On this page
article
SSL/TLS Vulnerability Cheat Sheet
Vulnerable SSL/TLS Versions
| Issue | Severity | Attack pre-requisites | Impact | Description | References |
|---|---|---|---|---|---|
| SSLv2 | Medium | MITM | Exposure and tampering in real-time | First released version of SSL that does not protect against MITM. | |
| Also susceptible to Bleichenbacher ‘98 (see BB98) attack to encrypt and | |||||
| decrypt data with server’s RSA private key. | |||||
| SSLv3 | Low | BEASTly, CBC | Decryption of data | POODLE attack, allows decryption of data through a padding oracle | |
| attack. BEAST, allows decryption of data through a padding oracle | |||||
| attack. Requires BEASTly attack model. | |||||
| TLSv1.0 | Low | BEASTly, CBC | Decryption of data | see BEAST | |
| DROWN | Medium | Adjacent network, RSA, key reuse across TLS versions | Decryption of data | BB98, as applied to SSLv2, to recover session keys encrypted with | |
| the server’s RSA private key, can be used in conjunction with key reuse | |||||
| across different available versions of SSL/TLS to recover session keys | |||||
| from captured sessions and decrypt application data. | https://drownattack.com/ |
Vulnerable cipher suites
| Issue | Severity | Attack pre-requisites | Impact | Description | References |
|---|---|---|---|---|---|
| NULL | High | Adjacent network | Exposure and tampering in real-time | No encryption. Should only be enabled in testing. Disables encryption and integrity entirely. | |
| EXPORT | High | Adjacent network | Exposure and tampering in real-time | Intentionally weakened ciphers that only provide 40 bits of | |
| security. With specialized hardware, real-time cracking may be possible, | |||||
| so long-lived sessions may be MITM’d invisibly. These ciphers are | |||||
| sometimes exploitable even if the client does not support or choose | |||||
| EXPORT-grade ciphers due to the nature of the algorithms themselves. | |||||
| (see FREAK, Logjam) | https://www.mitls.org/pages/attacks/SMACK#freak, https://weakdh.org/ | ||||
| DES | High | Adjacent network | Decryption of data, but not in real time. | Old cipher with small key size designed at a time when computing | |
| resources weren’t enough to brute force DES keys efficiently. Can be | |||||
| brute forced in roughly a week with a machine costing $10,000. | http://www.sciengines.com/copacobana/ | ||||
| RC4 | Low | BEASTly | Partial decryption of data. | Known serious biases in keystream output can be used to decrypt | |
| data, and given enough data, recover encryption keys. The IETF has | |||||
| prohibited the use of RC4 in any standards-compliant version of TLS, and | |||||
| Mozilla and Microsoft have recommended against any use of RC4. | https://en.wikipedia.org/wiki/RC4#Security | ||||
| 3DES/DES-CBC3/DES-EDE/Triple DES | Low | BEASTly, Old server version, Large amounts of data | Partial decryption of data. | Meet-in-the-middle attack reduces effective key strength to slightly above 112 bits. (see also SWEET32) | https://sweet32.info/ |
| Blowfish | Low | BEASTly, Old server version, CBC, Large amounts of data | Decryption of pseudo-random blocks of data. | See SWEET32. | |
| MD5 | Info | Theoretical | Tampering | MD5 has significant known collision weaknesses, with further advances HMAC-MD5 may be exploitable. | https://www.win.tue.nl/hashclash/ |
| SHA-1 / SHA | Info | Theoretical | Tampering | SHA-1 has known collision weaknesses, with further advances HMAC-SHA may be exploitable. | https://shattered.io/ |
| Anonymous DH/ECDH | Medium | MITM | Decryption and tampering in real time | Anonymous Diffie-Hellman and its elliptic curve variant is | |
| susceptible to a MITM attack that allows an attacker to establish an | |||||
| encrypted channel with both sides of the conversation and observe and | |||||
| modify traffic invisibly and in real time. | |||||
| SWEET32 | Low | BEASTly, Old server version, CBC, Large amounts of data | Decryption of pseudo-random blocks of data. | Random collisions in encrypted block values plus known plaintext for | |
| one of the two colliding blocks results in decryption of the other, | |||||
| requires hundreds of gigabytes of data for reasonable chance of success, | |||||
| plus large amounts of attacker-provided data. | https://sweet32.info/ |
Certificate issues
| Issue | Severity | Attack pre-requisites | Impact | Description | References |
|---|---|---|---|---|---|
| Self-signed certificate / Untrusted issuer | Medium | Client/user acceptance, MITM | Decryption and tampering in real-time | The certificate is not signed by an entity in any known trust store. | |
| There is no way to validate that the signing authority is valid. see | |||||
| User SSL/TLS Warnings. | |||||
| Certificate subject mismatch | Medium | Client/user acceptance, MITM | Decryption and tampering in real-time | The certificate is not valid for the subject it is being used to protect. see User SSL/TLS Warnings. | |
| Weak signature algorithm | Medium | Client/user acceptance, MITM | Decryption and tampering in real-time | The certificate uses a known weak signing algorithm such as MD5 or | |
| SHA-1 in its digital signature. Successful bait-and-switch attacks | |||||
| against signing authorities have been demonstrated to generate | |||||
| intermediate Certificate Authorities, compromising the chain of trust | |||||
| and therefore, all SSL/TLS traffic. | https://tools.ietf.org/id/draft-ietf-tls-md5-sha1-deprecate-00.html | ||||
| Revoked certificate | Medium | Client/user acceptance, MITM | Decryption and tampering in real-time | A certificate in the chain of trust was revoked, and can no longer be trusted. see User SSL/TLS Warnings. | |
| Debian faulty PRNG key | High | Adjacent network | Decryption and tampering in real-time | The key used in the certificate was generated with a version of | |
