Awesome
TLS - what can go wrong?
Key generation
- Debian weak keys
- ROCA
- Shared prime factors (mining ps and qs)
- Shared non-private keys (e.g. using default keys shipped with applications)
RSA encryption handshake
- Bleichenbacher, Klima, ROBOT etc. attacks
- SSLv2 Bleichenbacher attack (DROWN)
RSA signature handshake
- RSA-CRT bug / modexp miscalculation (signature generation)
- Bleichenbacher signature forgery, BERserk (signature verification)
ECDSA / DSA handshake
- Duplicate r (not found in the wild yet)
Static DH/ECDH handshake
Diffie Hellman
- Backdoor parameters, some detectable (e.g. non-prime modulus), others not
- Logjam (paper describes multiple attacks), too small parameters
- Ephemeral key reuse with small subgroup parameters
- DH/ECDH parameter confusion
ECDHE
- Curveswap
- Invalid Curve attack / ephemeral key reuse
Finished message
- Lack of check, also partial lack of check, Poodle has friends
CBC/HMAC
- BEAST
- Vaudenay's Padding Oracle (impractical due to encrypted error messages)
- Canvel's timing oracle
- Lucky Thirteen, Lucky Microseconds
- LuckyMinus20 (CVE-2016-2107)
- POODLE (SSLv3)
- Lack of padding check in TLS 1.0 and later (POODLE-TLS)
- Partial padding checks, More POODLEs in the forest
- MACE / Lack of HMAC check, also partial checks Poodle has friends
GCM
- Duplicate or random nonces (Forbidden attack, Nonce-disrespecting adversaries)
- Lack of ghash check (not found in the wild yet)
Small block size
RC4
- RC4 Biases, cipher design problem, unfixable
Compression
- CRIME (TLS compression)
- BREACH (HTTP compression)
- TIME, HEIST (TCP window trick, Javascript, timing + HTTP compression)
State machine errors
- SMACK, SkipTLS
- FREAK
- CCS Injection
HTTP/HTTPS related
- SSL Stripping
- Insecure redirects (e.g. https:// -> http://www. -> https://www.)
Parsing and validation logic issues
- Heartbleed
- STARTTLS command injection
- Version intolerance, large handshake intolerance, middlebox breakage, ...
- Frankencerts
- goto fail
Sidechannels
- Timing side channel allowing remote key recovery
- Timing side channels against symmetric ciphers (AES)
- Timing side channel allowing remote key recovery
- CPU cache side channels allowing private key recovery across processes/VMs (PortSmash (ECDSA and DSA keys), CVE-2018-0737 (RSA keys))
Others
- Insecure Renegotiation
- Triple Handshake
- Virtual Host Confusion
- Cookie cutter
- SLOTH
- Carry propagation bugs / math bugs (can cause RSA-CRT bug, Squeezing a key through a carry bit)