
1998 attack that messes with sites’ secret crypto keys is back in a big way

A surprisingly big number of top-name websites—Facebook and PayPal among them—recently tested positive for a critical, 19-year-old vulnerability that allowed attackers to decrypt encrypted data and sign communications using the sites' secret encryption key.

The vulnerability in the transport layer security protocol for Web encryption was disclosed in 1998 when researcher Daniel Bleichenbacher found it in the TLS predecessor known as secure sockets layer. A flaw in the algorithm that handles RSA encryption keys responded to certain types of errors in a way that divulged potentially sensitive information. With enough specially formed queries, attackers could exploit the weakness in a way that allowed them to decrypt ciphertext even when they didn't have the secret decryption key. SSL architects responded by designing workarounds that suppressed the error messages rather than removing or rewriting the faulty RSA algorithm.
Full story at Ars Technica
 
What's with surfacing of security flaws dating decades back? First Spectre/Meltdown and now this? WTF?
 
Everyone is like "Oh no, I'm going to lose some performance yet again"
 
What's with surfacing of security flaws dating decades back? First Spectre/Meltdown and now this? WTF?

Spectre and Meltdown may be decades old, but they are relatively newly discovered. This has been KNOWN for 19 years, so no excuse.

That said, as bad as this is, someone still needs to tap your line and break the password hash between you and paypal to actually hijack an account, so nothing much meaningful will probably happen from this. It still needs to be patched immediately.
 
Spectre and Meltdown may be decades old, but they are relatively newly discovered. This has been KNOWN for 19 years, so no excuse.

That said, as bad as this is, someone still needs to tap your line and break the password hash between you and paypal to actually hijack an account, so nothing much meaningful will probably happen from this. It still needs to be patched immediately.

But it hasn't been fixed for 19 years: instead, a workaround was implemented.

The vulnerability in the transport layer security protocol for Web encryption was disclosed in 1998 when researcher Daniel Bleichenbacher found it in the TLS predecessor known as secure sockets layer. A flaw in the algorithm that handles RSA encryption keys responded to certain types of errors in a way that divulged potentially sensitive information. With enough specially formed queries, attackers could exploit the weakness in a way that allowed them to decrypt ciphertext even when they didn't have the secret decryption key. SSL architects responded by designing workarounds that suppressed the error messages rather than removing or rewriting the faulty RSA algorithm.

Since the problem was never fixed, it was "just waiting" for another way to be taken advantage of, and that way was just found, it seems.
 
But it hasn't been fixed for 19 years: instead, a workaround was implemented.



Since the problem was never fixed, it was "just waiting" for another way to be taken advantage of, and that way was just found, it seems.
And shows in crystal clarity just what can be done at times to fix issues and also just how fixed they are in reality.
 
But it hasn't been fixed for 19 years: instead, a workaround was implemented.

A workaround that should be effective if actually implemented. My understanding is the above sites are simply configured badly.
 
A workaround that should be effective if actually implemented. My understanding is the above sites are simply configured badly.

But, if it was indeed fixed, this could not have happened, no?

By leaving the issue unfixed, they exposed themselves to further problems, but the real problem is that it took 19 years for them to notice.
 
But, if it was indeed fixed, this could not have happened, no?

By leaving the issue unfixed, they exposed themselves to further problems, but the real problem is that it took 19 years for them to notice.

My understanding is it was fixed by simply suppressing errors that could leak data in the default config. This does not prevent idiot admins from overriding the default config to expose those errors again.
 
My understanding is it was fixed by simply suppressing errors that could leak data in the default config. This does not prevent idiot admins from overriding the default config to expose those errors again.

According to Ars Technica's article (see below), they specifically did not fix the problem and instead used workarounds to suppress the issue.

SSL architects responded by designing workarounds that suppressed the error messages rather than removing or rewriting the faulty RSA algorithm.
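
Added example, not part of any post in this thread or of the Ars Technica article: a sketch of the difference between a server whose error responses reveal whether RSA PKCS#1 v1.5 padding was valid and one that applies the error-suppressing workaround discussed above, in the style of RFC 5246 section 7.4.7.1. The key is a constructed toy key and all function names are hypothetical.

```python
import secrets

# Constructed toy key built from two Mersenne primes; illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes
PMS_LEN = 48                    # length of a TLS premaster secret

def encrypt(msg: bytes) -> int:
    """PKCS#1 v1.5 encryption block: 00 02 <nonzero padding> 00 <msg>."""
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    return pow(int.from_bytes(b"\x00\x02" + pad + b"\x00" + msg, "big"), E, N)

def unpad(em: bytes):
    """Return the message, or None when the padding is malformed."""
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:   # sep < 10: no separator or pad < 8 bytes
        return None
    return em[sep + 1:]

def leaky_server(c: int):
    """Before: each failure produces its own alert, visible to the peer."""
    m = unpad(pow(c, D, N).to_bytes(K, "big"))
    if m is None:
        return "alert: bad padding", None
    if len(m) != PMS_LEN:
        return "alert: bad premaster length", None
    return "continue handshake", m

def hardened_server(c: int):
    """After: on any failure, carry on with a random premaster secret."""
    fallback = secrets.token_bytes(PMS_LEN)   # generated before decrypting
    m = unpad(pow(c, D, N).to_bytes(K, "big"))
    ok = m is not None and len(m) == PMS_LEN
    # Python gives no constant-time guarantee; real stacks must also avoid
    # timing differences between the two outcomes.
    return "continue handshake", (m if ok else fallback)

def visible_responses(server, ciphertexts):
    """Distinct peer-visible responses; more than one leaks which check failed."""
    return {server(c)[0] for c in ciphertexts}

def sample_ciphertexts():
    """Constructed inputs: valid, wrong block type, wrong premaster length."""
    bad_type = int.from_bytes(b"\x00\x01" + b"\xff" * (K - 2), "big")
    return [encrypt(secrets.token_bytes(PMS_LEN)), pow(bad_type, E, N), encrypt(b"short")]
```

With the hardened handler a malformed ciphertext only surfaces later, when the handshake fails because the two sides derived different keys, which is the same failure any wrong key produces.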
 
What's with surfacing of security flaws dating decades back? First Spectre/Meltdown and now this? WTF?

Oh come on, one reason I stopped watching the TV, news channels make it look like a break out of crap but in reality it's much more often than they make out.
 
According to Ars Technica's article (see below), they specifically did not fix the problem and instead used workarounds to suppress the issue.

That is essentially what I just stated. Semantics perhaps, as it's still broken.
 
That is essentially what I just stated. Semantics perhaps, as it's still broken.

A workaround is not a fix, as far as I'm concerned.

To give a somewhat crude analogy:

If a water heater suddenly starts not enabling more heat (more gas usage), you should not "fix it" by reducing the amount of water, thus heating the water more. Instead you should fix the heating problem. This kind of workaround seems to be the thing that happened with this exploit.
 
Fair point.
 