advanced computing would have a profound effect on data analysis, he probably didn’t imagine the full...

Data Recovery Market Trends...

Data recovery is more important than ever in this era of constant cyber attacks and ransomware. The Verizon Data Breach Investigations Report (DBIR) looked...

Trends in Data Visualization

In a world of big data, visualization is becoming a key skill set that every business must master.  Digital technology has transformed the way businesses...

Microsoft Data Portfolio Review

With a host of analytics services for almost any situation, Microsoft Azure’s data services have got just about every base covered.   In the world...