LICENSE:

This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

For more information, please refer to

README.md:

TLS - what can go wrong?
========================

Key generation

* [Debian weak keys](https://wiki.debian.org/SSLkeys)
* [ROCA](https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
* Shared prime factors ([mining ps and qs](https://factorable.net/))
* Shared non-private keys (e.g. using default keys shipped with applications)

RSA encryption handshake

* [Bleichenbacher](http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf), [Klima](https://eprint.iacr.org/2003/052), [ROBOT](https://robotattack.org/) and related padding-oracle attacks
* SSLv2 Bleichenbacher attack ([DROWN](https://drownattack.com/))

RSA signature handshake

* [RSA-CRT bug](https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/) / modexp miscalculation (signature generation)
* [Bleichenbacher signature forgery](https://www.ietf.org/mail-archive/web/openpgp/current/msg00999.html), [BERserk](http://www.c7zero.info/stuff/BERserk_eko10.pdf) (signature verification)

ECDSA / DSA handshake

* Duplicate r (not found in the wild yet)

Static DH/ECDH handshake

* [KCI](https://kcitls.org/)

Diffie-Hellman

* [Backdoor parameters](https://eprint.iacr.org/2016/644), some detectable (e.g. non-prime modulus), others not
* [Logjam](https://weakdh.org/) (paper describes multiple attacks), too small parameters
* [Ephemeral key reuse with small subgroup parameters](https://www.openssl.org/news/secadv/20160128.txt)
* [DH/ECDH parameter confusion](https://www.cosic.esat.kuleuven.be/publications/article-2216.ps)

ECDHE

* [Curveswap](https://eprint.iacr.org/2018/298.pdf)
* [Invalid Curve attack](https://web-in-security.blogspot.com/2015/09/practical-invalid-curve-attacks.html) / ephemeral key reuse

Finished message

* Missing or partial verification of the Finished message, [Poodle has friends](https://yngve.vivaldi.net/2015/07/14/the-poodle-has-friends/)

CBC/HMAC

* [BEAST](https://www.youtube.com/watch?v=-BjpkHCeqU0)
* [Vaudenay's Padding Oracle](https://iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.ps) (impractical due to encrypted error messages)
* [Canvel's timing oracle](https://www.iacr.org/cryptodb/archive/2003/CRYPTO/1069/1069.pdf)
* [Lucky Thirteen](http://www.isg.rhul.ac.uk/tls/Lucky13.html), [Lucky Microseconds](https://eprint.iacr.org/2015/1129)
* [LuckyMinus20](https://web-in-security.blogspot.com/2016/05/curious-padding-oracle-in-openssl-cve.html) (CVE-2016-2107)
* [POODLE](https://www.openssl.org/~bodo/ssl-poodle.pdf) (SSLv3)
* Lack of padding check in TLS 1.0 and later ([POODLE-TLS](https://www.imperialviolet.org/2014/12/08/poodleagain.html))
* Partial padding checks, [More POODLEs in the forest](https://yngve.vivaldi.net/2015/07/14/there-are-more-poodles-in-the-forest/)
* MACE / missing or partial HMAC check, [Poodle has friends](https://yngve.vivaldi.net/2015/07/14/the-poodle-has-friends/)

GCM

* Duplicate or random nonces ([Forbidden attack](http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/Joux_comments.pdf), [Nonce-disrespecting adversaries](https://github.com/nonce-disrespect/nonce-disrespect))
* Lack of GHASH tag check (not found in the wild yet)

Small block size

* [Sweet32](https://sweet32.info/)

RC4

* [RC4 biases](http://www.isg.rhul.ac.uk/tls/), cipher design problem, unfixable

Compression

* [CRIME](https://en.wikipedia.org/wiki/CRIME) (TLS compression)
* [BREACH](http://breachattack.com/) (HTTP compression)
* [TIME](https://www.blackhat.com/eu-13/briefings.html#Beery), [HEIST](https://www.blackhat.com/us-16/briefings/schedule/#heist-http-encrypted-information-can-be-stolen-through-tcp-windows-3379) (TCP window trick, JavaScript, timing + HTTP compression)

State machine errors

* [SMACK](https://mitls.org/pages/attacks/SMACK), SkipTLS
* [FREAK](https://censys.io/blog/freak)
* [CCS Injection](http://ccsinjection.lepidum.co.jp/)

HTTP/HTTPS related

* [SSL Stripping](https://moxie.org/software/sslstrip/)
* Insecure redirects (e.g. https:// -> http://www. -> https://www.)

Parsing and validation logic issues

* [Heartbleed](http://heartbleed.com/)
* [STARTTLS command injection](https://www.kb.cert.org/vuls/id/555316/)
* Version intolerance, large handshake intolerance, middlebox breakage, ...
* [Frankencerts](https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf#page=11)
* [goto fail](https://www.imperialviolet.org/2014/02/22/applebug.html)

Side channels

* [Timing side channel](https://users.ece.cmu.edu/~dbrumley/pdf/Brumley,%20Boneh_2003_Remote%20timing%20attacks%20are%20practical.pdf) allowing remote key recovery (Brumley and Boneh, 2003)
* Timing side channels against symmetric ciphers ([AES](https://cr.yp.to/antiforgery/cachetiming-20050414.pdf))
* [Timing side channel](https://eprint.iacr.org/2011/232) allowing remote key recovery (Brumley and Tuveri, 2011)
* CPU cache side channels allowing private key recovery across processes/VMs ([PortSmash (ECDSA and DSA keys)](https://eprint.iacr.org/2018/1060), [CVE-2018-0737 (RSA keys)](https://www.openssl.org/news/secadv/20180416.txt))

Others

* [Insecure Renegotiation](https://tools.ietf.org/html/rfc5746)
* [Triple Handshake](https://www.mitls.org/pages/attacks/3SHAKE)
* [Virtual Host Confusion](https://bh.ht.vc/vhost_confusion.pdf)
* [Cookie cutter](https://hal.inria.fr/hal-01102259/file/triple-handshakes-and-cookie-cutters-oakland14.pdf)
* [SLOTH](https://www.mitls.org/pages/attacks/SLOTH)
* Carry propagation bugs / math bugs (can cause the RSA-CRT bug, [Squeezing a key through a carry bit](https://www.youtube.com/watch?v=HaUtPd-x7VM))