Who likes the ROBOT?

We don't…

Janosch Maier
CrashtestSec
1 min read · Dec 16, 2017


TLS, the standard for encrypting web traffic, has just gained another famous vulnerability. In fact, the vulnerability is nothing really new: it is an attack from 1998 that has reappeared. The original vulnerability was found by cryptographer Daniel Bleichenbacher, so the new version is called "Return of Bleichenbacher's Padding Oracle", or ROBOT for short.

The root cause is that the server's RSA decryption stops at different points during its execution depending on which error condition it hits, and those differences are observable from the outside. An attacker can use this as an oracle by crafting specific requests; with many such requests he can decrypt traffic sent to and from the website.
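The mechanism from a defender's point of view, as an added example that is not from the original post or from CrashtestSec: a leaky PKCS#1 v1.5 unpadding routine that exits at a different point for each error condition, beside the uniform handling that TLS 1.2 (RFC 5246, section 7.4.7.1) prescribes. The function names and the byte-string inputs are constructed for this illustration.

```python
import os

PMS_LEN = 48  # a TLS premaster secret is always 48 bytes


def pkcs1_v15_pad(pms: bytes, k: int, rng=os.urandom) -> bytes:
    """Build an RSA PKCS#1 v1.5 type-2 block: 00 02 | nonzero pad | 00 | pms."""
    pad_len = k - 3 - len(pms)
    pad = b""
    while len(pad) < pad_len:  # padding bytes must be nonzero
        pad += bytes(b for b in rng(pad_len - len(pad)) if b != 0)
    return b"\x00\x02" + pad + b"\x00" + pms


def unpad_leaky(em: bytes) -> bytes:
    """Decryption-side unpadding with early exits. Each failed check stops at a
    different point and reports a different error; a client that can observe
    the alert or the timing learns which check failed. That is the oracle."""
    if em[0:2] != b"\x00\x02":
        raise ValueError("bad header")          # exit point 1
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")        # exit point 2
    if sep < 10:
        raise ValueError("padding too short")   # exit point 3
    pms = em[sep + 1:]
    if len(pms) != PMS_LEN:
        raise ValueError("bad length")          # exit point 4
    return pms


def unpad_hardened(em: bytes, rng=os.urandom) -> bytes:
    """Mitigation from RFC 5246 section 7.4.7.1: evaluate every check, never
    signal a padding failure, and on failure substitute a random premaster
    secret so the handshake later fails in a way the client cannot tell apart
    from a genuine wrong-key failure. (Illustrates the uniform outcome only;
    Python cannot promise constant-time execution.)"""
    fallback = rng(PMS_LEN)
    sep = em.find(b"\x00", 2)
    pms = em[sep + 1:] if sep >= 0 else b""
    ok = em[0:2] == b"\x00\x02"
    ok &= sep >= 10
    ok &= len(pms) == PMS_LEN
    return pms if ok else fallback
```

Whatever the client sends, the hardened variant always yields a 48-byte secret and no padding-specific error, so the client has nothing to distinguish.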

To keep you safe, we have already updated our scanners. Effective immediately, the dashboard will show you whether you are vulnerable. If you have not yet tested whether you are vulnerable to ROBOT (and dozens of other vulnerabilities), help yourself and get a free account on https://www.crashtest.cloud
