If you thought your data was safe, think again. According to academic research, a vulnerability affecting TLS 1.3 lets hackers tap into a secured channel and harvest data for malicious purposes.
The research paper was published by Tel Aviv University, the University of Adelaide, the University of Michigan and the Weizmann Institute. NCC Group and Data61 have also reached similar findings.
The attack is a modified version of the original Bleichenbacher oracle attack, which in the past was able to decode a message encrypted with RSA public-key cryptography.
This new wave, however, works against TLS 1.3, the latest version of the TLS protocol. Authorities believed it to be secure, but apparently it is not, and that’s alarming!
Since TLS 1.3 does not support RSA key exchange, the researchers proceeded by downgrading to TLS 1.2 for the purpose of assessing the attack.
As a result, downgrade mitigations (one server-side and two client-side) were bypassed by the downgrade attack. The conclusion was that larger RSA keys, as well as a shortened handshake timeout, could have prevented these attacks.
Nine different TLS implementations were studied: OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, GnuTLS, BearSSL and Google’s BoringSSL. Of these, BearSSL and BoringSSL were safe. All of the others remained vulnerable.
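The downgrade described above only has something to target when a server still enables TLS 1.2 suites that use RSA key exchange. The following audit is an added example, not code from the research paper or from any of the listed libraries: it sorts a server's enabled suites by key exchange, with the function names and the sample list being assumptions constructed for illustration.

```python
import re

# Up to TLS 1.2, IANA suite names read TLS_<key exchange>_WITH_<cipher>_<mac>.
_TLS12_NAME = re.compile(r"^TLS_([A-Z0-9_]+?)_WITH_[A-Z0-9_]+$")
# TLS 1.3 suites name only the AEAD cipher and hash; there is no RSA key exchange.
_TLS13_NAME = re.compile(r"^TLS_(AES|CHACHA20)_[A-Z0-9_]+$")
# Key exchanges in which the client RSA-encrypts the premaster secret to the server.
RSA_ENCRYPTION_KX = {"RSA", "RSA_PSK", "RSA_EXPORT"}


def classify(suite):
    """Return 'rsa-kx', 'other-kx', 'tls1.3' or 'unknown' for one IANA suite name."""
    name = suite.strip().upper()
    match = _TLS12_NAME.match(name)
    if match:
        return "rsa-kx" if match.group(1) in RSA_ENCRYPTION_KX else "other-kx"
    if _TLS13_NAME.match(name):
        return "tls1.3"
    return "unknown"


def audit(suites):
    """Group enabled suites by class; 'rsa-kx' and 'unknown' entries need review."""
    report = {"rsa-kx": [], "other-kx": [], "tls1.3": [], "unknown": []}
    for suite in suites:
        report[classify(suite)].append(suite)
    return report


def without_rsa_kx(suites):
    """Return the suite list with RSA key exchange removed, order preserved."""
    return [s for s in suites if classify(s) != "rsa-kx"]


# Constructed sample: a server's enabled suites (not taken from any real host).
SAMPLE_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # RSA signs only; ECDHE key exchange
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "AES128-SHA",  # OpenSSL-style name, reported as unknown rather than guessed
]

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_SUITES).items():
        print(f"{kind:9} {names}")
```

Suites such as `TLS_ECDHE_RSA_WITH_...` use RSA only to sign the handshake, so they are not flagged.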
What Do Experts Have To Say?
As far as the number of attacks is concerned, Broderick Perelli-Harris, Sr. Director at Venafi, believes they have been popping up since 1988 under variations of Bleichenbacher. Therefore, it isn’t surprising that TLS 1.3 is vulnerable as well.
Jake Moore, cyber-security specialist at ESET UK, is of the opinion that this attack of a cryptographic nature is not the first and will not be the last of its kind. He is also of the opinion that it’s akin to a game of Whac-A-Mole: every time a security fix is applied, another one pops up.
What Can You Do?
All in all, the flaw is in the original makeup of the TLS encryption protocol. But for now, due to the very design of the protocol, patching is the only way forward.
What can you do to protect yourself in the meantime? Employ two-factor authentication (2FA), keep your software, such as anti-malware/antivirus, updated, set stronger passwords, and use a decent VPN service such as Ivacy.