The developers of many SSL libraries are releasing patches for a vulnerability that could potentially be exploited to recover plaintext information, such as browser authentication cookies, from encrypted communications.
The patching effort follows the discovery of new ways to attack SSL, TLS and DTLS implementations that use cipher-block-chaining (CBC) mode encryption. The new attack methods were developed by researchers Nadhem J. AlFardan and Kenneth G. Paterson at the University of London's Royal Holloway College.
The men published a research paper and a website on Monday with detailed information about their new attacks, which they have dubbed the Lucky Thirteen. They've worked with several TLS library vendors, as well as the TLS Working Group of the IETF (Internet Engineering Task Force), to fix the issue.
The TLS (Transport Layer Security) protocol and its predecessor, the SSL (Secure Sockets Layer) protocol, are a core part of HTTPS (Hypertext Transfer Protocol Secure), the primary method of securing communications on the Web. The DTLS (Datagram Transport Layer Security) protocol is based on TLS and used for encrypting connections between applications that communicate over UDP (User Datagram Protocol).
"OpenSSL, NSS, GnuTLS, yaSSL, PolarSSL, Opera, and BouncyCastle are preparing patches to protect TLS in CBC-mode against our attacks," the researchers said on their website.
The discovery means that end users could theoretically be vulnerable to hackers when they visit HTTPS websites that haven't applied the patches. However, security experts say the vulnerability is very hard to exploit, so there may be little cause for alarm.
"The attacks arise from a flaw in the TLS specification rather than as a bug in specific implementations," they said. "The attacks apply to all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2 [the most recent versions of the two specifications]. They also apply to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures to previous padding oracle attacks. Variant attacks may also apply to non-compliant implementations."
What this means is that almost all libraries used for implementing some of the Internet's most important security protocols are likely to be vulnerable to the Lucky Thirteen attacks.
The good news is that executing these attacks successfully in the real world to decrypt data from TLS connections is difficult because they require specific server-side and client-side conditions. For example, the attacker needs to be very close to the targeted server -- on the same local area network (LAN).
Padding oracle attacks have been known for over a decade. They involve an attacker capturing an encrypted record while in transit, altering certain parts of it, submitting it to the server and monitoring how long it takes for the server to fail the decryption attempt. By adapting his modifications and analyzing the time differences between many decryption attempts, the attacker can eventually recover the original plaintext byte by byte.
The TLS designers attempted to block such attacks in version 1.2 of the TLS specification, by reducing the timing variations to a level they thought would be too low to be exploitable. However, the Lucky Thirteen research from AlFardan and Paterson shows that this assumption was incorrect and that successful padding oracle attacks are still possible.
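To make the two paragraphs above concrete, here is a small Python model, written for this article and not taken from the research paper or from any TLS library. It works on the already-decrypted record layout (content, then MAC tag, then padding bytes, as in TLS's MAC-then-pad-then-encrypt construction) and counts how many SHA-256 compression-function calls a MAC check would perform, since that count is what drives the timing difference. `verify_variable_time` follows the TLS 1.1/1.2 advice of assuming a zero-length pad when the padding is malformed and then checking a MAC anyway: the work still depends on the padding length, so two equal-length records take different amounts of time. `verify_uniform_time` shows the shape of the fix the library vendors shipped: the same number of compression calls for every record of a given length, a constant-time tag comparison, and a single failure result. The key, record contents and the hypothetical `hmac_blocks` helper are constructed for the example; Python cannot make real constant-time guarantees, so this illustrates the structure of the countermeasure rather than a production implementation.

```python
import hashlib
import hmac

MAC_LEN = 32          # HMAC-SHA256 tag length in bytes
SHA256_BLOCK = 64     # SHA-256 compression block size in bytes
KEY = b"constructed-toy-mac-key"  # constructed sample key, not a real secret


def hmac_blocks(msg_len: int) -> int:
    """Compression-function calls HMAC-SHA256 makes over msg_len bytes.

    Inner hash: 64-byte padded key block + message, plus at least 9 bytes of
    SHA-256 padding/length.  Outer hash: 64-byte key block + 32-byte digest.
    This is the quantity an observer's timing measurement is proportional to.
    """
    inner = (SHA256_BLOCK + msg_len + 9 + SHA256_BLOCK - 1) // SHA256_BLOCK
    outer = (SHA256_BLOCK + MAC_LEN + 9 + SHA256_BLOCK - 1) // SHA256_BLOCK
    return inner + outer


def build_record(content: bytes, key: bytes, pad_len: int) -> bytes:
    """Toy MAC-then-pad record: content || HMAC(content) || (pad_len+1) bytes of pad_len."""
    tag = hmac.new(key, content, hashlib.sha256).digest()
    return content + tag + bytes([pad_len]) * (pad_len + 1)


def _split(plain: bytes, key: bytes):
    """Shared padding check; returns (pad_ok, content, tag, computed_tag)."""
    pad_len = plain[-1]
    pad_ok = (pad_len + 1 + MAC_LEN <= len(plain)
              and plain[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    if not pad_ok:
        pad_len = 0  # TLS 1.1/1.2: assume a zero-length pad and still run the MAC
    content = plain[: len(plain) - MAC_LEN - pad_len - 1]
    tag = plain[len(content): len(content) + MAC_LEN]
    computed = hmac.new(key, content, hashlib.sha256).digest()
    return pad_ok, content, tag, computed


def verify_variable_time(plain: bytes, key: bytes):
    """Pre-Lucky-Thirteen behaviour: returns (ok, compression_calls).

    The MAC runs over whatever content length the padding implies, so the
    number of compression calls, and hence the time, depends on the padding.
    """
    pad_ok, content, tag, computed = _split(plain, key)
    return bool(pad_ok and computed == tag), hmac_blocks(len(content))


def verify_uniform_time(plain: bytes, key: bytes):
    """Hardened shape: returns (ok, compression_calls).

    Work is padded up to the maximum any record of this length could need,
    the tag comparison is constant-time, and padding and MAC failures are
    folded into one boolean without short-circuiting.
    """
    pad_ok, content, tag, computed = _split(plain, key)
    max_blocks = hmac_blocks(len(plain) - MAC_LEN - 1)  # worst case: zero-length pad
    extra = max_blocks - hmac_blocks(len(content))
    if extra:
        # Dummy compression work so every record of this length costs the same.
        hashlib.sha256(bytes(SHA256_BLOCK * extra)).digest()
    ok = bool(pad_ok & hmac.compare_digest(computed, tag))
    return ok, max_blocks


def demo():
    """Two 89-byte records: one valid, one with a corrupted padding byte."""
    good = build_record(b"A" * 33, KEY, 23)           # 33 + 32 + 24 bytes
    bad = good[:-5] + b"\x00" + good[-4:]              # break one padding byte
    return {
        "variable_good": verify_variable_time(good, KEY),
        "variable_bad": verify_variable_time(bad, KEY),
        "uniform_good": verify_uniform_time(good, KEY),
        "uniform_bad": verify_uniform_time(bad, KEY),
    }


if __name__ == "__main__":
    for name, (ok, blocks) in demo().items():
        print(f"{name:14s} ok={ok!s:5s} compression_calls={blocks}")
```

Running it shows the point of the paper in miniature: the variable-time check does 4 compression calls for the well-formed record and 5 for the tampered one, a difference an attacker on the same LAN can measure, while the uniform version does 5 in both cases and distinguishes them only by its single boolean. Defensively, the lesson is that a padding-oracle countermeasure has to equalise the work done on both paths, not just merge the error messages.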