A downgrade attack, also called a bidding-down attack,[1] or version rollback attack, is a form of cryptographic attack on a computer system or communications protocol that makes it abandon a high-quality mode of operation (e.g. an encrypted connection) in favor of an older, lower-quality mode of operation (e.g. cleartext) that is typically provided for backward compatibility with older systems.[2] An example of such a flaw was found in OpenSSL that allowed the attacker to negotiate the use of a lower version of TLS between the client and server.[3] This is one of the most common types of downgrade attacks. Opportunistic encryption protocols such as STARTTLS are generally vulnerable to downgrade attacks, as they, by design, fall back to unencrypted communication. Websites which rely on redirects from unencrypted HTTP to encrypted HTTPS can also be vulnerable to downgrade attacks (e.g., sslstrip), as the initial redirect is not protected by encryption.[4]
Attack
Downgrade attacks are often implemented as part of a man-in-the-middle (MITM) attack, and may be used as a way of enabling a cryptographic attack that might not be possible otherwise.[5] Downgrade attacks have been a consistent problem with the SSL/TLS family of protocols; examples of such attacks include the POODLE attack.
Downgrade attacks in the TLS protocol take many forms.[6] Researchers have classified downgrade attacks with respect to four different vectors, which together represent a framework for reasoning about downgrade attacks:[6]
- The protocol element that is targeted
  - Algorithm
  - Version
  - Layer
- The type of vulnerability that enables the attack
  - Implementation
  - Design
  - Trust-model
- The attack method
  - Dropping
  - Modification
  - Injection
- The level of damage that the attack causes
  - Broken Security
  - Weakened Security
There are some recent proposals[7][8] that exploit the concept of prior knowledge to enable TLS clients (e.g. web browsers) to protect sensitive domain names against certain types of downgrade attacks that exploit the clients' support for legacy versions or non-recommended ciphersuites (e.g. those that do not support forward secrecy or authenticated encryption), such as the POODLE, ClientHello fragmentation,[9][10] and a variant of the DROWN (aka "the special drown") downgrade attacks.
Removing backward compatibility is often the only way to prevent downgrade attacks. However, sometimes the client and server can recognize each other as up-to-date in a manner that prevents them. For example, if a Web server and user agent both implement HTTP Strict Transport Security and the user agent knows this of the server (either by having previously accessed it over HTTPS, or because it is on an "HSTS preload list"[11][12][13]), then the user agent will refuse to access the site over vanilla HTTP, even if a malicious router represents it and the server to each other as not being HTTPS-capable.
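The HSTS behaviour described above, as an added example that is not part of the original article: a small Python model of a user agent's HSTS knowledge (a constructed preload list plus policies learned from Strict-Transport-Security headers seen over HTTPS) that upgrades http:// URLs for known hosts before any request leaves the client, so a stripped redirect (sslstrip) or a router claiming the server is not HTTPS-capable never sees a cleartext request to tamper with. The class, the header parsing and every host name are assumptions constructed for this illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit
# Constructed stand-in for a browser's shipped HSTS preload list (host -> includeSubDomains).
PRELOAD = {"example.com": True}

class HstsStore:
    def __init__(self, preload=None, now=time.time):
        self.now = now
        self.preloaded = dict(preload or {})  # never expires, cannot be cleared by a header
        self.learned = {}                     # host -> (expiry_time, include_subdomains)

    def observe(self, host, header, over_https):
        """Learn a policy from a Strict-Transport-Security response header."""
        if not over_https:
            return  # a header seen over plain HTTP could have been injected by a MITM
        max_age, subs = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            value = value.strip().strip('"')
            if name.lower() == "max-age" and value.isdigit():
                max_age = int(value)
            elif name.lower() == "includesubdomains":
                subs = True
        if max_age is None:
            return  # malformed or missing max-age: learn nothing
        if max_age == 0:
            self.learned.pop(host.lower(), None)  # max-age=0 withdraws a learned policy
        else:
            self.learned[host.lower()] = (self.now() + max_age, subs)

    def is_known_host(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            subs = self.preloaded.get(candidate)
            if subs is None:
                entry = self.learned.get(candidate)
                if entry is None or entry[0] <= self.now():
                    continue  # no policy for this label, or it has expired
                subs = entry[1]
            if i == 0 or subs:
                return True
        return False

    def rewrite(self, url):
        # Upgrade http:// to https:// before any request is sent for a known host.
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```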
References
- [1] "Security Implications of 5G Networks" (PDF). UC Berkeley Center for Long-Term Cybersecurity. Retrieved 24 November 2021.
- [2] "Version rollback attack".
- [3] Praetorian (19 August 2014). "Man-in-the-Middle TLS Protocol Downgrade Attack". Praetorian. Retrieved 13 April 2016.
- [4] Mutton, Paul (17 March 2016). "95% of HTTPS servers vulnerable to trivial MITM attacks | Netcraft". Netcraft. Retrieved 11 December 2023.
- [5] "Downgrade attack". encyclopedia.kaspersky. Retrieved 5 September 2023.
- [6] Alashwali, E. S. and Rasmussen, K. (2018). "What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS". 4th Int. Workshop on Applications and Techniques in Cyber Security (ATCS), co-located with 14th Int. Conf. in Security and Privacy in Communication Networks (SecureComm). Springer. pp. 469–487. arXiv:1809.05681.
- [7] Alashwali, E. S. and Rasmussen, K. (2018). "On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name". 14th Int. Conf. in Security and Privacy in Communication Networks (SecureComm). Springer. pp. 213–228. arXiv:1809.05686.
- [8] Alashwali, E. S. and Szalachowski, P. (2018). "DSTC: DNS-based Strict TLS Configurations". 13th Int. Conf. on Risks and Security of Internet and Systems (CRISIS). Springer. arXiv:1809.05674.
- [9] ldapwiki. "ClientHello". Archived from the original on 17 March 2020. Retrieved 30 January 2019.
- [10] Beurdouche, B., Delignat-Lavaud, A., Kobeissi, N., Pironti, A., Bhargavan, K. (2015). "FLEXTLS: A Tool for Testing TLS Implementations". 9th USENIX Workshop on Offensive Technologies (WOOT 15). USENIX. Retrieved 30 January 2019.
- [11] Adam Langley (8 July 2010). "Strict Transport Security". The Chromium Projects. Retrieved 22 July 2010.
- [12] David Keeler (1 November 2012). "Preloading HSTS". Mozilla Security Blog. Retrieved 6 February 2014.
- [13] Bell, Mike; Walp, David (16 February 2015). "HTTP Strict Transport Security comes to Internet Explorer". Retrieved 16 February 2015.