Downgrade attack
{{Short description|Cryptographic attack that forces the use of weaker or no encryption}}
{{Use American English|date=September 2022}}
{{Use dmy dates|date=September 2022}}
{{more citations needed|date=September 2016}}
A downgrade attack, also called a bidding-down attack,{{cite web |title=Security Implications of 5G Networks |url=https://cltc.berkeley.edu/wp-content/uploads/2020/09/Security_Implications_5G.pdf |website=U C Berkeley Center for Long-Term Cybersecurity |access-date=24 November 2021}} or version rollback attack, is a form of cryptographic attack on a computer system or communications protocol that makes it abandon a high-quality mode of operation (e.g. an encrypted connection) in favor of an older, lower-quality mode of operation (e.g. cleartext) that is typically provided for backward compatibility with older systems.{{Cite web|url=https://www.oxfordreference.com/view/10.1093/oi/authority.20110803115542705|title=Version rollback attack}} An example of such a flaw was found in OpenSSL that allowed the attacker to negotiate the use of a lower version of TLS between the client and server.{{Cite web|url = https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack|title = Man-in-the-Middle TLS Protocol Downgrade Attack|last = Praetorian|website = Praetorian|date = 19 August 2014|language = en-US|access-date = 13 April 2016}} This is one of the most common types of downgrade attacks. Opportunistic encryption protocols such as STARTTLS are generally vulnerable to downgrade attacks, as they, by design, fall back to unencrypted communication. Websites which rely on redirects from unencrypted HTTP to encrypted HTTPS can also be vulnerable to downgrade attacks (e.g., sslstrip), as the initial redirect is not protected by encryption.{{Cite web |last=Mutton |first=Paul |date=2016-03-17 |title=95% of HTTPS servers vulnerable to trivial MITM attacks {{!}} Netcraft |url=https://www.netcraft.com/blog/95-of-https-servers-vulnerable-to-trivial-mitm-attacks/ |access-date=2023-12-11 |website=www.netcraft.com |language=en-US}}
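The STARTTLS fallback described above, as an added example that is not part of the article: a small offline simulation of an SMTP client reading a server's EHLO capability list. The server name, the capability lines and the tampered copy (what the client would see if an on-path attacker removed the STARTTLS advertisement) are all constructed here; the only design point is the client's policy, which decides whether a missing STARTTLS line silently becomes a cleartext session or a refused connection.

```python
"""Constructed simulation of an opportunistic-encryption (STARTTLS) downgrade.

Added example, not from the article. No network is used: the server's EHLO
response and the tampered variant are constructed literals.
"""


class DowngradeRefused(Exception):
    """Raised when the client's policy requires TLS and the peer did not offer it."""


# Constructed EHLO response of a hypothetical mail server that supports STARTTLS.
EHLO_HONEST = [
    "250-mail.example.test",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250 OK",
]

# The same response as it would reach the client through an on-path attacker
# that dropped the STARTTLS line (constructed; the "dropping" method).
EHLO_TAMPERED = [
    "250-mail.example.test",
    "250-SIZE 10240000",
    "250 OK",
]


def capabilities(ehlo_lines):
    """Extract the capability keywords from "250-KEYWORD ..." / "250 KEYWORD" lines."""
    caps = set()
    for line in ehlo_lines:
        if len(line) < 4 or not line[:3].isdigit():
            continue
        rest = line[4:].strip()
        if rest:
            caps.add(rest.split()[0].upper())
    return caps


def negotiate(ehlo_lines, policy):
    """Return the transport the client ends up using.

    policy 'opportunistic': use TLS if offered, otherwise continue in cleartext
        (the design the article describes as vulnerable by construction).
    policy 'required': refuse to proceed without TLS, so a stripped
        advertisement turns into a visible failure instead of a silent downgrade.
    """
    if "STARTTLS" in capabilities(ehlo_lines):
        return "tls"
    if policy == "opportunistic":
        return "plaintext"
    if policy == "required":
        raise DowngradeRefused("peer did not offer STARTTLS; refusing to send in the clear")
    raise ValueError(f"unknown policy {policy!r}")


def outcome(ehlo_lines, policy):
    """Same as negotiate(), but reports a refusal as a string for easy comparison."""
    try:
        return negotiate(ehlo_lines, policy)
    except DowngradeRefused:
        return "refused"


if __name__ == "__main__":
    for name, lines in (("honest", EHLO_HONEST), ("tampered", EHLO_TAMPERED)):
        for policy in ("opportunistic", "required"):
            print(f"{name:9} {policy:13} -> {outcome(lines, policy)}")
```

The tampered run is the whole point: the opportunistic client reports `plaintext` and carries on, while the required client reports `refused`. Which policy a real mail client can afford depends on whether it has prior knowledge that the peer supports TLS; that is what the "prior knowledge" proposals discussed later in the article (and, for SMTP, mechanisms such as MTA-STS, RFC 8461) supply.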
== Attack ==
Downgrade attacks are often implemented as part of a man-in-the-middle (MITM) attack, and may be used as a way of enabling a cryptographic attack that might not be possible otherwise.{{Cite web |title=Downgrade attack |url=https://encyclopedia.kaspersky.com/glossary/downgrade-attack/ |access-date=2023-09-05 |website=encyclopedia.kaspersky.com}} Downgrade attacks have been a consistent problem with the SSL/TLS family of protocols; examples of such attacks include the POODLE attack.
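The version-downgrade pattern behind POODLE, as an added example that is not part of the article: an offline simulation of a TLS client that retries with a lower protocol version whenever a handshake gets no answer (the "fallback dance" older browsers performed), next to the standard countermeasure from RFC 7507, the TLS_FALLBACK_SCSV signalling cipher suite. The version constants and the SCSV value are the real ones; the cipher suite placeholder, the `drop_above` network model and the function names are constructed for this example.

```python
"""Constructed simulation of TLS version fallback with and without
TLS_FALLBACK_SCSV (RFC 7507). Added example, not from the article."""

# Real TLS protocol version numbers and the real SCSV value (RFC 7507).
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600
NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}

# Order in which the simulated client tries versions (highest first).
CLIENT_VERSIONS = [TLS12, TLS11, TLS10]
PLACEHOLDER_SUITE = 0x009C  # stands in for the client's ordinary cipher suite list


class HandshakeFailure(Exception):
    """No version was accepted."""


class InappropriateFallback(Exception):
    """The server's inappropriate_fallback alert (RFC 7507 section 3)."""


def server_hello(server_max, client_version, cipher_suites):
    """Server side of version negotiation.

    If the client signals that this ClientHello is a fallback retry (SCSV present)
    but the server could have spoken a higher version than the one offered, the
    server knows the earlier, better handshake was interfered with and refuses.
    """
    if TLS_FALLBACK_SCSV in cipher_suites and server_max > client_version:
        raise InappropriateFallback(
            f"fallback to {NAMES[client_version]} although {NAMES[server_max]} is supported"
        )
    return min(server_max, client_version)


def client_connect(server_max, drop_above, send_scsv):
    """Client with a fallback retry loop.

    drop_above: constructed network model. ClientHellos offering a version
        above this value get no answer (as an on-path attacker would arrange);
        TLS12 means no interference. The client treats silence as a reason to
        retry with the next-lower version.
    send_scsv: whether retries carry TLS_FALLBACK_SCSV.
    """
    for attempt, version in enumerate(CLIENT_VERSIONS):
        suites = [PLACEHOLDER_SUITE]
        if attempt > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        if version > drop_above:
            continue  # handshake dropped; fall back to the next version
        return server_hello(server_max, version, suites)
    raise HandshakeFailure("no protocol version accepted")


def outcome(server_max, drop_above, send_scsv):
    """Human-readable result of one connection attempt."""
    try:
        return NAMES[client_connect(server_max, drop_above, send_scsv)]
    except InappropriateFallback:
        return "refused: inappropriate_fallback"
    except HandshakeFailure:
        return "failed"


if __name__ == "__main__":
    print("no interference, no SCSV :", outcome(TLS12, TLS12, False))
    print("interference, no SCSV    :", outcome(TLS12, TLS10, False))
    print("interference, with SCSV  :", outcome(TLS12, TLS10, True))
    print("old server, with SCSV    :", outcome(TLS10, TLS12, True))
```

The second line is the attack: a TLS 1.2-capable pair ends up on TLS 1.0 because the client treated dropped handshakes as incompatibility. The third line shows the fix turning the same interference into a refused connection, and the fourth shows why the SCSV does not break genuinely old servers: a server whose maximum is TLS 1.0 sees no contradiction and the handshake succeeds. TLS 1.3 replaces this mechanism with downgrade-protection sentinel bytes in the server random (RFC 8446 section 4.1.3), which the simulation does not model.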
Downgrade attacks in the TLS protocol take many forms.
{{cite conference
| title = What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS
| author = Alashwali, E. S. and Rasmussen, K.
| year = 2018
| conference = 4th Int. Workshop on Applications and Techniques in Cyber Security (ATCS) co-located with 14th Int. Conf. in Security and Privacy in Communication Networks (SecureComm)
| publisher = Springer
| pages = 469–487
| arxiv = 1809.05681
}}
Researchers have classified downgrade attacks with respect to four different vectors, which together represent a framework for reasoning about downgrade attacks, as follows:
{{cite conference
| title = What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS
| author = Alashwali, E. S. and Rasmussen, K.
| year = 2018
| conference = 4th Int. Workshop on Applications and Techniques in Cyber Security (ATCS) co-located with 14th Int. Conf. in Security and Privacy in Communication Networks (SecureComm)
| publisher = Springer
| pages = 469–487
| arxiv = 1809.05681
}}
{{ordered list
| The protocol element that is targeted {{unordered list
| Algorithm
| Version
| Layer
}}
| The type of vulnerability that enables the attack {{unordered list
| Implementation
| Design
| Trust-model
}}
| The attack method {{unordered list
| Dropping
| Modification
| Injection
}}
| The level of damage that the attack causes {{unordered list
| Broken Security
| Weakened Security
}}
}}
There are some recent proposals
{{cite conference
| title = On the Feasibility of Fine-Grained TLS Security Configurations in Web Browsers Based on the Requested Domain Name
| author = Alashwali, E. S. and Rasmussen, K.
| year = 2018
| conference = 14th Int. Conf. in Security and Privacy in Communication Networks (SecureComm)
| publisher = Springer
| pages = 213–228
| arxiv = 1809.05686
}}
{{cite conference
| title = DSTC: DNS-based Strict TLS Configurations
| author = Alashwali, E. S. and Szalachowski, P.
| year = 2018
| conference = 13th Int. Conf. on Risks and Security of Internet and Systems (CRISIS)
| publisher = Springer
| arxiv = 1809.05674
}}
that exploit the concept of prior knowledge to enable TLS clients (e.g. web browsers) to protect sensitive domain names against certain types of downgrade attacks that exploit the clients' support for legacy versions or non-recommended ciphersuites (e.g. those that do not support forward secrecy or authenticated encryption) such as the POODLE, ClientHello fragmentation,{{cite web
| url = https://ldapwiki.com/wiki/ClientHello
| author = ldapwiki
| title = ClientHello
| access-date = 30 January 2019
| archive-date = 17 March 2020
| archive-url = https://web.archive.org/web/20200317194703/https://ldapwiki.com/wiki/ClientHello
| url-status = dead
}}
{{cite conference
| url = https://hal.inria.fr/hal-01295035/document
| title = FLEXTLS: A Tool for Testing TLS Implementations
| author = Beurdouche, B., Delignat-Lavaud, A., Kobeissi, N., Pironti, A., Bhargavan, K.
| year = 2015
| conference = 9th USENIX Workshop on Offensive Technologies (WOOT 15)
| publisher = USENIX
| access-date = 30 January 2019
}}
and a variant of the DROWN (aka "the special drown") downgrade attacks.{{Clarify|date=June 2021}}
Removing backward compatibility is often the only way to prevent downgrade attacks. However, sometimes the client and server can recognize each other as up-to-date in a manner that prevents them. For example, if a Web server and user agent both implement HTTP Strict Transport Security and the user agent knows this of the server (either by having previously accessed it over HTTPS, or because it is on an "HSTS preload list"{{cite web
| url = https://www.chromium.org/sts
| author = Adam Langley
| title = Strict Transport Security
| work = The Chromium Projects
| date = 8 July 2010
| access-date = 22 July 2010
}}{{cite web
| url = https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
| author = David Keeler
| title = Preloading HSTS
| date = 1 November 2012
| access-date = 6 February 2014
| work = Mozilla Security Blog
}}{{cite web | url= http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx | title = HTTP Strict Transport Security comes to Internet Explorer | access-date=16 February 2015 |author1=Bell, Mike |author2=Walp, David | date=16 February 2015}}), then the user agent will refuse to access the site over vanilla HTTP, even if a malicious router represents it and the server to each other as not being HTTPS-capable.
== See also ==
== References ==
{{Reflist}}
{{Portal bar|Internet}}
[[Category:Backward compatibility]]
[[Category:Computer network security]]
[[Category:Cryptographic attacks]]