Hardening SSL/TLS: Common Certificate Issues

Published: 04 July 2023    Last Updated: 05 July 2023

I recently wrote a quick start guide to hardening SSL/TLS configurations, to help people to better understand all the different aspects of securing their transport layer security configuration – however, during that article I skipped over a big section: SSL Certificates.

In this article, we’ll focus on the certificates themselves and the impact of common certificate issues. It’s also worth noting that whilst they’re commonly called “SSL Certificates”, we learned in the last article that of course all versions of SSL should be disabled, since we know SSL was deprecated in 2015 and is “comprehensively broken”.

Therefore, if you prefer the term “TLS Certificate”, or even the technically more accurate “X.509 Certificate”, then that’s great – but you’ll rarely see the latter term used outside of technical documentation; it seems “SSL Certificate” has stuck as the common term.


Hardening SSL/TLS: Common SSL Security Issues

Published: 03 July 2023    Last Updated: 05 July 2023

Secure Sockets Layer (SSL) was a protocol designed to protect network traffic in transit; however, it was superseded by Transport Layer Security (TLS) in 1999. These protocols are well-known for protecting web traffic with HTTPS. However, they can be used to protect lots of different kinds of traffic: for example, they can also be used to protect email traffic, instant messaging, and more.


Sweet32

Published: 27 October 2022    Last Updated: 03 November 2022

Sweet32 describes a birthday attack on 64-bit block ciphers. This attack has been demonstrated against both 3DES and Blowfish, in both VPN and HTTPS traffic. This attack allows an attacker who can perform an interception attack to decrypt small amounts of ciphertext, such as session tokens and other sensitive cookie values.


Padding Oracle On Downgraded Legacy Encryption (POODLE)

Published: 25 October 2022    Last Updated: 03 November 2022

Padding Oracle On Downgraded Legacy Encryption (POODLE) is an attack against SSLv3.0. It exploits two aspects of SSLv3.0. The first aspect involves an attacker performing an interception attack and modifying network traffic between a client and server, downgrading the connection to SSLv3.0. The second aspect is a padding oracle issue with block ciphers in cipher-block chaining mode in SSLv3.0, which allows an attacker to decrypt small amounts of ciphertext within messages, such as session tokens and confidential cookie values.


CBC-mode Ciphers

Published: 25 October 2022    Last Updated: 03 November 2022

The use of Cipher Block Chaining (CBC) mode ciphers is “discouraged”. This term is used as these cipher suites have not been formally deprecated but have effectively been superseded. For example, later versions of Transport Layer Security support more secure cipher mode options such as Galois/Counter Mode (GCM) ciphers. Additionally, CBC-mode ciphers have had a series of vulnerabilities such as Lucky13, Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL, and Sleeping POODLE.


Lucky 13

Published: 25 October 2022    Last Updated: 05 July 2023

Lucky 13 is a padding oracle vulnerability against CBC-mode ciphers in TLS that utilises a timing side-channel. This issue is due to a flaw within the SSL/TLS specification and is not implementation specific; however, implementations may be able to harden against this issue and prevent exploitation by removing the timing side-channel.


Browser Exploit Against SSL/TLS (BEAST)

Published: 21 October 2022    Last Updated: 05 July 2023

BEAST is an attack that exploits several weaknesses within Transport Layer Security (TLS) 1.0 and older SSL protocols when using a CBC-mode cipher. The flaw is not strictly within the Transport Layer Security protocol itself, but is instead a known issue with Cipher Block Chaining (CBC).


Compression Ratio Info-leak Made Easy (CRIME)

Published: 21 October 2022    Last Updated: 03 November 2022

Compression Ratio Info-leak Made Easy (CRIME) is a vulnerability in the compression used in Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It also affects Google’s HTTP-like protocol SPDY. It requires an attacker to perform an interception attack, but if successful could allow for the decryption of session tokens and other sensitive cookie values. The attack was demonstrated as practical in 2012.


Decrypting RSA with Obsolete and Weakened Encryption (DROWN)

Published: 21 October 2022    Last Updated: 05 July 2023

Decrypting RSA with Obsolete and Weakened Encryption (DROWN) is a vulnerability in servers that support Secure Sockets Layer (SSL) version 2.0. It is a form of cross-platform Bleichenbacher padding oracle attack and would allow a threat actor that is able to perform an interception attack to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key.


Return of Bleichenbacher’s Oracle Threat (ROBOT)

Published: 21 October 2022    Last Updated: 05 July 2023

Return of Bleichenbacher’s Oracle Threat (ROBOT) is a padding oracle vulnerability that allows a threat actor to illegitimately perform RSA decryption and signing operations with the private key of a TLS server. The attack would allow an attacker to intercept communications and later decrypt them.


Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext (BREACH)

Published: 21 October 2022    Last Updated: 03 November 2022

Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext (BREACH) is a vulnerability similar in nature to CRIME, but where CRIME affected TLS/SPDY compression, BREACH affects HTTP compression. Where an application supports HTTP compression, reflects user input within response bodies, and includes confidential information in that body, such as a CSRF token, it may be affected by BREACH. This attack was demonstrated as practical in 2013.


RC4 NOMORE

Published: 21 October 2022    Last Updated: 03 November 2022

An attack against RC4 was demonstrated in 2015. This attack affects the use of RC4 in several protocols, including within Transport Layer Security (TLS) as used by web browsers and web applications, but also within WPA-TKIP as used by wireless networks. This weakness in RC4, when applied to TLS, can allow an attacker to decrypt a small amount of repeated content, such as a session token or other sensitive cookie values.


Factoring RSA Export Keys (FREAK)

Published: 21 October 2022    Last Updated: 05 July 2023

Factoring RSA Export Keys (FREAK) is an attack against “export cipher suites”, which are cipher suites that have intentionally limited security due to prior regulation within the United States. This regulation placed restrictions on the strength of encryption algorithms used in software for exportation. This attack was demonstrated in 2015 and can allow a threat actor who is able to perform an interception attack against HTTPS traffic to decrypt message contents.
