The following table lists major attack vectors on SSL/TLS and describes how the default configuration of Airlock WAF protects against each of them.
Public Disclosure | Attack | Affected Server | Airlock WAF Attack Mitigation | Ref. |
---|---|---|---|---|
2021 | ALPACA Attack | TLS services like https, ftps, imaps etc. sharing a compatible TLS certificate and not validating SNI and ALPN fields. | Airlock Gateway strictly validates SNI and uses ALPN. | [21] |
2020 | Raccoon | Server supporting DH(E) key exchange, reusing the DH share, with TLS version <= 1.2 | DH shares are not reused. | [20] |
2019 | Zombie POODLE | Certain TLS 1.0 - 1.2 implementations using CBC block cipher mode | The OpenSSL version used by Airlock WAF is not affected. GCM block cipher mode and secure stream ciphers like the ChaCha family are preferred over CBC ciphers. TLS 1.3 available since Airlock WAF 7.2. | [19] |
2019 | TLS Padding Oracles | OpenSSL servers using non-stitched cipher suites without AES-NI support | Prioritization of GCM cipher suites. AES-NI and stitched cipher suite support. | [18] |
2018 | Bleichenbacher's CAT | Server supporting RSA key exchange | All RSA key exchange ciphers removed with Airlock WAF 7.1 | [17] |
2017 | ROBOT | TLS implementations with a Bleichenbacher-style padding oracle in the RSA key exchange (Return Of Bleichenbacher's Oracle Threat). | Airlock WAF is not affected because current OpenSSL versions are not affected. | [16] |
2016 | SWEET32 | Server supporting 3DES ciphers | 3DES is disabled since Airlock WAF 6.1 | [6] |
2016 | DROWN | Server supporting SSL protocol version 2 | SSLv2 is disabled since Airlock WAF 4.2** | [14] |
- | RC4 attacks | Server supporting RC4 ciphers | RC4 is disabled since Airlock WAF 5.3* | [5] |
2016 | HEIST | All TLS servers, especially those with HTTP response compression enabled | Same mitigations as for TIME | [7] |
2015 | logjam | Server supporting Diffie-Hellman (DH) ciphers and DH groups with small primes (e.g. 512 bits). | Airlock WAF prevents DH parameters shorter than 1024 bits. | [8] |
2015 | FREAK | Server supporting RSA export ciphers | RSA export ciphers are disabled since Airlock WAF 4.2** | [9] |
2014 | POODLE | Server supporting SSL protocol version 3 | SSLv3 is disabled since Airlock WAF 5.2* | [10] |
2014 | HEARTBLEED | Server with vulnerable OpenSSL version | OpenSSL is fixed since Airlock WAF 5.1* | [11] |
2013 | LUCKY 13 | Server with timing oracles in CBC implementation | OpenSSL fix in place | [8] |
2013 | BREACH | Server with HTTP response compression enabled | Same as for TIME. | [1] |
2013 | TIME | Server with HTTP response compression enabled | HTTP response compression is disabled by default. Mitigation available if compression can not be disabled [15]. | [12] |
2012 | CRIME | Server supporting TLS compression | TLS compression is disabled by default. | [13] |
2011 | BEAST | Server supporting TLS 1.0 with CBC mode ciphers | TLS protocol versions 1.1 and 1.2 take priority over TLS 1.0, and GCM mode over CBC mode. | [2] |
2002 | DHEat attack | Server supporting DHE ciphers | See [21] | [21] |
* Hotfixes available for older releases
** We do not consider Airlock WAF releases before 4.2
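The rules in the table can be applied to a cipher list mechanically. The following is an added example, not Airlock code and not part of the original page: a Python audit that classifies OpenSSL-style cipher suite names against the attack classes above and emits a priority-ordered list in the form Apache's SSLCipherSuite directive takes (AEAD before CBC, ECDHE before DHE before RSA key transport, TLS 1.3 suites first). The classification is a reading of the table and does not model PSK or SRP suites; the sample list is constructed for the example.

```python
"""Offline audit of an OpenSSL-style cipher list against the attack classes
in the table above. Added example, not Airlock code: the rules are a
reading of the table (RC4, 3DES/SWEET32, export suites/FREAK, RSA key
transport for ROBOT and Bleichenbacher's CAT, CBC suites for Lucky 13 and
the TLS padding-oracle family). Names follow OpenSSL's cipher naming,
e.g. ECDHE-RSA-AES128-GCM-SHA256. PSK/SRP suites are not modelled."""

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def is_tls13(name):
    # OpenSSL names TLS 1.3 suites TLS_AES_128_GCM_SHA256, TLS_CHACHA20_...:
    # they are always ephemeral (EC)DH + AEAD, so the TLS <= 1.2 rules do
    # not apply to them.
    return name.upper().startswith("TLS_")


def is_aead(name):
    return any(m in name.upper() for m in AEAD_MARKERS)


def findings(name):
    """Return the attack classes a single cipher suite exposes (empty = ok)."""
    n = name.upper()
    if is_tls13(n):
        return []
    out = []
    if "RC4" in n:
        out.append("RC4 stream cipher (RC4 attacks)")
    if "DES-CBC3" in n or "3DES" in n:
        out.append("64-bit block cipher (SWEET32)")
    if n.startswith("EXP"):
        out.append("export-grade cipher (FREAK)")
    if "NULL" in n:
        out.append("no encryption")
    if n.endswith("-MD5"):
        out.append("MD5 MAC")
    if n.startswith(("ADH", "AECDH")):
        out.append("anonymous key exchange (no server authentication)")
    elif "DHE" not in n:
        # AES128-SHA, AES256-GCM-SHA384 etc. carry the premaster secret
        # encrypted under the server's RSA key.
        out.append("RSA key transport, no forward secrecy (ROBOT, Bleichenbacher's CAT)")
    if not is_aead(n) and "RC4" not in n and "NULL" not in n:
        out.append("CBC mode (Lucky 13 / TLS padding oracles)")
    return out


def preference(name):
    """Sort key for the stated priorities: TLS 1.3 first, then AEAD (GCM /
    ChaCha20) before CBC, and within a mode ECDHE before DHE before RSA."""
    n = name.upper()
    if is_tls13(n):
        return (0, n)
    mode = 0 if is_aead(n) else 1
    kex = 0 if "ECDHE" in n else 1 if "DHE" in n else 2
    return (1, mode, kex, n)


def build_cipher_string(names, allow_cbc=True):
    """Drop suites with findings, keep CBC suites only as low-priority
    fallbacks when allow_cbc is set (as the default configuration does), and
    return an OpenSSL cipher list in priority order, i.e. a value for
    Apache's SSLCipherSuite directive used together with SSLHonorCipherOrder."""
    kept = []
    for name in names:
        f = findings(name)
        if allow_cbc:
            f = [x for x in f if not x.startswith("CBC")]
        if not f:
            kept.append(name)
    return ":".join(sorted(kept, key=preference))


def audit(names):
    return {name: findings(name) for name in names}


def local_openssl_ciphers():
    """Cipher names the local OpenSSL enables in a default Python client context."""
    import ssl
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample list (not taken from any Airlock release) exercising every rule.
SAMPLE = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "EXP-RC4-MD5",
]

if __name__ == "__main__":
    for name, f in audit(SAMPLE).items():
        print(f"{name:32} {'ok' if not f else '; '.join(f)}")
    print("\nSSLCipherSuite", build_cipher_string(SAMPLE))
    print("\nlocal OpenSSL defaults with findings:")
    for name, f in audit(local_openssl_ciphers()).items():
        if f:
            print(f"  {name}: {'; '.join(f)}")
```

Run as a script it prints the verdict per sample suite, the resulting cipher string, and whichever suites the local OpenSSL still enables by default that the table would flag; `build_cipher_string(names, allow_cbc=False)` gives the stricter list without any CBC fallback.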
The default SSL/TLS configuration of Airlock WAF provides a good balance between security and client compatibility. Unfortunately, it is not possible to support very old clients while preventing all known SSL/TLS attacks. The default configuration of Airlock WAF is compatible with all modern clients. The following table shows when and why we dropped support for older browsers.
Dropped Browser Support | Airlock Release | Reason |
---|---|---|
Internet Explorer 8 on Windows XP | Airlock WAF 6.1 | SWEET32 attack |
Internet Explorer 6 | Airlock WAF 5.1 with HF5010 | POODLE attack |
Airlock WAF supports RSA server certificates. We do not recommend configuring DSA or ECDSA certificates, even though it is possible with Apache Expert Settings. We recommend RSA keys of 2048 bits or more and a signature hash algorithm like SHA256 or better.
Forward Secrecy is a security property provided by cipher suites with an ephemeral Diffie-Hellman (DHE or ECDHE) key exchange. With Forward Secrecy, attackers cannot decrypt intercepted traffic even if they later obtain the server's private key that authenticated the handshake, because the session key is derived from ephemeral values that are discarded after the handshake. DHE key exchange is slower than ECDHE (Elliptic Curve DHE) key exchange. ECDHE ciphers are available since Airlock 5.0. All modern clients negotiate a cipher suite with the Forward Secrecy property with Airlock WAF.
Note that cipher suites without Forward Secrecy are only vulnerable if your private keys are compromised. Keeping private keys confidential is nevertheless crucial even with Forward Secrecy ciphers: an attacker who knows the private key during the SSL/TLS handshake can act as an active man-in-the-middle, impersonate the server and read the traffic.
To prevent attacks like logjam, Airlock WAF does not support weak Diffie-Hellman parameters (i.e. parameters shorter than 1024 bits). The actual DH parameter size depends on the key size of the configured certificate. To support clients based on Java 6, which do not support large DH parameters, Airlock WAF negotiates a non-DHE cipher (AES128-SHA) with Java 6 clients.
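To make the Forward Secrecy argument concrete, the following is an added example that is not from the original page and not Airlock's implementation: a plain-Python simulation of both key exchanges with toy-sized RSA and finite-field DH parameters. The constants (P, Q, E, DH_P, DH_G) and the hash-based key derivation are illustrative assumptions, far too small for real use; they exist only so that the two scenarios above can be run offline: a passive attacker who records the handshake and obtains the server's private key afterwards, and an active man-in-the-middle who holds the key during the handshake. A logjam-style size check on the DH group is included and, as expected, rejects the toy group.

```python
"""Toy model of why RSA key transport lacks forward secrecy while (EC)DHE
has it, and why the server's private key still matters with DHE.

Added example, not Airlock code. RSA and DH parameters are tiny on purpose
(assumption: real deployments use >= 2048-bit RSA and >= 1024-bit DH groups)."""
import hashlib
import random

# Toy long-term RSA key of the server (textbook RSA, no padding).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

# Toy finite-field DH group: p = 2**31 - 1 (prime), generator 7.
DH_P = 2147483647
DH_G = 7


def dh_params_acceptable(p, minimum_bits=1024):
    """The logjam rule from the text: reject DH groups shorter than 1024 bits."""
    return p.bit_length() >= minimum_bits


def session_key(secret):
    """Stand-in for the TLS key derivation: hash of the shared secret."""
    return hashlib.sha256(str(secret).encode()).hexdigest()[:16]


def _digest(msg):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % N


def rsa_sign(msg, d=D):
    return pow(_digest(msg), d, N)


def rsa_verify(msg, sig):
    return pow(sig, E, N) == _digest(msg)


def handshake_rsa_kex(rng):
    """TLS <= 1.2 RSA key exchange: the client encrypts a premaster secret
    under the server's long-term public key. Returns (transcript, session key)."""
    premaster = rng.randrange(2, N)
    transcript = {"kex": "RSA", "encrypted_premaster": pow(premaster, E, N)}
    return transcript, session_key(premaster)


def handshake_dhe(rng):
    """DHE: both sides pick fresh exponents; the server signs its share with
    the long-term key so the client knows whom it is talking to."""
    a, b = rng.randrange(2, DH_P - 1), rng.randrange(2, DH_P - 1)
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"kex": "DHE", "client_share": ga, "server_share": gb,
                  "server_sig": rsa_sign(str(gb))}
    if not rsa_verify(str(gb), transcript["server_sig"]):   # client's check
        raise ValueError("bad server signature")
    return transcript, session_key(pow(gb, a, DH_P))        # b is discarded


def passive_attacker_later(transcript, leaked_d):
    """Recorded the transcript, obtains the private key afterwards.
    Returns the session key it can compute, or None."""
    if transcript["kex"] == "RSA":
        premaster = pow(transcript["encrypted_premaster"], leaked_d, N)
        return session_key(premaster)
    # DHE: the transcript holds only g^a, g^b and a signature. The signing
    # key does not reveal a or b; recovering them is a discrete-log problem.
    return None


def active_mitm_with_key(rng, leaked_d):
    """Holds the server key DURING a DHE handshake: signs its own share, so
    the client ends up sharing a session key with the attacker."""
    a, m = rng.randrange(2, DH_P - 1), rng.randrange(2, DH_P - 1)
    ga, gm = pow(DH_G, a, DH_P), pow(DH_G, m, DH_P)
    forged_sig = rsa_sign(str(gm), leaked_d)
    client_accepts = rsa_verify(str(gm), forged_sig)
    client_key = session_key(pow(gm, a, DH_P))
    mitm_key = session_key(pow(ga, m, DH_P))
    return client_accepts and client_key == mitm_key


def demo(seed=1):
    rng = random.Random(seed)
    t_rsa, k_rsa = handshake_rsa_kex(rng)
    t_dhe, k_dhe = handshake_dhe(rng)
    return {
        "rsa_kex_recovered": passive_attacker_later(t_rsa, D) == k_rsa,
        "dhe_recovered": passive_attacker_later(t_dhe, D) == k_dhe,
        "dhe_mitm_with_key": active_mitm_with_key(rng, D),
        "toy_dh_group_acceptable": dh_params_acceptable(DH_P),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:24} {result}")
```

Run as a script, `demo()` reports that the RSA-key-exchange session is recovered from the recording, the DHE session is not, the DHE session against an attacker who held the key during the handshake is compromised, and the toy DH group fails the 1024-bit check.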
The default cipher suite and other SSL/TLS settings can be overridden in the Configuration Center with Apache Expert Settings. See ciphersuite-configuration.