posted by n1 on Wednesday October 21 2015, @07:46PM
from the what-are-you,-hourly? dept.

Just recently, I moved my personal website to HTTPS, making sure to use a secure 2048-bit RSA key and TLS 1.2, and guarding against vulnerabilities such as POODLE and Logjam. It took some work, but not that much work, even for doing the research. Yet there are some people who just don't care.

Due to a new technique, 512-bit keys are now completely vulnerable for as little as $75.

The technique, which uses Amazon's EC2 cloud computing service, is described in a paper published last week titled Factoring as a Service.

[...] The researchers concluded that despite widespread awareness that 512-bit keys are highly susceptible to breaking, the message still hasn't adequately sunk in with many administrators. The researchers wrote:

512-bit RSA has been known to be insecure for at least fifteen years, but common knowledge of precisely how insecure has perhaps not kept pace with modern technology. We build a system capable of factoring a 512-bit RSA key reliably in under four hours. We then measure the impact of such a system by surveying the incidence of 512-bit RSA in our modern cryptographic infrastructure, and find a long tail of too-short public keys and export-grade cipher suites still in use in the wild. These numbers illustrate the challenges of keeping an aging Internet infrastructure up to date with even decades-old advances in cryptanalysis.

The article reports finding a significant number of sites that are still using 512-bit RSA keys to protect HTTPS, DNSSEC, ssh, e-mail (SMTP, POP3, and IMAP), and other services.


  • (Score: 2) by VLM (445) on Wednesday October 21 2015, @08:23PM (#252904)

    A lot of debate about the definition of "completely broken".

    Try to write an exploit for a TLS connection where factoring a 512 bit key takes 4 hours. That will be a very patient user who clicks on a link and waits for hours for your MITM to F with them.

    There are a lot of cool things you can do with crypto. Keep stuff secret for all eternity with a 4096 bit key, well, maybe not a 512 bit key, only a couple hours. Then again there are plenty of applications where data only has to be kept secret for 4 hours so it doesn't matter.

    On the target side, a couple hundred DNSSEC domains almost smells honey-pot-ish. I'm not sure DNSSEC is useful anyway. If the NSA and ten other world governments pown all endpoints, what's the point of securing traffic in between... And the point of DNSSEC is to make it a waste of time for ISPs to DNS-jack their users, so a success rate of 100% or 99.9999% isn't going to matter or suddenly make DNS-jacking a financially valid business plan for ISPs to screw their customers. Especially because if they implement DNS jacking for advertising, the few 512 bit sites will fix that in about ten minutes. DNSSEC isn't an active security system, it's more like strategic deterrence, like MAD-strategy for nuke bombs.

    It's about the same with HTTP. Sure about 1% of sites are vulnerable but the .gov of the world already own both sides of all conversations so they don't care, and ISPs wanting to ad inject aren't financially viable at 0.4% vulnerability or whatever.

    A strategic deterrent that works half the time is fine. Sure go ahead and attack us by MITM injecting ads and stuff, LOL, half the internet will stop working and half your customers will simultaneously call and start complaining. You can't pown that strategic deterrent by failing 0.04% of the time due to weird misconfiguration.

    It all boils down to who EXACTLY is your threat model, and how do you realistically think this would help?

    The one situation where people are in fact totally screwed is you have classified data on a thumb drive encrypted with a 512 bit key and you lose the drive, well, now you're totally screwed, unlike if you had used 4096 bits or whatever. But that's exactly what the article isn't talking about.

    I suspect a significant fraction of the 512 bit transport layer users are misconfigurations or they got powned by someone to intentionally reconfigure weakly because they want in or intentionally misconfigured to manufacture a scandal or fall guy, but some fraction are pure honeypots and those would be fascinating to study. There's only a couple hundred vulnerable keys to research in detail...

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday October 21 2015, @08:29PM (#252905)

    Unless they are using a new key with every connection (i.e. perfect forward secrecy), the attacker simply needs to start factoring at least 4 hours before the user uses the service.

    • (Score: 2) by VLM (445) on Wednesday October 21 2015, @08:44PM (#252913)

      That is true, AC, and as you'd expect it's possible to configure TLS to not use PFS, and as you'd expect a fraction of admins fail (about 20% last I heard).

      If you do Diffie Hellman right, it'll work. And as you'd expect it's possible to do it wrong; given a yes/no security option about half of noobs guess wrong, etc.

      There's a hell of a good book titled "Bulletproof SSL and TLS" that is officially VLM recommended that is a touch dry but goes into more detail than I can remember on this general topic.

      Also see: (same guy, this is kind of like a BGP looking glass for TLS/SSL... type in a domain, learn all about it)

      https://www.ssllabs.com/ [ssllabs.com]

      • (Score: 3, Informative) by VLM (445) on Wednesday October 21 2015, @08:57PM (#252917)

        Whoops forgot to add this entertaining link (as you could guess I would do):

        https://www.ssllabs.com/ssltest/analyze.html?d=soylentnews.org&latest [ssllabs.com]

        Nice job, guys: "A" grades on both ipv4 and ipv6.

        You guys properly listed ECDHE and DHE first before the others so if the client supports PFS, they'll preferentially get PFS. Nice job removing RC4 too.

        I've been around and I've seen a lot of F'ed up stuff in my days, worse than goatse even, and I'm not just kissing up to the ops by telling other people that SN is one of the best technically admined sites on the internet.

  • (Score: 2) by darkfeline (1030) on Thursday October 22 2015, @02:07AM (#253046)

    No, it's four hours, one time, to compromise every single user of that site, forever, until the site makes and installs a new certificate.

    I think that qualifies as "completely broken".

    --
    Join the SDF Public Access UNIX System today!
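The thread keeps circling one question: whether a key factored in four hours breaks "every single user, forever" (darkfeline) or only connections an attacker is live for (VLM), with the AC's answer being that it depends on forward secrecy. The toy model below is an added example, not code from the article, the paper or any commenter. It records an RSA-key-exchange handshake and a DHE handshake, then hands an offline attacker the server's private key (standing in for a factored 512-bit key) together with the recordings. The RSA primes, the DH group, the textbook (unpadded) RSA and the function names are all constructed here for illustration; the parameters are deliberately far too small to be secure, and `pow(e, -1, phi)` needs Python 3.8 or later.

```python
"""Toy model of what a factored RSA key buys against recorded traffic.

Constructed example with deliberately tiny, insecure parameters (an
illustration, not the article's or the thread's code). Two handshakes are
recorded, then the server's RSA private key "leaks" (standing in for a key
factored months later) and an offline attacker replays the recordings.
"""
import hashlib
import secrets

# Constructed toy parameters: a real key is 2048+ bits, a real group far larger.
P, Q = 104729, 1299709             # small primes standing in for the RSA factors
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
SERVER_PUB = (N, E)
SERVER_PRIV = (N, D)

DH_P = 2**127 - 1                  # toy DH modulus (a Mersenne prime)
DH_G = 3                           # toy base


def _digest_int(value: int) -> int:
    """SHA-256 of an integer, as an integer (toy stand-in for hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(value.to_bytes(64, "big")).digest(), "big")


def kdf(secret: int) -> bytes:
    """Derive a 128-bit session key from the shared integer secret."""
    return hashlib.sha256(secret.to_bytes(64, "big")).digest()[:16]


def rsa_handshake():
    """TLS_RSA-style exchange: the client encrypts a premaster secret to the
    server's long-term key. Returns (client_key, server_key, transcript),
    where transcript is exactly what a passive eavesdropper records."""
    n, e = SERVER_PUB
    premaster = secrets.randbelow(n - 2) + 2
    encrypted = pow(premaster, e, n)               # textbook RSA, no padding (toy)
    server_premaster = pow(encrypted, SERVER_PRIV[1], n)
    transcript = {"kx": "RSA", "encrypted_premaster": encrypted}
    return kdf(premaster), kdf(server_premaster), transcript


def dhe_handshake():
    """DHE_RSA-style exchange: a fresh DH share per connection; the long-term
    RSA key only signs the server's share. Same return shape as above."""
    n, d = SERVER_PRIV
    x = secrets.randbelow(DH_P - 2) + 1            # server's ephemeral secret
    gx = pow(DH_G, x, DH_P)
    signature = pow(_digest_int(gx) % n, d, n)     # toy signature, no padding
    # Client checks the signature against the server's long-term public key.
    if pow(signature, E, n) != _digest_int(gx) % n:
        raise ValueError("bad server signature")
    y = secrets.randbelow(DH_P - 2) + 1            # client's ephemeral secret
    gy = pow(DH_G, y, DH_P)
    transcript = {"kx": "DHE", "server_share": gx, "signature": signature,
                  "client_share": gy}
    return kdf(pow(gx, y, DH_P)), kdf(pow(gy, x, DH_P)), transcript


def offline_attacker(transcript, leaked_priv):
    """Attacker holding the (factored) private key and a recorded handshake.
    Returns the session key if the recording can be decrypted, else None."""
    n, d = leaked_priv
    if transcript["kx"] == "RSA":
        # Every recording made under this certificate, past or future, falls:
        # decrypt the premaster and rederive the session key.
        return kdf(pow(transcript["encrypted_premaster"], d, n))
    # DHE: the recording holds g^x and g^y. The leaked RSA key only lets the
    # attacker re-verify (or, while a handshake is live, forge) the signature;
    # the session secret g^xy still needs a discrete log, which the RSA key
    # does nothing to help with. (This toy group is far too small to rely on;
    # the point is only that the factored key adds nothing.)
    return None


def demo():
    """Record one handshake of each kind, then leak the key and replay."""
    rsa_client, rsa_server, rsa_record = rsa_handshake()
    dhe_client, dhe_server, dhe_record = dhe_handshake()
    if rsa_client != rsa_server or dhe_client != dhe_server:
        raise RuntimeError("handshake parties disagree on the session key")
    return {
        "rsa_session_recovered": offline_attacker(rsa_record, SERVER_PRIV) == rsa_client,
        "dhe_session_recovered": offline_attacker(dhe_record, SERVER_PRIV) == dhe_client,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the RSA-key-exchange session as recovered and the DHE session as not: with the static exchange, one factoring job decrypts every recording made under that certificate until it is replaced, which is darkfeline's reading; with ephemeral Diffie-Hellman first in the server's preference list (what the SSL Labs check of this site confirmed), the factored key only helps an attacker who is on the wire during the handshake, which is VLM's "patient user" case.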