SLOTH, attack on TLS using MD5
Giving a talk late last year I was asked what some of my predictions were for 2016. One of the ones we talked about was further issues with TLS and the various algorithms used to provide a protocol that lies at the heart of e-commerce. Well looks like I got my wish, although you could argue that it was last year as a 2015 CVE number was assigned, however made public this week. (Thanks Rich for the heads up)
Two researchers at miTLS (www.mitls.org, Karthikeyan Bhargavan, Gaëtan Leurent) have been working away at looking at issues with the protocol and have identified a challenge with TLS 1.2, if it still uses MD5 (https://www.mitls.org/pages/attacks/SLOTH#introduction). Their attack dubbed SLOTH has identified a weakness that if RSA-MD5, or ECDSA-MD5 if used it significantly weakens the protocol and allows impersonation, credential forwarding and downgrade attacks. Unlike your more traditional MitM attacks this would not provide users with a warning. Currently, reading in the paper, real time attacks are not practical, but it is just a matter of having a large enough computer.
The core of the issue is again MD5. Back in 2005 it was shown that collisions were possible and yet for core security functions we still use it (think IPSec, TLS, ...). This research has convinced the TLS working party to remove MD5 from TLS 1.3. The recommendation is to consider removing RSA-MD5 and ECDSA-MD5 from your allowed algorithms stack for your web servers. OpenSSL RHEL and others have release updates to address this issue.
For the details have a read of the paper here.
Mark H - Shearwater
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago