Attacks on TLS and Airlock Gateway Protection Mechanisms

Affects product: Airlock WAF

The following list shows some major attack vectors on SSL/TLS and describes how the default configuration of Airlock WAF protects.

| Public Disclosure | Attack | Affected Server | Airlock WAF Attack Mitigation | Ref. |
| --- | --- | --- | --- | --- |
| 2021 | ALPACA Attack | TLS services like https, ftps, imaps etc. sharing a compatible TLS certificate and not validating SNI and ALPN fields. | Airlock Gateway strictly validates SNI and uses ALPN. | [21] |
| 2020 | Raccoon | Server supporting DH(E) key exchange, reusing the DH share, with TLS version <= 1.2 | DH shares are not reused. | [20] |
| 2019 | Zombie POODLE and GOLDENDOODLE | Certain TLS 1.0 - 1.2 implementations using CBC block cipher mode | The OpenSSL version used by Airlock WAF is not affected. GCM block cipher mode and secure stream ciphers like the ChaCha family are preferred over CBC ciphers. TLS 1.3 available since Airlock WAF 7.2. | [19] |
| 2019 | TLS Padding Oracles | OpenSSL servers using non-stitched cipher suites without AES-NI support | Prioritization of GCM cipher suites. AES-NI and stitched cipher suite support. | [18] |
| 2018 | Bleichenbacher's CAT | Server supporting RSA key exchange | All RSA key exchange ciphers removed with Airlock WAF 7.1 | [17] |
| 2017 | ROBOT | Bad implementations of TLS cipher modes that use RSA for key exchange. | Airlock WAF is not affected because current OpenSSL versions are not affected. | [16] |
| 2016 | SWEET32 | Server supporting 3DES ciphers | 3DES is disabled since Airlock WAF 6.1 | [6] |
| 2016 | DROWN | Server supporting SSL protocol version 2 | SSLv2 is disabled since Airlock WAF 4.2** | [14] |
| - | RC4 attacks | Server supporting RC4 ciphers | RC4 is disabled since Airlock WAF 5.3* | [5] |
| 2016 | HEIST | All TLS servers, but especially those with response traffic compression enabled | Same mitigations as for TIME | [7] |
| 2015 | logjam | Server supporting Diffie-Hellman (DH) ciphers and DH groups with small primes (e.g. 512 bits). | Airlock WAF prevents DH parameters shorter than 1024 bits. | [8] |
| 2015 | FREAK | Server supporting RSA export ciphers | RSA export ciphers are disabled since Airlock WAF 4.2** | [9] |
| 2014 | POODLE | Server supporting SSL protocol version 3 | SSLv3 is disabled since Airlock WAF 5.2* | [10] |
| 2014 | HEARTBLEED | Server with vulnerable OpenSSL version | OpenSSL is fixed since Airlock WAF 5.1* | [11] |
| 2013 | LUCKY 13 | Server with timing oracles in CBC implementation | OpenSSL fix in place. GCM mode preferred over CBC mode. | [8] |
| 2013 | BREACH | Server with HTTP response compression enabled | Same as for TIME. | [1] |
| 2013 | TIME | Server with HTTP response compression enabled | HTTP response compression is disabled by default. Mitigation available if compression cannot be disabled [15]. | [12] |
| 2012 | CRIME | Server supporting TLS compression | TLS compression is disabled by default. | [13] |
| 2011 | BEAST | Server supporting TLS 1.0 with CBC mode ciphers | TLS protocol versions 1.1 and 1.2 take priority over TLS 1.0, and GCM mode over CBC mode. | [2] |
| 2002 | DHEat attack | Server supporting DHE ciphers | See [21] | [21] |

* Hotfixes available for older releases
** We do not consider Airlock WAF releases before 4.2
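As an added example (not Airlock's own code or configuration), the following Python script audits a TLS server configuration, given as a plain dict of enabled protocols, server-preferred OpenSSL cipher names, compression settings and DH parameter size, against the weaknesses in the table above and reports which attack each weakness enables. Cipher properties are derived from OpenSSL's suite naming convention; the two sample configurations are constructed for illustration and are not Airlock defaults.

```python
import re

# Configuration weaknesses from the table above and the attack each one enables.
PROTOCOL_WEAKNESS = {"SSLv2": "DROWN", "SSLv3": "POODLE"}
CIPHER_WEAKNESS = {"EXP": "FREAK", "RC4": "RC4 attacks", "DES-CBC3": "SWEET32"}

def cipher_props(name):
    """Derive key exchange, forward secrecy and cipher mode from an OpenSSL suite name."""
    if name.startswith("TLS_"):            # TLS 1.3 suites always use ephemeral key exchange
        kx = "TLS1.3"
    else:                                  # no ECDHE/DHE prefix (e.g. AES128-SHA) means static RSA
        kx = next((p for p in ("ECDHE", "DHE") if name.startswith(p)), "RSA")
    mode = "AEAD" if re.search(r"GCM|CCM|CHACHA20", name) else "CBC"
    return {"kx": kx, "forward_secrecy": kx != "RSA", "mode": mode}

def audit(cfg):
    """Return sorted (attack, reason) pairs for a server config dict with the keys
    protocols, ciphers (server preference order), tls_compression, http_compression, dh_bits."""
    findings = set()
    for proto in cfg["protocols"]:
        if proto in PROTOCOL_WEAKNESS:
            findings.add((PROTOCOL_WEAKNESS[proto], proto + " enabled"))
    for suite in cfg["ciphers"]:
        for needle, attack in CIPHER_WEAKNESS.items():
            if needle in suite:
                findings.add((attack, suite))
        if not cipher_props(suite)["forward_secrecy"]:   # static RSA key exchange
            findings.add(("Bleichenbacher's CAT", "RSA key exchange: " + suite))
    # BEAST needs TLS 1.0 plus a CBC suite at the top of the server's preference order
    if "TLSv1" in cfg["protocols"] and cfg["ciphers"] \
            and cipher_props(cfg["ciphers"][0])["mode"] == "CBC":
        findings.add(("BEAST", "CBC suite preferred while TLS 1.0 is enabled"))
    if cfg["tls_compression"]:
        findings.add(("CRIME", "TLS compression enabled"))
    if cfg["http_compression"]:
        findings.add(("BREACH / TIME / HEIST", "HTTP response compression enabled"))
    if cfg["dh_bits"] < 1024 and any(cipher_props(s)["kx"] == "DHE" for s in cfg["ciphers"]):
        findings.add(("logjam", "%d-bit DH parameters" % cfg["dh_bits"]))
    return sorted(findings)

# Constructed sample configurations (not Airlock defaults): a legacy server and a hardened one.
LEGACY = {"protocols": ["SSLv3", "TLSv1", "TLSv1.2"],
          "ciphers": ["AES128-SHA", "RC4-SHA", "DES-CBC3-SHA", "EXP-RC4-MD5", "DHE-RSA-AES256-SHA"],
          "tls_compression": True, "http_compression": True, "dh_bits": 512}
HARDENED = {"protocols": ["TLSv1.2", "TLSv1.3"],
            "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                        "ECDHE-RSA-CHACHA20-POLY1305", "DHE-RSA-AES128-GCM-SHA256"],
            "tls_compression": False, "http_compression": False, "dh_bits": 2048}
```

Calling audit(LEGACY) lists nine of the table's attacks with the responsible setting, while audit(HARDENED) returns an empty list.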

Client Compatibility

The default SSL/TLS configuration of Airlock WAF provides a good balance between security and client compatibility. Unfortunately, it is not possible to support very old clients while preventing all known SSL/TLS attacks. The default configuration of Airlock WAF is compatible with all modern clients. The following table shows when and why we dropped support for older browsers.

| Dropped Browser Support | Airlock Release | Reason |
| --- | --- | --- |
| Internet Explorer 8 on Windows XP | Airlock WAF 6.1 | SWEET32 attack |
| Internet Explorer 6 | Airlock WAF 5.1 with HF5010; Airlock WAF 5.0 with HF5009; Airlock WAF 4.2.6 with HF4429 | POODLE attack |

Recommendations for TLS Server Certificates

Airlock WAF supports RSA server certificates. We do not recommend configuring DSA or ECDSA certificates, even though it is possible with Apache Expert Settings. We recommend RSA keys of 2048 bits or more and a hash algorithm such as SHA-256 or better.

Other Considerations in Airlock WAF's SSL/TLS Default Configuration

Forward Secrecy

Forward Secrecy is a security property provided by cipher suites that use an ephemeral Diffie-Hellman (DHE) key exchange. With Forward Secrecy, attackers cannot decrypt intercepted traffic even if they later get hold of the server's private key used in the session handshake. DHE key exchange is slower than ECDHE (elliptic curve DHE) key exchange. ECDHE ciphers are available since Airlock 5.0. All modern clients negotiate a cipher suite with the forward secrecy property with Airlock WAF.

Note that non-Forward-Secrecy ciphers are only vulnerable if your private keys are compromised. However, keeping private keys confidential is crucial even if Forward Secrecy ciphers are used, because an active man-in-the-middle attacker who knows the private key at the time of the SSL handshake can still impersonate the server and decrypt the traffic.

Weak Diffie Hellman Parameter / Java 6

To prevent attacks like logjam, Airlock WAF does not support weak Diffie-Hellman parameters (i.e. parameters shorter than 1024 bits). The actual DH parameter size depends on the key size of the configured certificate. To support Java 6 based clients, which do not support large DH parameters, Airlock WAF establishes a non-DHE cipher (AES128-SHA) with Java 6 clients.

Custom SSL/TLS settings for front-side HTTPS connections

The default cipher suite and other SSL/TLS settings can be overridden in the Configuration Center with Apache Expert Settings. See ciphersuite-configuration.

References

[1] BREACH attack and mitigation
[2] BEAST attack
[3] LUCKY13 attack
[4] Perfect Forward Secrecy in Airlock
[5] RC4 vulnerability
[6] SWEET32 Attack on 3DES Ciphers
[7] Heist attack on TLS/SSL
[8] Logjam attack
[9] SSL Freak attack
[10] POODLE: SSL 3.0 vulnerability
[11] OpenSSL Heartbleed vulnerability
[12] Attack of the week: RC4 is kind of broken in TLS
[13] Wikipedia: CRIME
[14] The DROWN Attack
[15] BREACH attack: Disable compression for cross-origin requests
[16] The ROBOT Attack
[17] The 9 Lives of Bleichenbacher’s
[18] TLS Padding Oracles
[19] Introducing Zombie POODLE and GOLDENDOODLE
[20] Raccoon Attack
[21] Alpaca Attack
[21] DHEat Attack