Sangtae Lee
ABSTRACT
Transport Layer Security (TLS) protocol is often vulnerable to version downgrade attacks, where a man-in-the-middle attacker interferes with the handshake protocol and leads the communicating parties to fall back from a higher version of TLS to lower ones, which are typically provided for backward compatibility.
In order to thwart the downgrade attack, several defense mechanisms are adopted in most of the recent TLS versions. However, there have not been many studies on analyzing what conditions are needed to guarantee the theoretical security, and understanding how they are implemented in practice in the era of TLS 1.3.
To understand the current deployment of downgrade protection mechanisms and their security in the real world, in this paper, we investigated ten major web browsers in five operating systems with diverse implementation conditions of TLS clients and servers.
As a result, we identified that two network stacks of Microsoft and Apple are vulnerable to downgrade attacks. We then demonstrate TLS sessions can be downgraded from TLS 1.3 to 1.0 by exploiting the vulnerability. Drawing on our experiment, we analyze the root cause for the vulnerability, and present several mitigation strategies.
Supplemental Material
- David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, et al. 2015. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 5--17.Google Scholar
Digital Library
- Eman Salem Alashwali and Kasper Rasmussen. 2018. What's in a downgrade? A taxonomy of downgrade attacks in the TLS protocol and application protocols using TLS. In International Conference on Security and Privacy in Communication Systems. Springer, 468--487.Google ScholarCross Ref
- Johanna Amann, Oliver Gasser, Quirin Scheitle, Lexi Brent, Georg Carle, and Ralph Holz. 2017. Mission accomplished?: HTTPS security after diginotar. In Proceedings of the 2017 Internet Measurement Conference. ACM, 325--340.Google ScholarDigital Library
- Lucia Ballard and Simon Cooper. 2016. What's New in Security. https://developer.apple.com/videos/play/wwdc2016/706/.Google Scholar
- David Benjamin. 2015. Remove insecure TLS version fallback. https://www.chromestatus.com/feature/5685183936200704.Google Scholar
- David Benjamin. 2016. Applying grease to tls extensibility. IETF Draft (2016).Google Scholar
- David Benjamin. 2016. [TLS] Version negotiation, take two. https://mailarchive.ietf.org/arch/msg/tls/hd-QpaRaEojL9RItZfiCyN8TgCc.Google Scholar
- David Benjamin. 2018. Modernizing Transport Security. https://security.googleblog.com/2018/10/modernizing-transport-security.html.Google Scholar
- Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, and Jean Karim Zinzindohoue. 2015. A messy state of the union: Taming the composite state machines of TLS. In 2015 IEEE Symposium on Security and Privacy. IEEE, 535--552.Google ScholarDigital Library
- Karthikeyan Bhargavan, Christina Brzuska, Cédric Fournet, Matthew Green, Markulf Kohlweiss, and Santiago Zanella-Béguelin. 2016. Downgrade resilience in key-exchange protocols. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 506--525.Google ScholarCross Ref
- Karthikeyan Bhargavan and Gaëtan Leurent. 2016. Transcript collision attacks: Breaking authentication in TLS, IKE, and SSH.Google Scholar
- Hanno Böck, Juraj Somorovsky, and Craig Young. 2018. Return Of Bleichen-bacher's Oracle Threat (ROBOT). In 27th USENIX Security Symposium (USENIX Security 18). 817--849.Google Scholar
- Apple Developer. 2018. App Store Review Guidelines. https://developer.apple.com/app-store/review/guidelines/.Google Scholar
- Microsoft Document. 2016. Update to Improve TLS Session Resumption Interoperability. https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3109853.Google Scholar
- Benjamin Dowling and Douglas Stebila. 2015. Modelling ciphersuite and version negotiation in the TLS protocol. In Australasian Conference on Information Security and Privacy. Springer, 270--288.Google ScholarCross Ref
- Thai Duong and Juliano Rizzo. 2011. BEAST. In Ekoparty.Google Scholar
- Dave Garrett. 2020. TLS 1.3 version intolerant servers should get lower grades. https://qualys-secure.force.com/discussions/s/question/0D52L00004TnuqkSAB/tls-13-version-intolerant-servers-should-get-lower-grades.Google Scholar
- Ilya Grigorik. 2013. High Performance Browser Networking: What every web developer should know about networking and web performance. " O'Reilly Media, Inc.".Google Scholar
- Alan Grosskurth and Michael W Godfrey. 2005. A reference architecture for web browsers. In 21st IEEE International Conference on Software Maintenance (ICSM'05). IEEE, 661--664.Google ScholarDigital Library
- Firefox Site Compatibility Working Group. 2020. TLS 1.0/1.1 support has been disabled by default. https://www.fxsitecompat.dev/en-CA/docs/2020/tls-1-0-1-1-support-has-been-disabled-by-default/.Google Scholar
- Scott Helme. 2014. Getting an A+ rating on the Qualys SSL Test. https://scotthelme.co.uk/a-plus-rating-qualys-ssl-test/.Google Scholar
- Tibor Jager, Jörg Schwenk, and Juraj Somorovsky. 2015. On the security of TLS 1.3 and QUIC against weaknesses in PKCS# 1 v1. 5 encryption. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 1185--1196.Google Scholar
