Cryptography

SSL/TLS threats

Medium
25 min

TLS is a good protocol but, like all cryptography, it is important to use it correctly. Let's now go through some threats in situations where it is not used correctly.

BEAST (Browser Exploit Against SSL/TLS)

The BEAST attack targets implementations of SSL 3.0/TLS 1.0, specifically their CBC encryption mode. It allows an attacker to recover information, such as cookies, that is sent in encrypted form, which enables session hijacking and theft of other sensitive data. To defend against the attack, update to newer TLS versions that fix this vulnerability.

POODLE (Padding Oracle On Downgraded Legacy Encryption)

POODLE shows that an attacker can force a web browser and server to fall back to the outdated SSL 3.0 protocol, whose padding handling is vulnerable. After that, the attacker can decrypt encrypted data, such as cookies. To protect against POODLE, disable SSL 3.0 support in both client and server applications.

Heartbleed

Heartbleed was a serious vulnerability in the OpenSSL library that allowed the contents of memory areas, including private keys and user data, to leak. It was not a weakness in the SSL/TLS protocol itself, but in its most commonly used implementation. Heartbleed demonstrated the critical importance of updating software components and actively monitoring security updates.

Man-in-the-Middle (MitM) Attacks

Man-in-the-middle attacks are one of the most serious threats to SSL/TLS connections. In this scenario, an attacker is able to secretly intercept and potentially modify data between two parties. Although TLS includes mechanisms to prevent such attacks, such as authentication during key exchange, incorrect implementation can still leave the connection vulnerable.

Downgrade Attacks

In a downgrade attack, the attacker forces the communicating parties to use a weaker encryption protocol or method, making it easier to break the encryption. This is possible if the system allows the use of older, vulnerable protocols. Enforcing stronger protocols, such as TLS 1.2 and 1.3, and removing the use of older protocols help combat this threat.

Importance of Confidentiality

Perfect Forward Secrecy (PFS) is a method that prevents encrypted traffic from being decrypted afterwards, even if the attacker later obtains the server's private key. This is achieved by using a unique key exchange method for each session, which does not depend on the server's long-term private key. The use of PFS is crucial for the long-term security of TLS connections.

Certificate misuse

Incorrectly issued or stolen certificates can lead to users being directed to malicious websites. Lack of certificate validation and trust issues with the Certificate Authority (CA) are key risks.

Disclosure of encryption key

If an attacker manages to get hold of encryption keys, they can decrypt all encrypted traffic (if there is no forward secrecy). Stealing the key can happen in many different ways, including server breaches.

Packet retransmission and manipulation

Although TLS protects the integrity of data, in certain circumstances an attacker may attempt replay attacks or manipulate the order of messages, causing disruptions in communication.

Quantum Computers

Quantum computing threatens the long-term security of encryption algorithms used by TLS. In particular, public key encryption methods, such as RSA and ECC, may be vulnerable to quantum attacks.

Exercise

In this exercise, we find a target with a TLS-secured HTTPS service. However, this service uses TLS settings that do not support forward secrecy and therefore allow the captured traffic to be decrypted if the server's private key is exposed. Two files are available from the service:

  • /tls-traffic.pcap, which contains encrypted HTTPS traffic received by the service.
  • /private.key, which is the private key required for decryption.

Start the task by launching the lab below. You can repeat the steps afterwards.

Exercises

Flag

Find the flag from the lab environment and enter it below.

In the "Internal network targets" view, note the IP address and download tls-traffic.pcap and private.key from the server with a command such as wget.

Then open Wireshark (from the menu) and, in Wireshark, open the pcap file you just downloaded.

At this point we only see protected data that is not readable. Therefore, we need to use the private key downloaded earlier to decrypt the TLS traffic into a readable form. Select Edit -> Preferences, then Protocols -> TLS, and click Edit next to "RSA keys list".

Enter the following settings and provide the private key file.

When these are ready, press OK in both dialogs. Wireshark should now decrypt the TLS traffic, and you will find the flag in it.

How could this vulnerability be fixed?

In order to prevent stored SSL/TLS traffic from being decrypted afterwards, even if an attacker gains access to the server's private key, it is essential to choose a cipher suite that supports Perfect Forward Secrecy (PFS). Forward secrecy ensures that a unique session key is created for each session, which is not dependent on the server's long-term private key. This means that even if the private key is compromised, previously encrypted traffic cannot be decrypted using it.

In order to ensure confidentiality and to make the connection as secure as possible, it is recommended to use a modern cipher suite that uses elliptic curves (ECC) and/or the Diffie-Hellman key exchange method (DH or ECDHE). For example:

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
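As an added example (not part of the original page or the lab), the weak configuration of the lab server next to the recommended one, audited with the Python standard-library ssl module: the check flags every enabled suite whose key exchange is static (decryptable later with the server's private key, exactly what the Wireshark step above does) and whether protocol versions below TLS 1.2 are still negotiable. The two ECDHE suite names are the page's; the RSA-key-exchange suite list used for the weak context and the audit helpers are constructed for this example.

```python
import ssl

# Key-exchange identifiers (the 'kea' field of SSLContext.get_ciphers()) that
# give forward secrecy: ephemeral (EC)DHE in TLS 1.2, and "kx-any", which the
# ssl module reports for the TLS 1.3 suites (TLS 1.3 only has ephemeral shares).
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def non_pfs_ciphers(ctx):
    """Names of enabled suites with a static key exchange (e.g. 'kx-rsa').

    Sessions negotiated with these can be decrypted afterwards from a capture
    by anyone who obtains the server's private key.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] not in FORWARD_SECRET_KX]


def allows_legacy_versions(ctx):
    """True if anything below TLS 1.2 may still be negotiated (downgrade surface)."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def weak_context():
    """Constructed to resemble the lab server: RSA key exchange, old versions allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # no lower bound at all
    ctx.set_ciphers("AES256-GCM-SHA384:AES128-GCM-SHA256")   # TLS_RSA_WITH_..., no PFS
    return ctx


def hardened_context():
    """The fix the page recommends: TLS 1.2 or newer and the two ECDHE suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384")
    return ctx


def audit(ctx):
    """One-shot summary: suites lacking PFS and whether legacy versions remain."""
    return {"non_pfs": non_pfs_ciphers(ctx),
            "legacy_versions": allows_legacy_versions(ctx)}


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(f"{label}: {audit(ctx)}")
```

The same audit can be pointed at any SSLContext an application builds, so it doubles as a unit test that a deployment never regresses to static RSA key exchange.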