The Transport Layer Security (TLS) protocol suffers from legacy bloat: after 20 years of evolution, it features many versions, extensions, and ciphersuites, some of which are obsolete and known to be insecure. Implementations and deployments of TLS deal with this complexity by implementing composite state machines that allow new and old features to coexist for interoperability, while waiting for deprecated features to be disabled over time. Getting this composition right is tricky, and any flaw can result in a serious attack that bypasses the expected security of TLS.
This talk will discuss three recent vulnerabilities discovered in our group: SKIP uses state machine flaws in Oracle’s JSSE to hijack TLS connections between a Java client and any web server; FREAK uses legacy support for export-grade RSA cipher suites to break into connections between mainstream browsers and 25% of the web; Logjam exploits a protocol flaw to confuse DHE key exchanges into using export-grade Diffie-Hellman groups. These attacks rely on a combination of protocol-level weaknesses, implementation bugs, and weak cryptography. The talk will advocate principled methods to avoid such weaknesses in the future, such as software verification and new robust designs for new protocols like TLS 1.3.