Crashtest Security Blog

Who likes the ROBOT?

Dec 16, 2017 8:27:00 AM / by Janosch Maier

We don't...

The standard for encrypting web traffic just got a new famous vulnerability. In fact, the vulnerability is nothing really new: it is a flaw from 1998 that has reappeared. The original vulnerability was found by cryptographer Daniel Bleichenbacher, so the new version is called "Return of Bleichenbacher's Padding Oracle", or ROBOT for short.


The root of the vulnerability is that the server's RSA decryption stops at different points of its execution depending on which error condition it hits, so its responses reveal something about the padding of a chosen ciphertext. An attacker can exploit this by crafting specific requests. With many such requests, he can decrypt traffic sent to and from the website.
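As an added illustration that is not code from the original post: the server-side pattern that creates such an oracle (every padding check aborts separately with its own error) next to the uniform handling that closes it, where every check runs and any failure is replaced by a random premaster secret. The modulus size `k` and the padded block used in the comments are constructed values.

```python
import secrets

PMS_LEN = 48  # TLS premaster secret length (RFC 5246)


def unpad_leaky(em: bytes, k: int) -> bytes:
    """Vulnerable pattern: each PKCS#1 v1.5 check aborts on its own, with its
    own error, so server behaviour differs by which condition failed."""
    if len(em) != k or em[0] != 0x00:
        raise ValueError("bad leading byte")
    if em[1] != 0x02:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep < 10:
        raise ValueError("padding string too short")
    if len(em) - sep - 1 != PMS_LEN:
        raise ValueError("bad premaster secret length")
    return em[sep + 1:]


def _ct_eq(a: int, b: int) -> int:
    """1 if a == b else 0, computed arithmetically (no data-dependent branch)."""
    d = a ^ b
    return ((d - 1) >> 32) & 1


def unpad_uniform(em: bytes, k: int) -> bytes:
    """Hardened pattern (RFC 5246 section 7.4.7.1): run every check, combine
    the results without early exit, and on any failure substitute a random
    premaster secret so the handshake fails later in one uniform way.
    Python cannot promise constant time; the point is the uniform control flow."""
    fallback = secrets.token_bytes(PMS_LEN)
    if len(em) != k:            # k is the public modulus size, safe to branch on
        return fallback
    ok = _ct_eq(em[0], 0x00) & _ct_eq(em[1], 0x02)
    sep, found = 0, 0
    for i in range(2, k):       # locate the first 0x00 after the header, scanning all bytes
        hit = _ct_eq(em[i], 0x00) & (1 - found)
        sep += i * hit
        found |= hit
    # separator must sit exactly where a 48-byte secret begins (>= 8 padding bytes for k >= 59)
    ok &= found & _ct_eq(sep, k - PMS_LEN - 1)
    mask = -ok & 0xFF           # 0xFF when all checks passed, 0x00 otherwise
    return bytes((p & mask) | (f & (mask ^ 0xFF))
                 for p, f in zip(em[k - PMS_LEN:], fallback))
```

With a constructed 64-byte block `b"\x00\x02" + 13 non-zero bytes + b"\x00" + 48-byte secret`, both functions return the secret; flip the block type to 0x01 and the leaky version reports "bad block type" while the uniform version silently returns 48 random bytes.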

To keep you safe, we have already updated our scanners. Effective immediately, the dashboard will show you whether you are vulnerable. If you have not yet tested whether you are vulnerable to ROBOT (and dozens of other vulnerabilities), help yourself and get a free account at https://www.crashtest.cloud



Written by Janosch Maier

Co-Founder @ Crashtest Security. I write and give workshops regarding Web Security