The ROBOT Attack

For the more technical/geeky chat subjects!

Moderator: satrow

dark_moon

The ROBOT Attack

Unread postby dark_moon » Thu, 14 Dec 2017, 21:53

ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.

https://robotattack.org/

Result for Pale Moon sites:
forum.palemoon.png
https://robotattack.org/check/?h=forum.palemoon.org
palemoon.org.png
https://robotattack.org/check/?h=palemoon.org
www.palemoon.org.png
https://robotattack.org/check/?h=www.palemoon.org


So the Pale Moon website have perfect protection, but not the forum. Fix:
Disable RSA encryption!

ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.

By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack.

Based on some preliminary data we also believe the compatibility costs of disabling RSA encryption modes are relatively low. Cloudflare shared with us that around one percent of their connections use the RSA encryption modes. Disabling these modes on the HTTPS server operated by one of the authors caused no notable problems.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 22406
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E
Contact:

Re: The ROBOT Attack

Unread postby Moonchild » Fri, 15 Dec 2017, 07:01

What part of "not vulnerable" isn't clear? OpenSSL (and therefore nginx) isn't affected.
Also, RSA isn't encryption, it's the key exchange to initiate encryption; those are 2 entirely different things.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne


Return to “Technical chat”

Who is online

Users browsing this forum: No registered users and 3 guests