SSL-TLS security flaws : HEARTBLEED and 3SHAKE attacks

Abstract

SSL-TLS Protocol was designed and developed to provide a secure channel for internet communications. It is a means to protect web applications against malicious third parties that may try to eavesdrop, tamper, or even interrupt the network connections between client and server. However, being a security protocol with encryption does not guarantee it is infallible. Several SSL-TLS vulnerabilities have been found and exploited since its introduction in 1994 [1]. Some examples of well-known attacks were BEAST, CRIME, POODLE, and SSL Stripping [2]. In this report, we will study two types of vulnerabilities that may affect SSL-TLS (implementation-based and protocol-based). The focus will be placed on TLS v1.2, as this protocol is the most widely supported on the Internet at the time of writing this report [3]. We will do a detailed study on HEARTBLEED as an implementation-based vulnerability, and 3SHAKE as a protocol-based vulnerability. For each of these vulnerabilities, we will study the root causes, how it was exploited into an attack, its impacts, as well as the countermeasures. Furthermore, we will also discuss and compare the two vulnerabilities.