19-Year-Old TLS Vulnerability Weakens Modern Website Crypto

New research shows how an old vulnerability called ROBOT can be exploited using an adaptive chosen-ciphertext attack to reveal the plaintext for a given TLS session.

A vulnerability called ROBOT, first identified in 1998, has resurfaced. Impacted are leading websites ranging from Facebook to Paypal, which are vulnerable to attackers that could decrypt encrypted data and sign communications using the sites’ own private encryption key.

The vulnerability is found in the transport layer security protocol used for Web encryption. A successful attack could allow an attacker to passively record traffic and later decrypt it or open the door for a man-in-the-middle attack, according to researchers.

ROBOT, which stands for Return Of Bleichenbacher’s Oracle Threat, was named after Daniel Bleichenbacher, the researcher who originally discovered it almost two decades ago. The version of ROBOT discovered recently was through Facebook’s bug bounty program, which paid an undisclosed reward to researchers Hanno Böck, Juraj Somorovsky and Craig Young who published their findings Tuesday.

The vulnerability is tied to the TLS protocol and a flaw in the algorithm that handles RSA encryption keys. The attack involves using specially crafted queries designed to generate errors on TLS servers that use RSA encryption to protect communications between a user’s browser and a website.

The attack involves sending crafted queries that generate “yes” or “no” answers in a type of brute-force guessing attack. Using this technique, called an adaptive chosen-ciphertext attack, over time can force the TLS server to reveal the session key. That allows an attacker to then decrypt HTTPS traffic sent between the TLS server and the user’s browser.

This is same technique used to exploit Bleichenbacher’s ROBOT vulnerability in 1998.

“In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption,” researchers wrote. “We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today’s Internet.”

The original ROBOT patch did not include replacing the insecure RSA algorithm; rather the TLS standard was modified to make brute-force guessing exponentially harder.

“After Bleichenbacher’s original attack the designers of TLS decided that the best course of action was to keep the vulnerable encryption modes and add countermeasures. Later research showed that these countermeasures were incomplete leading the TLS designers to add more complicated countermeasures,” researchers wrote. “The section on Bleichenbacher countermeasures in the latest TLS 1.2 standard ( is incredibly complex. It is not surprising that these workarounds aren’t implemented correctly.”

Since the original ROBOT patch, variations of the vulnerability have surfaced. In March 2016, a TLS vulnerability related to ROBOT called DROWN exposes 33 percent of HTTPS connections to attack.

What researchers revealed on Tuesday was that a number of vendors failed to properly implement countermeasures used to protect against attacks that take advantage of the ROBOT vulnerability.

“We have identified vulnerable implementations from at least seven vendors including F5, Citrix, and Cisco,” researchers wrote. “Some of the most popular webpages on the Internet were affected, including Facebook and Paypal. In total, we found vulnerable subdomains on 27 of the top 100 domains as ranked by Alexa.”

The United States Computer Emergency Readiness Team issued a security bulletin on the vulnerability Tuesday and lists eight vendors affected.

On Tuesday, Cisco issued an advisory for the vulnerability it rated as medium. It said multiple Cisco products are affected such as the Cisco ACE 4710 Application Control Engine Appliance and the Cisco ACE30 Application Control Engine Module.

Facebook and Paypal each issued patches in October.

Researchers offer of number of stopgap mitigation solutions in its research along with offering a testing tool for public HTTPS servers, as well as a Python tool to test for the vulnerability.

Suggested articles