Facebook, PayPal and other popular websites are at risk from a cryptography flaw in the transport layer security (TLS) protocol that could enable attackers to decrypt communications and traffic.
The flaw goes back almost two decades to 1998 when cryptographer Daniel Bleichenbacher discovered a weakness in how the public key cryptography standard (PKCS ) 1.15, used with TLS, handles error messages.
Bleichenbacher found that padding in the error messages for PKCS 1.15 allowed for an arbitrary ciphertext attack.
Now European researchers have devised a minor variant of the older attack that they have named the Return of Bleichenbacher's Oracle Threat (ROBOT).
This attack "fully breaks the confidentiality of TLS when used with RSA encryption", researchers Hanno Böck, Jurau Somorovsky and Craig Young wrote.
As a proof of concept, they were able to exploit the vulnerability to sign a test message with Facebook's private encryption key.
"For hosts that are vulnerable and only support RSA encryption key exchanges it's pretty bad. It means an attacker can passively record traffic and later decrypt it," Böck, Somorovsky and Young said.
So far, Cisco, Citrix, F5, Radware, and API library Bouncy Castle have patched for the vulnerability, with Oracle, Erlang, WolfSSL, and MatrixSSL also issuing updates.
Even perfect forward secrecy - which protects against decryption of past communications if future keys are compromised - might not protect against a ROBOT attack, the trio said.
Hosts that continue to support the vulnerable RSA encryption may be still be at risk if an attacker can act quickly by impersonating servers or being in a man-in-the-middle position to intercept traffic - such a scenario is possible but "more challenging", the security researchers said.
They recommended disabling RSA encryption to mitigate the attack.
"ROBOT only affects TLS cipher modes that use RSA encryption," the trio said.
"Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures.
"We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.
"By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack."
