The ROBOT Attack

General discussion and chat (archived)
dark_moon

The ROBOT Attack

Unread post by dark_moon » 2017-12-14, 21:53

ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.

https://robotattack.org/

Result for Pale Moon sites:
https://robotattack.org/check/?h=forum.palemoon.org
https://robotattack.org/check/?h=forum.palemoon.org
https://robotattack.org/check/?h=palemoon.org
https://robotattack.org/check/?h=palemoon.org
https://robotattack.org/check/?h=www.palemoon.org
https://robotattack.org/check/?h=www.palemoon.org
So the Pale Moon website have perfect protection, but not the forum. Fix:
Disable RSA encryption!

ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.

By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack.

Based on some preliminary data we also believe the compatibility costs of disabling RSA encryption modes are relatively low. Cloudflare shared with us that around one percent of their connections use the RSA encryption modes. Disabling these modes on the HTTPS server operated by one of the authors caused no notable problems.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: The ROBOT Attack

Unread post by Moonchild » 2017-12-15, 07:01

What part of "not vulnerable" isn't clear? OpenSSL (and therefore nginx) isn't affected.
Also, RSA isn't encryption, it's the key exchange to initiate encryption; those are 2 entirely different things.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Locked