back to article I, Robot? Aiiiee, ROBOT! RSA TLS crypto attack pwns Facebook, PayPal, 27 of 100 top domains

A 19-year-old vulnerability in the TLS network security protocol has been found in the software of at least eight IT vendors and open-source projects – and the bug could allow an attacker to decrypt encrypted communications. Identified by security researchers Hanno Böck, Juraj Somorovsky of Ruhr-Universität Bochum/Hackmanit, …

  1. IneptAdept

    So..... People Using Libraries Are Liable To Get Pwned

    So once again, we see groups / people / companies that are using off the shelf OSS or CSS are getting hit by the same.

    OSS works great when people put back in what they take, not so much when they dont...

    This is just one of many f*ckeries that has happened of late, and I despair

    *It's turtles all the way down*

    1. iron Silver badge

      Re: So..... People Using Libraries Are Liable To Get Pwned

      "OSS works great when people put back in what they take, not so much when they dont..."

      I don't think that every user of say OpenSSL contributing to the code is a good idea. For a start many of them do not know how to program, even among those who do most will not know how to write encryption software without introducing more holes than a colander made of Swiss cheese. I'd rather the few users with appropriate domain knowledge contribute than every user.

      1. bombastic bob Silver badge
        Facepalm

        Re: So..... People Using Libraries Are Liable To Get Pwned

        "For a start many of them do not know how to program"

        ack - I once had someone submit a patch to a simple stand-alone C language utility that consisted of badly written "unelegant" code and (worse) GLOBAL VARIABLES (rather than using function parameters).

        I didn't even bother testing it, and wrote something better myself that implemented an equivalent functionality.

        so, yeah.

        icon, because, facepalm "everyone thinks he can code"

    2. ibmalone Silver badge

      Re: So..... People Using Libraries Are Liable To Get Pwned

      There's nothing in the article or the exploit page to say this is comes from a specific library, OSS or not. It appears to be a problem with the protocol itself that independent implementations have all failed to address correctly. The article specifically mentions that vendor supplied software running popular websites is disproportionately affected and facebook's problem came from their own changes to OpenSSL. OpenSSL is not currently listed as affected either, though that could still be because a fix is in progress.

      1. Michael Wojcik Silver badge

        Re: So..... People Using Libraries Are Liable To Get Pwned

        There's nothing in the article or the exploit page to say this is comes from a specific library, OSS or not.

        Indeed, it does not.

        I was one of the folks who had early, embargoed knowledge of ROBOT, and tested some TLS implementations for it (using Böck's Python client, now available on the ROBOT site). Like other Bleichenbacher variants, it's due to the sort of error that's easy to make, and thus can easily appear in independent implementations.

        Specifically, the ROBOT oracle is how a server responds to various sorts of malformed messages. When the responses to different malformed messages also differ (in a "useful" way, which I'm not going to try to define here), that leaks some information about the server's RSA private key.[1] By varying the messages you leak different bits. It's pretty easy to determine just how much information is being leaked, so you can tell how many messages would be required to get enough of the key to brute-force the remainder. And that tells you whether an attack is feasible at a given technology-and-money point.

        There are a lot of failure paths in RSA key exchange, so it's not hard to see why an implementation might not do exactly the same thing on all of them. This makes RSA Kx fragile, as the ROBOT page (and the article) points out. So removing it, or at least preferring DH/ECDH (preferably their ephemeral variants) suites, is a good option.

        This can also be seen as a variation of Moxie Marlinspike's Cryptographic Doom Principle: If you don't validate the message as the very first thing you do, you're going to be sorry. Marlinspike was specifically talking about verifying the MAC, but ensuring the message is well-formed also applies.

        Vulnerable ROBOT implementations are written in a variety of languages. Some are relatively old and some quite new. Some are proprietary closed source, and others are open. Some are embedded in appliances, and those are going to be the ones to look out for.

        [1] Which is why this attack only applies if the connection is using RSA key exchange. It doesn't work against signing, only against encryption, so it's not a problem if the connection uses DH or ECDH key exchange, as the article mentions at the end.

    3. Tomato42 Silver badge

      Re: So..... People Using Libraries Are Liable To Get Pwned

      Neither of OpenSSL (or clones of it), GnuTLS or NSS are vulnerable. So exactly what part of OSS is failing?

      The one that little-used and niche libraries are not tested as well (likely because they are understaffed) as OpenSSL is?

  2. art guerrilla

    so, 'trust, yet verify' doesn't work either ? ? ?

    certainly this was the one and onliest major bug that s/w systems have; absolutely i trust nerdbotz motivated by dollar signs in their eyes to look after my best interests; surely no one lets major vulnerabilities languish for decades due to disinterest, forgetfulness, and laziness; without a doubt i have no qualms of my whole pitiful life being laid bare to these greedtards who don't give a shit...

    .

    exactly why i am hereby predicting the imminent rise of neo-luddites... and i will be in line... getting to the poi9nt that virtually NONE of this computer crap is ACTUALLY serving US and adapting to US; but WE must adapt to what 'the computer' wants... tail wagging dog much ? ? ?

    1. Tomato42 Silver badge

      Re: so, 'trust, yet verify' doesn't work either ? ? ?

      amanfrommars is that you?

  3. DJV Silver badge
    Alert

    Bad robot!

    "the researchers have dubbed the bad code ROBOT"

    https://www.youtube.com/watch?v=W7Brd1F1dQc

  4. EnviableOne Bronze badge

    Glad I Required our guys to Use TLS_DHE a while back

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019