DROWN: Breaking TLS using SSLv2
Abstract
We present DROWN, a novel cross-protocol attack that
can decrypt passively collected TLS sessions from upto-date
clients by using a server supporting SSLv2 as a
Bleichenbacher RSA padding oracle. We present two versions
of the attack. The more general form exploits a combination
of thus-far unnoticed protocol flaws in SSLv2
to develop a new and stronger variant of the Bleichenbacher
attack. A typical scenario requires the attacker
to observe 1,000 TLS handshakes, then initiate 40,000
SSLv2 connections and perform 2
50 offline work to decrypt
a 2048-bit RSA TLS ciphertext. (The victim client
never initiates SSLv2 connections.) We implemented the
attack and can decrypt a TLS 1.2 handshake using 2048-
bit RSA in under 8 hours using Amazon EC2, at a cost
of $440. Using Internet-wide scans, we find that 33% of
all HTTPS servers and 22% of those with browser-trusted
certificates are vulnerable to this protocol-level attack,
due to widespread key and certificate reuse.
For an even cheaper attack, we apply our new techniques
together with a newly discovered vulnerability in
OpenSSL that was present in releases from 1998 to early
2015. Given an unpatched SSLv2 server to use as an
oracle, we can decrypt a TLS ciphertext in one minute on
a single CPU—fast enough to enable man-in-the-middle
attacks against modern browsers. 26% of HTTPS servers
are vulnerable to this attack.
We further observe that the QUIC protocol is vulnerable
to a variant of our attack that allows an attacker to
impersonate a server indefinitely after performing as few
as 225 SSLv2 connections and 265 offline work.
We conclude that SSLv2 is not only weak, but actively
harmful to the TLS ecosystem.
can decrypt passively collected TLS sessions from upto-date
clients by using a server supporting SSLv2 as a
Bleichenbacher RSA padding oracle. We present two versions
of the attack. The more general form exploits a combination
of thus-far unnoticed protocol flaws in SSLv2
to develop a new and stronger variant of the Bleichenbacher
attack. A typical scenario requires the attacker
to observe 1,000 TLS handshakes, then initiate 40,000
SSLv2 connections and perform 2
50 offline work to decrypt
a 2048-bit RSA TLS ciphertext. (The victim client
never initiates SSLv2 connections.) We implemented the
attack and can decrypt a TLS 1.2 handshake using 2048-
bit RSA in under 8 hours using Amazon EC2, at a cost
of $440. Using Internet-wide scans, we find that 33% of
all HTTPS servers and 22% of those with browser-trusted
certificates are vulnerable to this protocol-level attack,
due to widespread key and certificate reuse.
For an even cheaper attack, we apply our new techniques
together with a newly discovered vulnerability in
OpenSSL that was present in releases from 1998 to early
2015. Given an unpatched SSLv2 server to use as an
oracle, we can decrypt a TLS ciphertext in one minute on
a single CPU—fast enough to enable man-in-the-middle
attacks against modern browsers. 26% of HTTPS servers
are vulnerable to this attack.
We further observe that the QUIC protocol is vulnerable
to a variant of our attack that allows an attacker to
impersonate a server indefinitely after performing as few
as 225 SSLv2 connections and 265 offline work.
We conclude that SSLv2 is not only weak, but actively
harmful to the TLS ecosystem.
Research Areas
