TLS Protocol 1.2 Vulnerable to Raccoon Attack

Recently, a team of researchers discovered a vulnerability with all versions of the SSL and TLS 1.2 and prior protocols with the exception of TLS 1.3. The vulnerability is called Raccoon and the researchers have provided this paper on their analysis and their conclusions for the broader lessons on cryptographic protocols.

Raccoon exploits a timing vulnerability in the impacted TLS and SSL protocols that could allow an attacker to break the encryption and read sensitive client/server communications such as passwords and credit card numbers. Since a server’s private key is not vulnerable to Raccoon, TLS certificates do not need to be reissued.

The root cause is that TLS/SSL standards allow non-constant-time processing of the Diffie-Helman (DH) secret. The issue is the resulting premaster secret used as an input into the key derivation function, which is based on hash functions with different timing profiles. Precise timing measurements may enable an attacker to construct a message from a TLS server. The attack details can be reviewed in the researcher’s paper.

Fortunately, Raccoon has some constraints, which make it hard to exploit. In order for a Racoon attack to take place, the following parameters must be in use:

• TLS 1.2 or prior
• Cipher suite must use DH or DHE
• Server must use static DH cipher suites OR the server uses DHE and reuses ephemeral keys for multiple connections
• The attacker must be close to the target server to perform high precision timing measurements

What Can a Server Administrator Do?

First, test your server with Entrust SSL Server Test to see if it may be vulnerable to a Raccoon attack. There may be an issue if “DH public server param (Ys) reuse” says “yes”. If this is the case, drop support for DH and DHE cipher suites. This will also help to ensure that your server will support Forward Secrecy which mitigates pervasive surveillance.

You should also limit the TLS and SSL protocols supported in your environment. In 2018, I published this browsers are deprecating TLS 1.0 and 1.1. Also note that all versions of SSL have already been deprecated. As a result, in order to get maximum browser support, you should only support TLS 1.2 and 1.3.

Unfortunately, although widely used, TLS 1.2 is over 12 years old and is now vulnerable to attacks including: POODLE, GOLDENDOODLE and now Raccoon. Note that the Entrust SSL Server Test will also indicate whether you are vulnerable to POODLE and GOLDENDOODLE. Here’s the good news: The TLS ecosystem can help you mitigate a Raccoon attack, and even better, more than 50 percent of servers support TLS 1.3. I highly recommend you ensure your servers support TLS 1.3.

What Can a Browser User Do?

Nothing, other than to continue to use your modern browser which supports TLS 1.3 and does not support DH and DHE cipher suites.