www.htmlyse.com - Home

Test DNS, SSL/TLS, HTTP and HTML

Test results for robotattack.org

Scanned on: Tue Oct 9 06:57:22 2018 GMT. Tested in 121 seconds

DNS Report

DNSSEC                 not offered
Zone transfer (AXFR)   not allowed (OK)
CAA Record             offered (OK)
SPF Record             offered (OK)
DMARC Record           not offered
MTA-STS                not offered
TLSRPT Record          not offered

Raw DNS Records

Name TTL Type Data
robotattack.org 3600 SOA ns1.schokokeks-dns.de hostmaster @ schokokeks.org 2018100700 36000 3600 1209600 3600
robotattack.org 3600 NS ns1.schokokeks-dns.de, IPv4: 178.63.68.96, IPv6: 2a01:4f8:121:1ffe:1:0:0:2
robotattack.org 3600 NS ns2.schokokeks-dns.de, IPv4: 94.130.248.104, IPv6: 2a01:4f8:13b:1907:1:0:0:2
robotattack.org 3600 NS ns3.schokokeks-dns.de, IPv4: 37.120.167.100
robotattack.org 3600 A 178.63.68.96
robotattack.org 3600 AAAA 2a01:4f8:121:1ffe:1:1749:0:1467
robotattack.org 3600 CAA 0 issue letsencrypt.org
robotattack.org 3600 MX 100 zucker.schokokeks.org
robotattack.org 3600 TXT v=spf1 a mx include:_spf.schokokeks-dns.de -all
www.robotattack.org 3600 A 178.63.68.96
www.robotattack.org 3600 AAAA 2a01:4f8:121:1ffe:1:1749:0:1467

SSL/TLS Report

 Further IP addresses:   2a01:4f8:121:1ffe:1:1749:0:1467 
 A record via            supplied IP "178.63.68.96"
 rDNS (178.63.68.96):    zucker.schokokeks.org.
 Service detected:       HTTP


 SSL/TLS protocols 
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered -- downgraded
 NPN/SPDY   not offered
 ALPN/HTTP2 h2, http/1.1 (offered)

 SSL/TLS server implementation bugs 

 No bugs found.

 Cipher categories 

 NULL ciphers (no encryption)                  not offered (OK) -- NULL:eNULL
 Anonymous NULL Ciphers (no authentication)    not offered (OK) -- aNULL:ADH
 Export ciphers (w/o ADH+NULL)                 not offered (OK) -- EXPORT:!ADH:!NULL
 LOW: 64 Bit + DES encryption (w/o export)     not offered (OK) -- LOW:DES:!ADH:!EXP:!NULL
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK) -- MEDIUM:!aNULL:!AES:!CAMELLIA:!ARIA:!CHACHA20:!3DES
 Triple DES Ciphers (Medium)                   not offered (OK) -- 3DES:!aNULL:!ADH
 High encryption (AES+Camellia, no AEAD)       offered (OK) -- HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!AESGCM:!CamelliaGCM:!AESCCM8:!AESCCM
 Strong encryption (AEAD ciphers)              offered (OK) -- AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM


 Robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 
                              ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA 
                              DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 
                              DHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 
                              ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA 
                              DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 
                              DHE-RSA-AES128-SHA 
 Elliptic curves offered:     prime256v1 secp384r1 


 Server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Cipher order
    TLSv1:     ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA 
               DHE-RSA-AES128-SHA 
    TLSv1.1:   ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA 
               DHE-RSA-AES128-SHA 
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 
               ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 
               ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA 
               DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 
               ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA 


 Server defaults (Server Hello) 

 TLS extensions (standard)    "server name/#0" "renegotiation info/#65281"
                              "EC point formats/#11" "session ticket/#35"
                              "status request/#5"
                              "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint 300 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: yes
 TLS clock skew               Random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints        03318AF875F6987453F1686F2239C3BD84F9 / SHA1 6BB93D29D165AD1C498D93239484183DD9963751
                              SHA256 DB1C44A882BA740B7C7D4D5C599D5E0A06BE2C8094DDF95B3CA402C962F0D2FE
 Common Name (CN)             www.robotattack.org (CN in response to request w/o SNI: zucker.schokokeks.org)
 subjectAltName (SAN)         robotattack.org www.robotattack.org 
 Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
 Trust (hostname)             Ok via SAN (SNI mandatory)
 Chain of trust               Ok   
 EV cert (experimental)       no 
 Certificate Validity (UTC)   85 >= 30 days (2018-10-04 23:03 --> 2019-01-02 22:03)
 # of certificates provided   2
 Certificate Revocation List  --
 OCSP URI                     http://ocsp.int-x3.letsencrypt.org
 OCSP stapling                offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    available - please check for match with "Issuer" above: issue=letsencrypt.org
 Certificate Transparency     yes (certificate extension)


 HTTP header response @ "/" 

 HTTP Status Code             200 OK
 HTTP clock skew              +1 sec from localtime
 Strict Transport Security    730 days=63072000 s, includeSubDomains, preload
 Public Key Pinning           --
 Server banner                Apache
 Application banner           --
 Cookie(s)                    (none issued at "/")
 Security headers             X-XSS-Protection 1; mode=block
                              X-Content-Type-Options nosniff
                              Content-Security-Policy block-all-mixed-content;default-src 'self' https://robotattack.org;
                              Upgrade h2
 Reverse Proxy banner         --


 SSL/TLS vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 ROBOT                                     Server does not support any cipher suites that use RSA key transport
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
                                           Can be ignored for static pages or if no secrets in the page
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=DB1C44A882BA740B7C7D4D5C599D5E0A06BE2C8094DDF95B3CA402C962F0D2FE
                                           could help you to find out
 LOGJAM (CVE-2015-4000), experimental      Common prime with 2048 bits detected: 
                                           RFC3526/Oakley Group 14,
                                           but no DH EXPORT ciphers
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES256-SHA
                                                 DHE-RSA-AES256-SHA
                                                 ECDHE-RSA-AES128-SHA
                                                 DHE-RSA-AES128-SHA 
                                           VULNERABLE -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Tested 364 ciphers, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 384   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 384   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 xc014   ECDHE-RSA-AES256-SHA              ECDH 384   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                
 x6b     DHE-RSA-AES256-SHA256             DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                
 x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 384   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 384   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 xc013   ECDHE-RSA-AES128-SHA              ECDH 384   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                
 x67     DHE-RSA-AES128-SHA256             DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                
 x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   


 Ciphers per protocol, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
TLS 1.3  
TLS 1.2  
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 384   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 384   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 xc014   ECDHE-RSA-AES256-SHA              ECDH 384   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                
 x6b     DHE-RSA-AES256-SHA256             DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                
 x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 384   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 384   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 xc013   ECDHE-RSA-AES128-SHA              ECDH 384   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                
 x67     DHE-RSA-AES128-SHA256             DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                
 x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   
TLS 1.1  
 xc014   ECDHE-RSA-AES256-SHA              ECDH 384   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   
 xc013   ECDHE-RSA-AES128-SHA              ECDH 384   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   
TLS 1  
 xc014   ECDHE-RSA-AES256-SHA              ECDH 384   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   
 xc013   ECDHE-RSA-AES128-SHA              ECDH 384   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   
SSLv3  
SSLv2  

 Client simulations 

 Android 2.3.7                TLSv1.0 DHE-RSA-AES128-SHA, 2048 bit DH
 Android 4.0.4                TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Android 4.1.1                TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Android 4.2.2                TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Android 4.3                  TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Android 4.4.2                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Android 5.0.0                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Android 6.0                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Android 7.0                  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Chrome 27 Win 7              TLSv1.1 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Chrome 28 Win 7              TLSv1.1 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Chrome 29 Win 7              TLSv1.1 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Chrome 30 Win 7              TLSv1.2 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Chrome 31 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 32 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 33 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 34 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 35 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 36 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 37 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 39 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 40 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 42 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 43 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 45 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 47 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 48 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 49 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 49 XP SP3             TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 50 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Chrome 51 Win 7              TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Chrome 57 Win 7              TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Chrome 65 Win 7              TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Firefox 10.0.12 ESR Win 7    TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Firefox 17.0.7 ESR Win 7     TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Firefox 21 Fedora 19         TLSv1.0 DHE-RSA-AES256-SHA, 2048 bit DH
 Firefox 21 Win 7             TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Firefox 22 Win 7             TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Firefox 24.2.0 ESR Win 7     TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Firefox 24 Win 7             TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Firefox 26 Win 8             TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Firefox 27 Win 8             TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 29 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 30 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 31.3.0 ESR Win 7     TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 31 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 32 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 34 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 35 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 37 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 39 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 41 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 42 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 44 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 45 Win 7             TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 46 Win 7             TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 47 Win 7             TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Firefox 49 Win 7             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Firefox 49 XP SP3            TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Firefox 53 Win 7             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Firefox 59 Win 7             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 IE 6 XP                      No connection
 IE 7 Vista                   TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 IE 8-10 Win 7                TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 IE 8 Win 7                   TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 IE 8 XP                      No connection
 IE 9 Win 7                   TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 IE 10 Win Phone 8.0          TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 IE 11 Win 7                  TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit DH
 IE 11 Win 8.1                TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit DH
 IE 11 Win Phone 8.1          TLSv1.2 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 IE 11 Win Phone 8.1 Update   TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit DH
 IE 11 Win 10                 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 IE 11 Win 10 Preview         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Edge 12 Win 10               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Edge 13 Win 10               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Edge 13 Win Phone 10         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Edge 15 Win 10               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Opera 12.15 Win 7            TLSv1.0 DHE-RSA-AES256-SHA, 2048 bit DH
 Opera 15 Win 7               TLSv1.1 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Opera 16 Win 7               TLSv1.1 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Opera 17 Win 7               TLSv1.2 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Safari 5.1.9 OS X 10.6.8     TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Safari 5 iOS 5.1.1           TLSv1.2 ECDHE-RSA-AES256-SHA384, 384 bit ECDH (P-384)
 Safari 6.0.4 OS X 10.8.4     TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Safari 6 iOS 6.0.1           TLSv1.2 ECDHE-RSA-AES256-SHA384, 384 bit ECDH (P-384)
 Safari 7 iOS 7.1             TLSv1.2 ECDHE-RSA-AES256-SHA384, 384 bit ECDH (P-384)
 Safari 7 OS X 10.9           TLSv1.2 ECDHE-RSA-AES256-SHA384, 384 bit ECDH (P-384)
 Safari 8 iOS 8.0 Beta        TLSv1.2 ECDHE-RSA-AES256-SHA384, 384 bit ECDH (P-384)
 Safari 8 iOS 8.4             TLSv1.2 ECDHE-RSA-AES256-SHA384, 384 bit ECDH (P-384)
 Safari 8 OS X 10.10          TLSv1.2 ECDHE-RSA-AES256-SHA384, 384 bit ECDH (P-384)
 Safari 9 iOS 9               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Safari 9 OS X 10.11          TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Safari 10 iOS 10             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Safari 10 OS X 10.12         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Apple ATS 9 iOS 9            TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Tor 17.0.9 Win 7             TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Java 6u45                    No connection
 Java 7u25                    TLSv1.0 ECDHE-RSA-AES128-SHA, 384 bit ECDH (P-384)
 Java 8b132                   TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Java 8u111                   TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Java 8u161                   TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Java 8u31                    TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Java 9.0.4                   TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 OpenSSL 0.9.8y               TLSv1.0 DHE-RSA-AES256-SHA, 2048 bit DH
 OpenSSL 1.0.1h               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 OpenSSL 1.0.1l               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 OpenSSL 1.0.2e               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Baidu Jan 2015               TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 BingBot Dec 2013             TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 BingPreview Dec 2013         TLSv1.0 DHE-RSA-AES256-SHA, 2048 bit DH
 BingPreview Jan 2015         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 BingPreview Jun 2014         TLSv1.0 DHE-RSA-AES256-SHA, 2048 bit DH
 Yahoo Slurp Jan 2015         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Googlebot Feb 2015           TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)
 Googlebot Feb 2018           TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Googlebot Jun 2014           TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Googlebot Oct 2013           TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 Yahoo Slurp Jun 2014         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 Yahoo Slurp Oct 2013         TLSv1.0 ECDHE-RSA-AES256-SHA, 384 bit ECDH (P-384)
 YandexBot 3.0                No connection
 YandexBot Jan 2015           TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)
 YandexBot May 2014           TLSv1.0 DHE-RSA-AES256-SHA, 2048 bit DH
 YandexBot Sep 2014           TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)


Security HTTP Headers

HTTP Strict Transport Security (HSTS)   offered (OK)
Content Security Policy (CSP)           offered (OK)
X-Frame-Options                         not offered (NOT ok)
X-XSS-Protection                        offered (OK)
X-Content-Type-Options                  offered (OK)
Expect-CT                               not offered
Referrer Policy                         not offered
Feature Policy                          not offered
Web Server Version Disclosure           not offered (OK)
Web Application Disclosure              not offered (OK)
HTTP Public Key Pins (HPKP)             not offered, deprecated

Connection Performance
Keep Alive Connection                   offered (OK)
Content Encoding (Compression)          offered (Gzip) OK, for static pages or if no secrets in the page

Raw HTTP Headers

HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: Upgrade, Keep-Alive
Content-Encoding: gzip
Content-Length: 10890
Content-Security-Policy: block-all-mixed-content;default-src 'self' https://robotattack.org;
Content-Type: text/html; charset=UTF-8
Date: Tue, 09 Oct 2018 06:55:29 GMT
ETag: "7291-575be3a86cd0f-gzip"
Keep-Alive: timeout=5, max=100
Last-Modified: Thu, 13 Sep 2018 10:32:49 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000;includeSubDomains;preload
Upgrade: h2
Vary: Accept-Encoding,User-Agent
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

Cleaned HTML

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="description" content="Return of Bleichenbacher's Oracle Threat - ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server." />
<meta name="twitter:image" content="https://robotattack.org/robot-tw.png" />
<meta property="og:url" content="https://robotattack.org/" />
<meta property="og:title" content="The ROBOT Attack" />
<meta property="og:description" content="Return of Bleichenbacher's Oracle Threat - ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server." />
<meta property="og:image" content="https://robotattack.org/robot-og.png" />
<meta property="og:image:width" content="800" />
<meta property="og:image:height" content="1200" />
<meta property="og:type" content="website" />
<link rel="icon" type="image/png" href="favicon.png" />
<title>The ROBOT Attack - Return of Bleichenbacher's Oracle Threat</title>
<link href="robot.css" rel="stylesheet" type="text/css" />
<link href="fontlocal.css" rel="stylesheet" type="text/css" />
</head>
<body>
<img src="robot.svg" class="tlogo" height="300" alt="ROBOT" />
<header id="top">
<h1>The ROBOT Attack</h1>
</header>
<section><a id="check"></a>
<form action="/check/" method="get"><input type="text" name="h" /> <input type="submit" value="Test Server" /></form>
</section>
<section>
<h2>Return Of Bleichenbacher's Oracle Threat</h2>
<p><a href="https://hboeck.de/">Hanno Böck</a>, <a href="https://www.nds.rub.de/chair/people/jsomorovsky/">Juraj Somorovsky</a> (<a href="https://www.hackmanit.de/">Hackmanit GmbH</a>, Ruhr-Universität Bochum), <a href="https://secur3.us/">Craig Young</a> (<a href="https://www.tripwire.com/vert/">Tripwire VERT</a>)</p>
<p><em>Full paper <a href="https://www.usenix.org/conference/usenixsecurity18/presentation/bock">published at the Usenix Security conference</a>.</em></p>
<p><em>An earlier version was <a href="https://eprint.iacr.org/2017/1189">published at the Cryptology ePrint Archive</a>.</em></p>
</section>
<section>
<h2>News</h2>
<p>We won a <a href="https://pwnies.com/winners/">Pwnie award</a>!</p>
<p>We gave presentations about ROBOT at various Infosec conferences:</p>
<p><a href="https://www.youtube.com/watch?v=n_8MOf0Jx4s">ROBOT presentation at RuhrSec 2018</a><br />
<a href="https://www.youtube.com/watch?v=Cpt3Na0Kqr4">ROBOT presentation at BornHack 2018</a></p>
<p>Further presentations were given at Black Hat USA and at Usenix Security; we'll add links once recordings become available.</p>
</section>
<section>
<h2>The Vulnerability</h2>
<p>ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.</p>
<p>In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.</p>
<p>We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today's Internet.</p>
</section>
<section>
<h2>How bad is it?</h2>
<p>For hosts that are vulnerable and only support RSA encryption key exchanges it's pretty bad. It means an attacker can passively record traffic and later decrypt it.</p>
<p>For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange, the risk depends on how fast an attacker is able to perform the attack. We believe that a server impersonation or man-in-the-middle attack is possible, but it is more challenging.</p>
</section>
<section>
<h2>Who is affected?</h2>
<p>We have identified vulnerable implementations from at least seven vendors including F5, Citrix, and Cisco. (<a href="#patches">Current patch status is listed below.</a>)</p>
<p>Some of the most popular webpages on the Internet were affected, including Facebook and PayPal. In total, we found vulnerable subdomains on 27 of the top 100 domains as ranked by Alexa.</p>
<p>You can use the <a href="#check">test above to test public HTTPS servers</a>. We also published a <a href="https://github.com/robotattackorg/robot-detect">Python tool to scan for vulnerable hosts</a>.</p>
<p>We will update the following table if we become aware of more affected vendors:</p>
<a id="patches"></a>
<table class="table table-condensed">
<tr>
<td>F5</td>
<td><a href="https://support.f5.com/csp/article/K21905460">BIG-IP SSL vulnerability</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-6168">CVE-2017-6168</a></td>
</tr>
<tr>
<td>Citrix</td>
<td><a href="https://support.citrix.com/article/CTX230238">TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-17382">CVE-2017-17382</a></td>
</tr>
<tr>
<td>Radware</td>
<td><a href="https://portals.radware.com/getattachment/21be0b7b-fa1c-4cbc-8bd2-c19946aee270/Security-Advisory-Adaptive-chosen-ciphertext-atta/">Security Advisory: Adaptive chosen-ciphertext attack vulnerability</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-17427">CVE-2017-17427</a></td>
</tr>
<tr>
<td>Cisco ACE</td>
<td><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher">Bleichenbacher Attack on TLS Affecting Cisco Products</a>, <a href="https://www.cisco.com/c/en/us/products/collateral/interfaces-modules/services-modules/eol_C51-728979.html">End-of-Sale and End-of-Life</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-17428">CVE-2017-17428</a></td>
</tr>
<tr>
<td>Cisco ASA</td>
<td><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher">Bleichenbacher Attack on TLS Affecting Cisco Products</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-12373">CVE-2017-12373</a></td>
</tr>
<tr>
<td>Bouncy Castle</td>
<td>Fix in <a href="https://downloads.bouncycastle.org/betas/">1.59 beta 9</a>, <a href="https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c">Patch / Commit</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-13098">CVE-2017-13098</a></td>
</tr>
<tr>
<td>Erlang</td>
<td><a href="http://erlang.org/pipermail/erlang-questions/2017-November/094257.html">OTP 18.3.4.7</a>, <a href="http://erlang.org/pipermail/erlang-questions/2017-November/094256.html">OTP 19.3.6.4</a>, <a href="http://erlang.org/pipermail/erlang-questions/2017-November/094255.html">OTP 20.1.7</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-1000385">CVE-2017-1000385</a></td>
</tr>
<tr>
<td>WolfSSL</td>
<td><a href="https://github.com/wolfSSL/wolfssl/pull/1229">Github PR / patch</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-13099">CVE-2017-13099</a></td>
</tr>
<tr>
<td>Palo Alto Networks</td>
<td><a href="https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/PAN-OS-exposure-to-ROBOT-attack/ta-p/192397">PAN-OS exposure to ROBOT attack</a>, <a href="https://securityadvisories.paloaltonetworks.com/Home/Detail/117">Advisory (fixed in PAN-OS 7.1.15, 8.0.7)</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-17841">CVE-2017-17841</a></td>
</tr>
<tr>
<td>IBM GSKit</td>
<td><a href="http://www-01.ibm.com/support/docview.wss?uid=nas8N1022451">IBM i is affected by GSKIT vulnerability</a>, <a href="https://www-01.ibm.com/support/docview.wss?uid=swg22014196">Information disclosure in IBM HTTP Server</a>, <a href="https://www.ibm.com/blogs/psirt/ibm-security-bulletin-websphere-mq-is-vulnerable-to-disclosing-side-channel-information-via-discrepencies-between-valid-and-invalid-pkcs1-padding-robot-cve-2018-1388/">WebSphere MQ is vulnerable to disclosing side channel information via discrepancies between valid and invalid PKCS#1 padding</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1388">CVE-2018-1388</a></td>
</tr>
<tr>
<td>Unisys ClearPath MCP</td>
<td><a href="https://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=46">MCP TLS susceptible to ROBOT attack</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-5762">CVE-2018-5762</a></td>
</tr>
<tr>
<td>Symantec IntelligenceCenter</td>
<td><a href="https://support.symantec.com/en_US/article.SYMSA1441.html">SA160: Return of the Bleichenbacher Oracle Threat (ROBOT)</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-18268">CVE-2017-18268</a></td>
</tr>
<tr>
<td>Symantec SSL Visibility (SSLV)</td>
<td><a href="https://support.symantec.com/en_US/article.SYMSA1441.html">SA160: Return of the Bleichenbacher Oracle Threat (ROBOT)</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15533">CVE-2017-15533</a></td>
</tr>
<tr>
<td>Cavium Nitro/Octeon</td>
<td><a href="https://www.cavium.com/security-advisory-cve-2017-17428.html">Cavium Security Advisory</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-17428">CVE-2017-17428</a></td>
</tr>
<tr>
<td>FortiGuard SSL Deep Inspection</td>
<td><a href="https://fortiguard.com/psirt/FG-IR-17-302">PSIRT Advisory FG-IR-17-302</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-9192">CVE-2018-9192</a></td>
</tr>
<tr>
<td>FortiGuard VIP SSL</td>
<td><a href="https://fortiguard.com/psirt/FG-IR-17-302">PSIRT Advisory FG-IR-17-302</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-9194">CVE-2018-9194</a></td>
</tr>
<tr>
<td>Haskell-TLS</td>
<td><a href="https://github.com/vincenthz/hs-tls/issues/285">Inconsistencies in answers to RSA errors (possibly Bleichenbacher/ROBOT attack)</a> (behavior inconsistent, not clear if exploitable)</td>
<td>-</td>
</tr>
<tr>
<td>MatrixSSL</td>
<td><a href="https://github.com/matrixssl/matrixssl/blob/master/doc/CHANGES.md#changes-in-383">Changes in 3.8.3</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2016-6883">CVE-2016-6883</a></td>
</tr>
<tr>
<td>Java / JSSE</td>
<td><a href="https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html">Oracle Critical Patch Update Advisory - October 2012</a></td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2012-5081">CVE-2012-5081</a></td>
</tr>
</table>
<p>MatrixSSL and JSSE are old vulnerabilities, but we added them as we still see vulnerable hosts.</p>
<p>Indirectly vulnerable products due to the use of vulnerable components:</p>
<table>
<tr>
<td>Aruba Instant</td>
<td><a href="https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-002.txt">Aruba Product Security Advisory ARUBA-PSA-2018-002</a> (uses WolfSSL)</td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-13099">CVE-2017-13099</a></td>
</tr>
<tr>
<td>Micro Focus</td>
<td><a href="https://support.microfocus.com/kb/doc.php?id=7022561">Bouncy Castle Weak Oracle (CVE-2017-13098)</a> (uses Bouncy Castle)</td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-13098">CVE-2017-13098</a></td>
</tr>
</table>
</section>
<section>
<h2>I am affected, what shall I do?</h2>
<p>If you use one of the products that provides a fix you should of course install the update. However, we recommend something else:</p>
<h3>Disable RSA encryption!</h3>
<p>ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie-Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky, these modes also lack forward secrecy.</p>
<p>By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack.</p>
<p>Based on some preliminary data we also believe the compatibility costs of disabling RSA encryption modes are relatively low. Cloudflare shared with us that around one percent of their connections use the RSA encryption modes. Disabling these modes on the HTTPS server operated by one of the authors caused no notable problems.</p>
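<p>As an added illustration (not code from the ROBOT authors or from any of the listed vendors), the following Python script shows the rule above as a deployable check: OpenSSL reports the key-exchange algorithm of every enabled suite, so a cipher string can be verified to contain no static-RSA key exchange before it goes into a server configuration. The cipher strings, the <code>kx-rsa</code> / <code>kx-ecdhe</code> labels (as returned by Python's <code>ssl</code> module) and the sample IANA suite names are the example's own assumptions; adapt the strings to the server being hardened.</p>

```python
"""Added example: checking an OpenSSL cipher string for static-RSA key exchange.

Python's ssl module exposes the key-exchange algorithm of every enabled suite,
so a server configuration can be checked before deployment.  The cipher
strings below are constructed for this example.
"""
import ssl
from typing import List

# What the FAQ calls "RSA encryption modes": suites whose IANA name starts
# with TLS_RSA_WITH_.  OpenSSL labels their key exchange 'kx-rsa'.
STATIC_RSA_KEA = "kx-rsa"

# Weak: a typical "strong ciphers only" string still admits static RSA key
# exchange (e.g. AES256-GCM-SHA384 in OpenSSL naming).
WEAK_CIPHERS = "HIGH:!aNULL:!eNULL"
# Hardened: the same string with the kRSA alias excluded.  ECDHE/DHE suites
# that merely use RSA *signatures* stay enabled; they are not affected by ROBOT.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!kRSA"


def context_with_ciphers(cipher_string: str) -> ssl.SSLContext:
    """Server-side context restricted to the given OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx


def rsa_kex_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names (OpenSSL form) of enabled suites that encrypt the premaster
    secret directly with the server's RSA key."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] == STATIC_RSA_KEA]


def has_forward_secret_suites(ctx: ssl.SSLContext) -> bool:
    """Sanity check that hardening left usable (EC)DHE suites behind."""
    return any(c["kea"] in ("kx-ecdhe", "kx-dhe") for c in ctx.get_ciphers())


def is_static_rsa_suite(iana_name: str) -> bool:
    """Classify by IANA name, matching the FAQ's rule of thumb: TLS_RSA_* is
    affected, TLS_ECDHE_RSA_* and TLS_DHE_RSA_* are not (RSA is only the
    signature algorithm there)."""
    return iana_name.startswith("TLS_RSA_")


if __name__ == "__main__":
    for label, cipher_string in (("weak", WEAK_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        ctx = context_with_ciphers(cipher_string)
        leftover = rsa_kex_ciphers(ctx)
        print(f"{label:8s} static-RSA suites enabled: {len(leftover):2d}  "
              f"forward-secret suites present: {has_forward_secret_suites(ctx)}")
        for name in leftover[:3]:
            print("          ", name)
```

<p>The same <code>!kRSA</code> suffix works in any server that takes an OpenSSL cipher string (nginx <code>ssl_ciphers</code>, Apache <code>SSLCipherSuite</code>); the script only demonstrates how to confirm the result rather than trusting the string by inspection.</p>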
<h3>I have a Cisco ACE device.</h3>
<p>Cisco informed us that the ACE product line was discontinued several years ago and that they won't provide an update. Still, we found plenty of vulnerable hosts that use these devices.</p>
<p>These devices don't support any other cipher suites, therefore disabling RSA is not an option. To our knowledge it is not possible to use these devices for TLS connections in a secure way.</p>
<p>However, if you use these products you're in good company: As far as we can tell Cisco is using them to serve the cisco.com domain.</p>
</section>
<section>
<h2>My server is vulnerable. Do I need to revoke my certificate?</h2>
<p><b>No.</b> This attack does not recover the server's private key. It only allows an attacker to decrypt ciphertexts or sign messages with the server's private key.</p>
</section>
<section>
<h2>Do I need to update my browser?</h2>
<p>No. This is an implementation bug in servers; there is nothing clients can do to prevent it.</p>
</section>
<section>
<h2>Can you actually prove that Facebook was vulnerable?</h2>
<p>We were able to sign a test message with Facebook's private key.</p>
<p>You don't have to take our word for it; we have cryptographic proof. Just use these commands:</p>
<p><code>echo 799e4353 5a4da709 80fada33 d0fbf51a e60d32c1 115c87ab 29b716b4 9ab06377 33f92fc9 85f280fa 569e41e2 847b09e8 d028c0c2 a42ce5be eb640c10 1d5cf486 cdffc5be 116a2d5b a36e52f4 195498a7 8427982d 50bb7d9d 938ab905 40756535 8b1637d4 6fbb60a9 f4f093fe 58dbd251 2cca70ce 842e74da 078550d8 4e6abc83 ef2d7e72 ec79d7cb 2014e7bd 8debbd1e 313188b6 3a2a6aec 55de6f56 ad49d32a 1201f180 82afe3b4 edf02ad2 a1bce2f5 7104f387 f3b8401c 5a7a8336 c80525b0 b83ec965 89c36768 5205623d 2dcdbe14 66701dff c6e768fb 8af1afdb e0a1a626 54f3fd08 175069b7 b198c471 95b63083 9c663321 dc5ca39a bfb45216 db7ef837 | xxd -r -p &gt; sig<br />
curl 'https://crt.sh/?d=F709E83727385F514321D9B2A64E26B1A195751BBCAB16BE2F2F34EBB084F6A9' | openssl x509 -noout -pubkey &gt; pubkey.key<br />
openssl rsautl -verify -pubin -inkey pubkey.key -in sig</code></p>
<p>The first line will write the signature to a file using xxd (a tool that's part of vim). The second line will download Facebook's certificate as used at the time of the attack (we could also download it from Facebook, but then it won't work after they change it). The third line will verify it and tell you that it's a signature over the text:</p>
<p><code>We hacked Facebook with a Bleichenbacher Oracle (JS/HB).</code></p>
</section>
<section>
<h2>How is it possible that a 19-year-old vulnerability is still present?</h2>
<p>After Bleichenbacher's original attack the designers of TLS decided that the best course of action was to keep the vulnerable encryption modes and add countermeasures. Later research showed that these countermeasures were incomplete, leading the TLS designers to add more complicated countermeasures.</p>
<p>The <a href="https://tools.ietf.org/html/rfc5246#section-7.4.7.1">section on Bleichenbacher countermeasures in the latest TLS 1.2 standard (7.4.7.1)</a> is incredibly complex. It is not surprising that these workarounds aren't implemented correctly.</p>
</section>
<section>
<h2>If the test says I'm not vulnerable then everything is fine, right?</h2>
<p>Not necessarily.</p>
<h3>Further protocol flows and cipher suites</h3>
<p>We discovered that with slight modifications, e.g. by changing the message flow or by using different cipher modes, we could find more vulnerable hosts. It is likely that further variations may reveal new oracles.</p>
<h3>Cross-protocol and cross-server attacks</h3>
<p>Even if your server is not directly vulnerable, the attack can be applied in two cases. First, your secure server can share the same public key with a vulnerable server. As shown in <a href="https://drownattack.com/">DROWN</a>, it is quite common for web servers to share the same key. The attacker can then use the vulnerable server as an oracle to decrypt the confidential communication with your secure server.</p>
<p>Second, another vulnerable server can use a certificate with a domain name that matches your secure server. This would allow an attacker to perform impersonation attacks. We have actually observed such an example in the wild. The main WhatsApp web page www.whatsapp.com was not vulnerable, but we detected several vulnerable servers with a wildcard certificate issued to *.whatsapp.com.</p>
<h3>Timing attacks</h3>
<p>It is also important to note that our test does not consider timing variants of Bleichenbacher's vulnerability. However, these tend to be very hard to exploit in practice.</p>
<p>You can find some info about potential timing issues in <a href="https://mta.openssl.org/pipermail/openssl-dev/2017-December/009887.html">OpenSSL here</a> and in <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=577498">NSS here</a>.</p>
</section>
<section>
<h2>What's this PKCS #1 v1.5 you're talking about?</h2>
<p>The RSA algorithm cannot be used in its "pure" form. In order to be secure, messages need some kind of padding. PKCS #1 v1.5 is a widely used padding mode for RSA for both encryption and signatures.</p>
<p>There are more secure padding modes for RSA (PSS/OAEP), but they never gained widespread adoption. They're standardized in <a href="https://tools.ietf.org/html/rfc8017">PKCS #1 v2.2</a>.</p>
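<p>To make the padding format above and the countermeasure complexity discussed under "How is it possible that a 19-year-old vulnerability is still present?" concrete, here is an added Python example (not code from the ROBOT authors, the RFCs or any listed product). It operates on the padded block that RSA decryption would yield; the RSA step itself is left out, so the modulus length <code>k</code>, the messages and the version bytes are constructed for the example. It places a naive padding check that reports a distinct error per failure next to the RFC 5246 section 7.4.7.1 processing that always yields a 48-byte premaster secret.</p>

```python
"""Added example: PKCS #1 v1.5 encryption padding and two ways to react to it.

Works on the padded block EM that RSA decryption produces; the RSA operation
itself is out of scope, so k (modulus length in bytes) and all inputs are
constructed here.
"""
import os
import secrets
from typing import Optional


def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x02 || PS || 0x00 || M, with PS at least 8 non-zero random
    bytes (RFC 8017, section 7.2.1, EME-PKCS1-v1_5 encoding)."""
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps_len = k - len(message) - 3
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))  # 0x01..0xff
    return b"\x00\x02" + ps + b"\x00" + message


def naive_unpad(em: bytes) -> bytes:
    """Straightforward check that reports a *different* error for each failure.
    Exposed to the network (as distinct alerts, connection resets or timeouts)
    such distinctions are exactly the oracle Bleichenbacher's attack needs."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return em[sep + 1:]


def leaky_error(em: bytes) -> str:
    """What a naive server reveals about a block: 'ok' or the specific failure."""
    try:
        naive_unpad(em)
        return "ok"
    except ValueError as exc:
        return str(exc)


def tls_premaster_secret(em: bytes, client_version: bytes) -> bytes:
    """RFC 5246, section 7.4.7.1: always produce a 48-byte premaster secret.
    Bad padding or wrong length yields client_version || 46 random bytes, so
    the handshake continues identically and only fails at Finished, with no
    padding-dependent signal.  Timing of the RSA decryption itself is a
    separate concern that this logic does not address."""
    r = os.urandom(46)  # generated before the check, as the RFC prescribes
    try:
        m: Optional[bytes] = naive_unpad(em)
    except ValueError:
        m = None
    if m is None or len(m) != 48:
        return client_version + r
    # Valid padding and length: overwrite the version bytes with the
    # ClientHello version, which also removes the bad-version oracle.
    return client_version + m[2:]


if __name__ == "__main__":
    k = 256  # 2048-bit modulus
    tls12 = b"\x03\x03"
    em = pkcs1_v15_pad(tls12 + os.urandom(46), k)
    tampered = b"\x00\x01" + em[2:]
    print("naive:", leaky_error(em), "/", leaky_error(tampered))
    print("rfc5246 lengths:", len(tls_premaster_secret(em, tls12)),
          len(tls_premaster_secret(tampered, tls12)))
```

<p>Note what the RFC processing does not do: it never tells the peer whether the padding was valid, it performs the same amount of work either way, and it treats a correctly padded message of the wrong length exactly like garbage. The hosts in the vendor table all deviated from that in some observable way.</p>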
</section>
<section>
<h2>What about PKCS #1 v1.5 signatures?</h2>
<p>They're also problematic, but for <a href="https://www.ietf.org/mail-archive/web/openpgp/current/msg00999.html">different</a> <a href="http://www.intelsecurity.com/advanced-threat-research/berserk.html">reasons</a> that were not part of our research.</p>
</section>
<section>
<h2>Is this only a problem for TLS?</h2>
<p>No. Bleichenbacher-style vulnerabilities have been found in <a href="https://www.nds.rub.de/research/publications/breaking-xml-encryption-pkcs15/">XML Encryption</a>, <a href="https://eprint.iacr.org/2012/417">PKCS#11 interfaces</a>, <a href="https://www.nds.rub.de/research/publications/-security-javascript-object-signing-and-encryption/">Javascript Object Signing and Encryption (JOSE)</a> and <a href="https://www.openssl.org/news/secadv/20120312.txt">Cryptographic Message Syntax / S/MIME</a>.</p>
<p>Every protocol that uses RSA PKCS #1 v1.5 encryption is at risk of exposing similar vulnerabilities.</p>
</section>
<section>
<h2>How is ROBOT different from Bleichenbacher's original attack?</h2>
<p>Bleichenbacher's original work from 1998 used an oracle based on different TLS alerts. We changed it to allow various other signals to distinguish between error types, such as timeouts, connection resets and duplicate TLS alerts.</p>
<p>We also discovered that a shortened message flow, in which we send the <b><code>ClientKeyExchange</code></b> message without the <b><code>ChangeCipherSpec</code></b> and <b><code>Finished</code></b> messages, allows us to find more vulnerable hosts.</p>
</section>
<section>
<h2>So... ROBOT doesn't add a whole lot, right?</h2>
<p>That's correct. The surprising fact is that our research was very straightforward. We used minor variations of the original attack and were successful. This issue was hiding in plain sight.</p>
<p>This means neither the vendors of the affected products nor security researchers have investigated this before, although it's a very classic and well-known attack.</p>
</section>
<section>
<h2>How is this related to previous research?</h2>
<p>Originally this type of attack was <a href="http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf">discovered by Daniel Bleichenbacher in 1998</a>.</p>
<p>Klima, Pokorny and Rosa <a href="https://eprint.iacr.org/2003/052">improved the attack and discovered the bad-version oracle in 2003</a>.</p>
<p>In 2012 Romain Bardou and others <a href="https://eprint.iacr.org/2012/417">developed a much more efficient Bleichenbacher attack algorithm</a> that reduces the number of needed connections.</p>
<p>In 2014 <a href="https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/meyer">Christopher Meyer and others discovered Bleichenbacher vulnerabilities in JSSE and other products</a> and described the first practical timing attacks.</p>
<p>Tibor Jager and colleagues discovered that <a href="https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf">it is possible to use a cross-protocol Bleichenbacher attack against TLS 1.3 and QUIC</a>.</p>
<p>The <a href="https://drownattack.com/">DROWN attack</a> is a protocol level Bleichenbacher vulnerability in SSL version 2. The DROWN research also contains further insights on cross-protocol scenarios.</p>
</section>
<section>
<h2>Are there any tools that I can use to scan for this vulnerability?</h2>
<p>We have reached out to the developers of various TLS testing tools before the publication of our research. The following tools have checks that will cover ROBOT:</p>
<ul>
<li><a href="https://testssl.sh/">testssl.sh</a> has a test closely modelled after our own. A <a href="https://testssl.sh/bleichenbacher/">snapshot is available</a>; it is not yet part of a release. It also supports SNI and STARTTLS, which our test does not.</li>
<li><a href="https://github.com/RUB-NDS/TLS-Attacker">TLS-Attacker</a> already contained Bleichenbacher checks before our research; <a href="https://web-in-security.blogspot.com/2017/12/tls-attacker-v22-and-robot-attack.html">version 2.2 was extended with additional checks to cover all ROBOT variations</a>.</li>
<li><a href="https://www.ssllabs.com/">SSLLabs</a> has added a check for ROBOT.</li>
<li><a href="https://www.tripwire.com/products/tripwire-ip360/">Tripwire IP360</a> added detection for vulnerable F5 devices in ASPL-753, which was released in coordination with F5's public advisory. Generic detection of Bleichenbacher oracles will be released in coordination with this publication.</li>
<li><a href="https://github.com/tomato42/tlsfuzzer">tlsfuzzer</a> has an extensive test script for Bleichenbacher vulns, though it will also complain about misbehaving servers that are not necessarily vulnerable.</li>
<li><a href="https://github.com/nabla-c0d3/sslyze">SSLyze</a> added <a href="https://nabla-c0d3.github.io/blog/2017/12/17/sslyze-robot-scan/">support for ROBOT detection</a> after our disclosure.</li>
</ul>
<p>We encourage developers of other security and TLS testing tools to add checks for ROBOT. You can use <a href="https://github.com/robotattackorg/robot-detect">our code</a>, it's under a CC0 (public domain) license.</p>
</section>
<section>
<h2>Can this attack be used against Bitcoin?</h2>
<p>Bitcoin does not use RSA, instead it uses elliptic curve cryptography based on the curve secp256k1. Our attack cannot be directly applied to that. However if you transform a quantum key exchange to a supersingular Isogeny you can attack post-quantum RSA and thus apply our attack indirectly to secp256k1.</p>
<p>We believe the only way Bitcoin can defend against this is to immediately switch to Quantum Blockchains.</p>
</section>
<section>
<h2>Will you publish the proof of concept?</h2>
<p>We have published a proof of concept as part of our <a href="https://github.com/robotattackorg/robot-detect">robot-detect</a> script.</p>
<p>We delayed publishing the PoC after our initial announcement to give people time to patch and fix their servers and to play the CTF.</p>
<h3>Play our Capture The Flag contests!</h3>
<p><b>Update:</b> The CTF is over!</p>
<p>We have a <a href="https://ctf.robotattack.org">ROBOT CTF</a> contest where you can test your cryptographic attack skills.</p>
<p>This will require the implementation of a practical Bleichenbacher attack. While we can't make any rules about what you publish we ask you to delay the publication of any tools you create during the contest until it is over.</p>
<p>We will probably run the contest for two months, but we may revisit the timeline.</p>
</section>
<section>
<h2>Is this vuln really serious enough to deserve a name, a logo and a web page?</h2>
<p>We had considerable disagreement in our team about this. Juraj agreed only under protest. All complaints about this issue need to go to Hanno.</p>
<h2><a id="media"></a>Media, Blogs and more</h2>
<h4>Media reports</h4>
<p><a href="https://www.theregister.co.uk/2017/11/20/f5_crypto_weakness/">The Register: F5 DROWNing, not waving, in crypto fail</a><br />
<a href="https://www.golem.de/news/robot-angriff-19-jahre-alter-angriff-auf-tls-funktioniert-immer-noch-1712-131607.html">Golem.de: ROBOT-Angriff - 19 Jahre alter Angriff auf TLS funktioniert immer noch</a><br />
<a href="https://www.forbes.com/sites/thomasbrewster/2017/12/12/robot-hack-exploits-encryption-weaknesses-in-major-websites-facebook-patches/">Forbes: 'ROBOT Attack' Exposed Facebook With 19-Year-Old Bug -- Massive Websites Still Vulnerable</a><br />
<a href="https://arstechnica.com/information-technology/2017/12/a-worrying-number-of-sites-remain-open-to-major-crypto-flaw-from-1998/">Ars Technica: 1998 attack that messes with sites’ secret crypto keys is back in a big way</a><br />
<a href="https://thehackernews.com/2017/12/bleichenbacher-robot-rsa.html">The Hacker News: ROBOT Attack: 19-Year-Old Bleichenbacher Attack On Encrypted Web Reintroduced</a><br />
<a href="https://www.theregister.co.uk/2017/12/13/robot_tls_rsa_flaw/">The Register: I, Robot? Aiiiee, ROBOT! RSA TLS crypto attack pwns Facebook, PayPal, 27 of 100 top domains</a><br />
<a href="https://securityaffairs.co/wordpress/66682/hacking/robot-attack.html">Security Affairs: ROBOT Attack: RSA TLS crypto attack worked against Facebook, PayPal, and tens of 100 top domains</a><br />
<a href="https://www.bleepingcomputer.com/news/security/variation-of-19-year-old-cryptographic-attack-affects-facebook-paypal-others/">Bleeping Computer: Variation of 19-Year-Old Cryptographic Attack Affects Facebook, PayPal, Others</a><br />
<a href="https://threatpost.com/19-year-old-tls-vulnerability-weakens-modern-website-crypto/129158/">ThreatPost: 19-Year-Old TLS Vulnerability Weakens Modern Website Crypto</a><br />
<a href="https://www.scmagazine.com/tls-exploit-robot-capitalizes-on-19-year-old-vulnerability-vendors-issue-patch/article/718417/">SC Magazine: TLS exploit 'ROBOT' capitalizes on 19-year-old vulnerability; vendors issue patch</a><br />
<a href="https://www.heise.de/security/meldung/ROBOT-Attacke-TLS-Angriff-von-1998-funktioniert-immer-noch-3916994.html">heise: ROBOT-Attacke: TLS-Angriff von 1998 funktioniert immer noch</a><br />
<a href="https://www.digi.no/artikler/gammel-kryptosarbarhet-er-tilbake-facebook-blant-de-berorte/414352">digi.no: Gammel kryptosårbarhet er tilbake. Facebook blant de berørte</a></p>
<h4>Blog posts</h4>
<p><a href="https://www.tripwire.com/state-of-security/vert/return-bleichenbachers-oracle-threat-robot/?utm_content=bufferb1d9b&amp;utm_medium=social&amp;utm_source=twitter.com&amp;utm_campaign=buffer">TripWire / The State of Security: VERT Threat Alert: Return of Bleichenbacher’s Oracle Threat (ROBOT)</a><br />
<a href="https://cryptosense.com/bleichenbacher-is-back-again/">Cryptosense: Bleichenbacher is Back – Again</a><br />
<a href="https://www.trustzone.com/robot-attack-rsa-encryption-vulnerable-choose-ecc-tlsssl-certificates-ensure-security">Trustzone: The ROBOT attack: RSA Encryptoin is vulnerable</a><br />
<a href="https://research.kudelskisecurity.com/2017/12/14/algorithms-cant-be-patched/">Kudelski Security / JP Aumasson: Algorithms can't be patched</a><br />
<a href="https://web-in-security.blogspot.com/2017/12/tls-attacker-v22-and-robot-attack.html">Juraj Somorovsky: TLS-Attacker v2.2 and the ROBOT attack</a><br />
<a href="https://access.redhat.com/blogs/766093/posts/3275721">Hubert Kario / Red Hat: Detecting ROBOT and other vulnerabilities using Red Hat testing tools</a></p>
<h4>Other</h4>
<p><a href="https://www.kb.cert.org/vuls/id/144389">CERT/CC: Vulnerability Note VU#144389</a><br />
<a href="https://www.ietf.org/mail-archive/web/tls/current/msg25135.html">TLS mailing list, Colm MacCárthaigh (Amazon s2n): A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS</a></p>
</section>
<div class="footer-logo"></div>
<footer>
<p class="text-muted">The website design was "stolen" from the DROWN website and slightly adapted; it was created by <a href="http://sarahmadden.com/">Sarah Madden</a>. The logo was designed by Ange Albertini; see his project <a href="https://corkami.github.io/">Corkami</a> for more artwork from him. Logo, design and content of this website are under a <a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0</a> license. | <a href="/imprint">Imprint</a></p>
</footer>
</body>
</html>

Warnings, Errors and Accessibility

line 341 column 1 - Info: missing optional end tag </li>
line 413 column 125 - Warning: unescaped & or unknown entity "&utm_medium"
line 413 column 143 - Warning: unescaped & or unknown entity "&utm_source"
line 413 column 166 - Warning: unescaped & or unknown entity "&utm_campaign"

Accessibility Checks:

line 17 column 1 - Access: [6.1.1.1]: style sheets require testing (link).
line 18 column 1 - Access: [6.1.1.1]: style sheets require testing (link).
line 20 column 1 - Access: [2.1.1.1]: ensure information not conveyed through color alone (image).
line 21 column 7 - Access: [1.1.2.1]: <img> missing 'longdesc' and d-link.
line 36 column 1 - Access: [13.1.1.2]: link text missing.
line 38 column 1 - Access: [2.1.1.5]: ensure information not conveyed through color alone (input).
line 39 column 1 - Access: [2.1.1.5]: ensure information not conveyed through color alone (input).
line 39 column 1 - Access: [12.4.1.1]: associate labels explicitly with form controls.
line 48 column 1 - Access: [3.5.2.2]: potential header (italics).
line 49 column 1 - Access: [3.5.2.2]: potential header (italics).
line 103 column 1 - Access: [13.1.1.2]: link text missing.
line 103 column 21 - Access: [5.5.2.1]: <table> missing <caption>.
line 103 column 21 - Access: [5.5.1.1]: <table> missing summary.
line 103 column 21 - Access: [5.1.2.1]: data <table> missing row/column headers (all).
line 105 column 24 - Access: [13.1.1.3]: link text too long.
line 106 column 25 - Access: [13.1.1.3]: link text too long.
line 115 column 258 - Access: [13.1.1.3]: link text too long.
line 122 column 29 - Access: [13.1.1.3]: link text too long.
line 132 column 1 - Access: [5.5.2.1]: <table> missing <caption>.
line 132 column 1 - Access: [5.5.1.1]: <table> missing summary.
line 222 column 1 - Access: [13.1.1.3]: link text too long.
line 242 column 1 - Access: [13.1.1.1]: link text not meaningful.
line 321 column 28 - Access: [13.1.1.3]: link text too long.
line 322 column 37 - Access: [13.1.1.3]: link text too long.
line 324 column 12 - Access: [13.1.1.3]: link text too long.
line 326 column 47 - Access: [13.1.1.3]: link text too long.
line 339 column 1 - Access: [13.1.1.3]: link text too long.
line 394 column 1 - Access: [3.5.1.1]: headers improperly nested.
line 394 column 5 - Access: [13.1.1.2]: link text missing.
line 398 column 1 - Access: [13.1.1.3]: link text too long.
line 399 column 1 - Access: [13.1.1.3]: link text too long.
line 400 column 1 - Access: [13.1.1.3]: link text too long.
line 401 column 1 - Access: [13.1.1.3]: link text too long.
line 402 column 1 - Access: [13.1.1.3]: link text too long.
line 403 column 1 - Access: [13.1.1.3]: link text too long.
line 404 column 1 - Access: [13.1.1.3]: link text too long.
line 405 column 1 - Access: [13.1.1.3]: link text too long.
line 406 column 1 - Access: [13.1.1.3]: link text too long.
line 407 column 1 - Access: [13.1.1.3]: link text too long.
line 408 column 1 - Access: [13.1.1.3]: link text too long.
line 413 column 1 - Access: [13.1.1.3]: link text too long.
line 418 column 1 - Access: [13.1.1.3]: link text too long.
line 424 column 1 - Access: [13.1.1.3]: link text too long.
line 437 column 1 - Access: [13.1.1.1]: link text not meaningful.
Info: Document content looks like HTML5
<HTMLYSE> found 3 warnings and 0 errors!