[Cryptography] DROWN attack on SSLv2 enabled servers

John-Mark Gurney jmg at funkthat.com
Sun Mar 6 18:25:50 EST 2016


Viktor Dukhovni wrote this message on Sun, Mar 06, 2016 at 17:49 -0500:
> > On Mar 6, 2016, at 3:29 PM, ianG <iang at iang.org> wrote:
> > 
> > Instead, they've preferred to travel with the false sirens of algorithm agility.
> 
> Democracy is the worst form of government, except for all the others.
> 
> In fact algorithm agility (and protocol negotiation) make it possible
> to move on.  OpenSSL 1.1.0 (beta slated for later this week) moved on
> before DROWN.  The 1.0.x stable branches remained backwards compatible
> with SSLv2 too long, this has now been addressed.

Except when it doesn't...

Protocol negotiation is STILL broken in TLS after years of known
attacks and multiple versions of TLS...  TLS clients/servers don't have
a clean way to ensure that the other side is not being downgraded by
a MitM attack...

People are hacking the cipher suite value to be the protocol downgrade
prevention (less than a year ago):
https://tools.ietf.org/html/rfc7507

  "The fallback SCSV defined in this document is not a suitable
   substitute for proper TLS version negotiation.  TLS implementations
   need to properly handle TLS version negotiation and extensibility
   mechanisms to avoid the security issues and connection delays
   associated with fallback retries."

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
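The downgrade dance and the RFC 7507 check discussed above, as an added example that is not part of the mailing-list post and not code from any TLS implementation. It models a client that retries with a lower version after a handshake failure, an active attacker that drops ClientHellos above a chosen version, and a server applying the RFC 7507 rule: if TLS_FALLBACK_SCSV (0x5600) is present and the offered version is below the server's highest, abort with inappropriate_fallback (alert 86). The record format, the placeholder cipher-suite ids and the function names are assumptions made for the model; real TLS messages are not parsed.

```python
"""
Toy model of RFC 7507 TLS_FALLBACK_SCSV downgrade protection.
Added example: not the post's code and not any TLS library's API.
Handshake messages are simple Python objects, not TLS wire format.
"""
from dataclasses import dataclass

TLS_FALLBACK_SCSV = 0x5600          # cipher-suite value defined in RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86   # alert code defined in RFC 7507 section 3

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303


@dataclass
class ClientHello:
    client_version: int
    cipher_suites: list  # list of 16-bit cipher-suite values


def server_handle(hello, server_max_version, scsv_aware=True):
    """Server side.  With scsv_aware=True it applies the RFC 7507 rule:
    SCSV present and offered version below the server's highest means the
    client fell back although this server could do better, so abort.
    With scsv_aware=False it behaves like a legacy server that simply
    ignores the unknown cipher-suite value."""
    if (scsv_aware
            and TLS_FALLBACK_SCSV in hello.cipher_suites
            and hello.client_version < server_max_version):
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("server_hello", min(hello.client_version, server_max_version))


def mitm_drop(hello, drop_above):
    """Active attacker: drop any ClientHello above `drop_above`, so the client
    sees a connection failure and (wrongly) concludes the server is
    version-intolerant."""
    if hello.client_version > drop_above:
        return None
    return hello


def client_connect(server_max_version, use_scsv, drop_above=None,
                   server_scsv_aware=True, versions=(TLS12, TLS11, TLS10)):
    """Client with a fallback retry loop: try the highest version first and
    on failure retry the next-lower one.  With use_scsv=True every retry
    below the client's own highest version adds TLS_FALLBACK_SCSV to the
    cipher-suite list (RFC 7507 section 4)."""
    real_suites = [0xC02F, 0x009C]  # placeholder suite ids for the model
    for attempt, version in enumerate(versions):
        suites = list(real_suites)
        if use_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)
        hello = ClientHello(version, suites)
        if drop_above is not None:
            hello = mitm_drop(hello, drop_above)
            if hello is None:
                continue  # looks like intolerance to the client: fall back
        return server_handle(hello, server_max_version, server_scsv_aware)
    return ("failed", None)


if __name__ == "__main__":
    # No attacker: the highest common version is negotiated.
    print(client_connect(TLS12, use_scsv=False))
    # Attacker forces fallback and the client does not send the SCSV:
    # the server happily accepts TLS 1.0 and the downgrade goes unnoticed.
    print(client_connect(TLS12, use_scsv=False, drop_above=TLS10))
    # Same attack with the SCSV: the server sees a fallback below its
    # maximum and aborts with inappropriate_fallback.
    print(client_connect(TLS12, use_scsv=True, drop_above=TLS10))
    # Legacy server that really only speaks TLS 1.0: first attempt succeeds,
    # no SCSV is ever sent, no false alert.
    print(client_connect(TLS10, use_scsv=True))
```

The last case is the limitation the quoted RFC text points at: the SCSV only helps when the fallback reaches a server that implements the check. Against a genuinely version-intolerant legacy server (server_scsv_aware=False) the value is ignored, and the client still pays the connection-failure retries that proper version negotiation would avoid.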
