SLOTH Attacks Weaken HTTPS Privacy

by Tracy Knauer •

Security vulnerabilities based on the MD5 hashing function make it possible to decrypt network data or impersonate servers in order to steal private information, according to researchers from the INRIA institute in France.

MD5 is a cryptographic hash function. That means it translates data into a “hash,” or jumbled piece of information. In theory, the jumbled data cannot be reverse-translated to reveal the original information.

Since the mid-1990s, however, flaws have been known in the MD5 algorithm that make it possible to decrypt MD5 hashes. For that reason, MD5 long ago ceased to be used to used for tasks that require high security and privacy, such as signing SSL/TLS certificates (which are used to provide HTTPS encryption for websites).

But it turns out that vulnerable MD5 hashes remain in use at other layers of the TLS encryption scheme, among other places. As a result, it facilitates a series of attacks called SLOTH by the security researchers who described them in a recent paper.

The attacks enable malicious servers to pose as legitimate websites in order to steal users’ information. They could also make it possible for network eavesdroppers to decrypt data that should be private.

Other widely used encryption protocols, including the ones used to secure SSH, IPsec and XMPP messaging, may also be vulnerable to attacks resulting from poor MD5 hashing implementation.

The good news is that the SLOTH attacks do not affect every website or app that uses MD5. They require certain conditions to work. They also require some time to execute, since breaking MD5 hashes can take a few hours, not seconds.

That means these vulnerabilities are not likely to be used to collect massive amounts of information from Internet users in a systematic way. But they could be useful for targeting particular individuals, like journalists, whose online activity or private information authorities may want to monitor.

For now, the SLOTH attacks mainly mean that HTTPS encryption cannot be trusted (not that you should have assumed it was perfect before, either). If you’re worried about privacy, protecting your traffic with a VPN will add another helpful layer of data privacy.

Leave a Reply

Your email address will not be published.