I. Understanding TLS Vulnerabilities
Some TLS flaws can be exploited remotely, but practical exploitation of many of them requires network access, both to capture the ciphertext and to inject data. Since 2011 a number of flaws have been found in SSL and TLS, such as BEAST, CRIME, BREACH, and POODLE. Exploiting these vulnerabilities often requires the following:
- The victim browser to execute a malicious agent (e.g., JavaScript)
- Network access to monitor the ciphertext generated by the victim
- A communication channel to the agent to modify the plaintext
II. Exploitation Flaws
Defects affecting SSL and TLS fall into two categories:
- Protocol weaknesses (for example: SSL 3.0, TLS 1.0)
- Vulnerabilities within particular implementations (e.g., OpenSSL 1.0.1g Heartbleed)
Let's take a look at the weaknesses in the SSL and TLS protocols.
1. DROWN (CVE-2016-0800)
An SSL 2.0 padding oracle attack resulting in RSA private key exposure.
2. LOGJAM (CVE-2015-4000)
Systems supporting DHE with group sizes below 1,024 bits are vulnerable to a man-in-the-middle (MITM) attack in which a weak group is forced and the encryption is then attacked to reveal the plaintext.
3. POODLE (CVE-2014-3566)
SSL 3.0 using CBC (Cipher Block Chaining) mode is vulnerable to a padding oracle attack. Exploitation requires network access, along with JavaScript run by the victim browser to generate traffic (performing a chosen-plaintext and chosen-boundary attack). A padding oracle within the CBC decryption mechanism is used to reveal a secret (session token) upon modifying plaintext via the JavaScript agent.
4. BEAST (CVE-2011-3389)
TLS 1.0 generates predictable IV values when using CBC mode ciphers. It is possible to deduce secrets through a blockwise chosen-boundary attack, by injecting an agent into a victim's browser and monitoring the ciphertext.
5. CRIME (CVE-2012-4929)
Servers running TLS 1.2 and prior that support compression are vulnerable to attack via CRIME. Practical exploitation requires network access, along with JavaScript run by the victim browser to generate ciphertext.
6. BREACH (CVE-2013-3587)
Web applications that use HTTP compression and reflect static secrets (e.g., session tokens) to clients via HTML can be targeted through BREACH. The exploitation is similar to CRIME.
7. Insecure renegotiation (CVE-2009-3555)
TLS endpoints might support insecure renegotiation, making it possible for an attacker with network access to prefix legitimate session traffic from a client to a server with traffic of their own (e.g., a malicious HTTP request). Depending on the configuration of the application, this can result in an HTTPS to HTTP downgrade or in malicious commands being processed.
III. TLS Security Flaws Mitigation
The following table lists some of the common TLS vulnerabilities and their associated mitigations.
| Attack | Mitigation |
|---|---|
| Logjam | Enforce DH group sizes of 1,024 bits and above |
| POODLE | Disable support for SSL 3.0 |
| BEAST | Enforce TLS 1.1 and higher |
| CRIME | Disable TLS compression |
| BREACH and TIME | Disable HTTP compression |
| Lucky 13 | Disable CBC ciphers if your server implementation is flawed |
| RC4 byte biases | Disable support for RC4 cipher suites |
| FREAK | Disable support for weak export-grade ciphers |
| Insecure renegotiation; insecure fallback; DH parameter tampering; implementation flaws | Upgrade both server and client software to current versions |
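The rows of the table applied to a Python server-side SSLContext, as an added example that is not part of the original article: `hardened_server_context` turns each mitigation into a setting, `legacy_server_context` is a constructed contrast with the mitigations undone, and `audit_context` reports which of the table's attacks a context is still exposed to. The function names, the cipher string and the marker-to-attack mapping are this example's own choices; the DH parameter file (Logjam) is assumed to be generated separately.

```python
import ssl

# Substrings in OpenSSL cipher-suite names that the table tells us to avoid:
# "RC4" for the RC4 byte-bias row and "EXP" (export-grade suites) for FREAK.
DISALLOWED_CIPHER_MARKERS = {"RC4": "RC4 byte biases", "EXP": "FREAK"}
# Only present in Python 3.7+ built against OpenSSL 1.1.0h or later.
NO_RENEGOTIATION = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def hardened_server_context(dh_params_path=None):
    """Server-side SSLContext with the table's mitigations applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # POODLE and BEAST: no SSL 3.0 and no TLS 1.0; TLS 1.2 is used as the floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CRIME: TLS-level compression off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Insecure renegotiation: refuse renegotiation where the OpenSSL build allows it.
    ctx.options |= NO_RENEGOTIATION
    # RC4 byte biases and FREAK: forward-secret AEAD suites only, weak families excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!EXP:!DES")
    # Logjam: the DHE group size is fixed by the parameter file (assumed generated at 2048+ bits).
    if dh_params_path:
        ctx.load_dh_params(dh_params_path)
    return ctx


def legacy_server_context():
    """Constructed for contrast only: a context with those mitigations undone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED       # no protocol floor at all
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)  # TLS compression allowed
    return ctx


def audit_context(ctx):
    """Return the names of the table's attacks that a context is still exposed to."""
    exposed = []
    floor = ctx.minimum_version
    if floor <= ssl.TLSVersion.SSLv3:          # MINIMUM_SUPPORTED sorts below SSLv3
        exposed.append("POODLE")
    if floor < ssl.TLSVersion.TLSv1_1:
        exposed.append("BEAST")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        exposed.append("CRIME")
    if NO_RENEGOTIATION and not ctx.options & NO_RENEGOTIATION:
        exposed.append("Insecure renegotiation")
    names = [suite["name"] for suite in ctx.get_ciphers()]
    for marker, attack in DISALLOWED_CIPHER_MARKERS.items():
        if any(marker in name for name in names):
            exposed.append(attack)
    return exposed


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()))   # []
    print("legacy:  ", audit_context(legacy_server_context()))
```

The HTTP-level rows (BREACH and TIME) are not visible to the TLS layer and have to be checked in the web server or application configuration instead.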