
Importance of TLS 1.3: Vulnerabilities in older versions of SSL/TLS

Web servers that support deprecated SSL/TLS versions and weak cipher suites are inviting trouble from network attacks.

TLS 1.2 works just fine. But the emerging concern is the overall level of security it provides.

It's still flawed even after years of patching and revisions. TLS 1.3, on the other hand, is proven to be more secure and efficient.

The following are some common vulnerabilities in older versions of SSL/TLS:

POODLE ATTACK

In the POODLE attack, an active MITM attacker can force a browser to downgrade the session to SSLv3, which can then be exploited.

The vulnerability affects TLS implementations that don't properly check the structure of the padding used in TLS packets.

FREAK ATTACK

Factoring Attack on RSA-EXPORT Keys (FREAK) is an SSL/TLS vulnerability that can allow an attacker to decrypt secure communications between vulnerable clients and servers.

SWEET32: BIRTHDAY ATTACK

The SWEET32 attack exploits block collisions in SSL/TLS cipher suites that use 64-bit block ciphers. When these ciphers are used in CBC mode, the collisions can be used to extract plaintext from the encrypted data.

BLEICHENBACHER WITH THE ROBOT ATTACK

This vulnerability allows an attacker to gain the RSA key necessary to decrypt TLS traffic under some specific conditions.

An attacker can exploit this vulnerability by sending crafted TLS messages to the device, which would act as an oracle and allow the attacker to carry out a chosen-ciphertext attack.

BEAST ATTACK

The BEAST attack exploits a weakness in SSL/TLS cipher-block chaining (CBC). It allows a man-in-the-middle attacker to recover certain session information.

CRIME ATTACK

CRIME is a security exploit against secret web cookies over connections using the HTTPS and SPDY protocols that also use data compression.

BREACH ATTACK

BREACH attacks HTTP responses that are compressed using common HTTP compression, otherwise known as content encoding, which is much more common than TLS-level compression.

We recently covered more on each vulnerability and how you can avoid them in a blog post.
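As an added example (not part of the original post), the Python code below maps a server's enabled protocol versions and IANA cipher suite names to the attacks listed above whose preconditions it still offers. The `audit` function, the dictionary field names and both sample configurations are constructed for illustration; a finding marks exposure to review, not a confirmed vulnerability.

```python
import re

# 64-bit block ciphers in CBC mode, as spelled in IANA cipher suite names.
BLOCK64_CBC = re.compile(r"_(3DES_EDE|DES|DES40|IDEA|RC2)_CBC")
LEGACY_CBC_PROTOCOLS = {"SSLv3", "TLSv1.0"}  # versions BEAST applies to


def audit(server):
    """Return {attack: [reasons]} for the preconditions this server offers."""
    protocols = set(server["protocols"])
    findings = {}

    def flag(attack, reason):
        findings.setdefault(attack, []).append(reason)

    if "SSLv3" in protocols:
        flag("POODLE", "SSLv3 enabled")
    for suite in server["cipher_suites"]:
        if suite.startswith("TLS_RSA_EXPORT_"):
            flag("FREAK", suite)      # export-grade RSA key exchange
        if BLOCK64_CBC.search(suite):
            flag("SWEET32", suite)    # 64-bit block cipher in CBC mode
        if suite.startswith("TLS_RSA_"):
            flag("ROBOT", suite)      # static RSA key exchange is the oracle surface
        if "_CBC_" in suite and protocols & LEGACY_CBC_PROTOCOLS:
            flag("BEAST", suite)      # CBC under SSLv3 / TLS 1.0
    if server.get("tls_compression"):
        flag("CRIME", "TLS-level compression enabled")
    if server.get("http_compression"):
        flag("BREACH", "HTTP response compression enabled")
    return findings


# Constructed scan results, not taken from a real host.
LEGACY = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "cipher_suites": ["TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
                      "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "tls_compression": True,
    "http_compression": True,
}
TLS13_ONLY = {
    "protocols": ["TLSv1.3"],
    "cipher_suites": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"],
    "tls_compression": False,
    "http_compression": True,  # set at the HTTP layer, independent of TLS version
}

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("tls1.3-only", TLS13_ONLY)):
        print(name, audit(cfg))
```

The TLS 1.3-only configuration still reports BREACH because HTTP content encoding is configured above the TLS layer, so it needs its own mitigation.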

Posted to Developers on July 11, 2020