- Tibor Jager, Jorg Schwenk, and Juraj Somorovsky. 2015. On the security of TLS 1.3 and QUIC against weaknesses in PKCS#1 v1.5 encryption. In 2015 ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 1185--1196.Google ScholarDigital Library
- Adam Langley, Alfredo Pironti, Richard Barnes, and Martin Thomson. 2015. Deprecating Secure Sockets Layer Version 3.0. (2015).Google Scholar
- Joseph Medley. 2020. Deprecations and removals in Chrome 84. https://developers.google.com/web/updates/2020/05/chrome-84-deps-rems.Google Scholar
- Christopher Meyer, Juraj Somorovsky, Eugen Weiss, Jörg Schwenk, Sebastian Schinzel, and Erik Tews. 2014. Revisiting SSL/TLS implementations: New bleichenbacher side channels and attacks. In 23rd USENIX Security Symposium (USENIX Security 14). 733--748.Google Scholar
- Bodo Möller, Thai Duong, and Krzysztof Kotowicz. 2014. This POODLE bites: exploiting the SSL 3.0 fallback. Security Advisory (2014).Google Scholar
- Bodo Möller and Adam Langley. 2015. TLS fallback Signaling Cipher Suite Value (SCSV) for preventing protocol downgrade attacks. (2015).Google Scholar
- Katsuhiko Momoi. 2003. SSL 3.0 Intolerant Servers. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Notes_on_TLS_-_SSL_3.0_Intolerant_Servers.Google Scholar
- K. Moriarty and S. Farrell. 2019. Deprecating TLSv1.0 and TLSv1.1. (2019).Google Scholar
- Mozilla. 2015. Firefox 38 for developers. https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/38.Google Scholar
- Kyle Pflug. 2018. Modernizing TLS connections in Microsoft Edge and Internet Explorer 11. https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/#k6TMX5DVmAdgZ3wM.97.Google Scholar
- Kyle Pflug. 2020. Plan for change: TLS 1.0 and TLS 1.1 soon to be disabled by default. https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/.Google Scholar
- Chromium Project. 2019. Network Stack. https://chromium.googlesource.com/chromium/src/+/master/net/docs/life-of-a-url-request.md.Google Scholar
- Qualys. 2019. SSL Pulse. https://www.ssllabs.com/ssl-pulse/.Google Scholar
- Marsh Ray, Alfredo Pironti, Adam Langley, Karthikeyan Bhargavan, and Antoine Delignat-Lavaud. 2015. Transport Layer Security (TLS) session hash and extended master secret extension. Transport (2015).Google Scholar
- Eric Rescorla. 2008. The transport layer security (TLS) protocol version 1.2. https://tools.ietf.org/html/rfc5246. (2008).Google Scholar
- Eric Rescorla. 2018. The transport layer security (TLS) protocol version 1.3. https://tools.ietf.org/html/rfc8446. (2018).Google Scholar
- Ivan Ristic. 2013. [TLS] TLS protocol version intolerance. https://mailarchive.ietf.org/arch/msg/tls/aFS1brjfUy-GHq2oefTFCjKjzKM/.Google Scholar
- Ivan Ristic. 2016. TLS Version Intolerance in SSL Pulse. https://blog.qualys.com/ssllabs/2016/08/02/tls-version-intolerance-in-ssl-pulse.Google Scholar
- Juliano Rizzo and Thai Duong. 2011. Here come the XOR ninjas. Unpublished manuscript (2011).Google Scholar
- Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong, and Yuval Yarom. 2019. The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 435--452.Google ScholarCross Ref
- StatCounter. 2019. Browser Marketshare. https://gs.statcounter.com/browser-market-share.Google Scholar
- StatCounter. 2019. Operating System Marketshare. https://gs.statcounter.com/os-market-share.Google Scholar
- Mike Taylor. 2019. TLS 1.0 and 1.1 Removal Update. https://hacks.mozilla.org/2019/05/tls-1-0-and-1-1-removal-update/.Google Scholar
- Martin Thomson. 2018. Removing Old Versions of TLS. https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/.Google Scholar
- Sean Turner and Tim Polk. 2011. Prohibiting secure sockets layer (SSL) version 2.0. (2011).Google Scholar
- David Wong. 2019. Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries. https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/.Google Scholar
- Christopher Wood. 2018. Deprecation of Legacy TLS 1.0 and 1.1 Versions. https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/.Google Scholar
Index Terms
- Return of version downgrade attack in the era of TLS 1.3
Recommendations
TLS 1.3 in Practice:How TLS 1.3 Contributes to the Internet
WWW '21: Proceedings of the Web Conference 2021Transport Layer Security (TLS) has become the norm for secure communication over the Internet. In August 2018, TLS 1.3, the latest version of TLS, was approved, providing improved security and performance of the previous TLS version. In this paper, we ...
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications SecurityEncrypted key transport with RSA-PKCS#1 v1.5 is the most commonly deployed key exchange method in all current versions of the Transport Layer Security (TLS) protocol, including the most recent version 1.2. However, it has several well-known issues, most ...
JITGuard: Hardening Just-in-time Compilers with SGX
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications SecurityMemory-corruption vulnerabilities pose a serious threat to modern computer security. Attackers exploit these vulnerabilities to manipulate code and data of vulnerable applications to generate malicious behavior by means of code-injection and code-reuse ...
Comments