| Debian known to have serious vulnerabilities in its PRNG. Since only | |||||
| 65535 possible keys can be generated with such a PRNG, it is possible to | |||||
| keep a library of all possible key pairs, identify the key pair based | |||||
| on the server’s presented public key, and decrypt and modify all traffic | |||||
| in real-time using the corresponding private key. | https://lists.debian.org/debian-security-announce/2008/msg00152.html | ||||
| Expired certificate | Low | Client/user acceptance | Decryption and tampering in real-time | The certificate has passed its validity period and can no longer be | |
| trusted. Validity period for certificates attempt to limit the time | |||||
| attackers can spend trying to brute force a private key. see User | |||||
| SSL/TLS Warnings. | |||||
| 1024-bit RSA key | Low | Adjacent network, significant resources | Decryption and tampering in real-time | The certificate has a 1024-bit modulus. Given nation-state or | |
| organized crime level resources, a single 1024-bit public key could be | |||||
| factored to recover the private key in a short enough time to present a | |||||
| practical threat, as of this writing. Over time, as computing power | |||||
| grows, the feasibility of this attack will only grow. | |||||
| 768-bit or lower RSA key | High | Adjacent network | Decryption and tampering in real-time | The certificate has a 768-bit modulus, or smaller. This is small | |
| enough to allow an attacker to factor the modulus and recover the | |||||
| private key using off-the-shelf hardware for a modest price. |
Implementation-specific vulnerabilities
| Issue | Severity | Attack pre-requisites | Impact | Description | References |
|---|---|---|---|---|---|
| HeartBleed | Critical | Old server version | Disclosure of server memory. | Exploits buffer overread in heartbeat TLS extension to read out | |
| server memory adjacent to buffer, often revealing request/response data | |||||
| or even private key material if server has just been restarted. | https://heartbleed.com/ | ||||
| Lucky 13 | Low | BEASTly, Old server version, CBC | Partial decryption of data. | Exploits timing issue in MAC verification of certain vulnerable implementations to decrypt certain parts of encrypted data. | |
| ROBOT | Medium | Old server version, Adjacent network, RSA | Encryption and decryption with server RSA private key | A small variation on Bleichenbacher’s 1998 attack on RSA enables attacks on vulnerable TLS implementations. (see BB98) | https://robotattack.org/ |
| OpenSSL CCS Injection | Medium | Old server version, MITM | Decryption and tampering in real-time | The ChangeCipherSpec (CCS) message in the TLS handshake causes keys | |
| to be finalized. This should only occur once key material has been fully | |||||
| exchanged, but old versions of OpenSSL did not properly ensure this was | |||||
| the case. An attacker can cause keys to be generated using only public | |||||
| material by injecting CCS messages into TLS handshakes prematurely, then | |||||
| decrypt and modify traffic using the keys, which can be generated due | |||||
| to knowledge of the public key material used to generate them. | https://www.imperialviolet.org/2014/06/05/earlyccs.html |
Configuration issues
| Issue | Severity | Attack pre-requisites | Impact | Description | References |
|---|---|---|---|---|---|
| CRIME | Medium | BEASTly, Old client version | Decryption of request data. | Compression oracle attack, applied to compressed and then encrypted | |
| HTTP requests where an attacker can obtain the encrypted data and | |||||
| measure its length. (see Compression Oracle) | |||||
| TIME | Low | BEASTly, Old client version | Decryption of request data. | CRIME, but based on timing side channel. (see Compression Oracle, CRIME) | |
| BREACH | Low | BEASTly, Old server version | Decryption of response data. | Compression oracle attack, applied to compressed and then encrypted | |
| HTTP responses. If an attacker using the BEASTly attack model against an | |||||
| application that reflects user input, the response data can be | |||||
| recovered. (see Compression Oracle) | |||||
| No TLS_FALLBACK_SCSV | Low | MITM, other vulns | Downgrade | Newer versions of SSL/TLS prevent an attacker from modifying the | |
| list of supported algorithms being sent by the server and client to | |||||
| force the use of the weakest possible algorithm. However, without the | |||||
| TLS_FALLBACK_SCSV extension, an attacker can force a downgrade to the | |||||
| weakest version of SSL/TLS supported by the client and server. | |||||
| Insecure renegotiation | Medium | MITM, Old server version, Old client version | Tampering. | An attacker can start a TLS session, sending some data, and then | |
| initiating a renegotiation when a client connects through a MITM channel | |||||
| to stitch the legitimate client into the connection, prepending | |||||
| arbitrary data to the request. |
| Bit strength | Difficulty | Real-world example |
|---|---|---|
| 32 | Billy tries all keys in four seconds. | A key was chosen poorly using only 32 effective bits of entropy |
| 40 | Billy tries all keys in 18 minutes. | Normal strength of EXPORT ciphers |
| 56 | Billy tries all keys in 13 days. | DES |
| 64 | Billy tries all keys in 9.7 years. | Maximum strength of EXPORT ciphers |
| 112 | One billion Billies working together (a giga-Billy) try all keys in 164.6 million years. | 3DES, after applying Meet-in-the-Middle attack |
| 128 | One billion giga-Billies working together (an exa-Billy) try all keys in 10,790 years. | AES-128 |
| 192 | An exa-Billy tries all keys in 199 sextillion years. | AES-192, or the expected (but not actual) strength of 3DES |
| 256 | An exa-exa-Billy (one billion billion exa-Billies) tries all keys in 3.7 septillion years. | AES-256 |
Last updated 26 Apr 2024, 15:18 +0530 .