
Raccoon Attack - wglb
https://raccoon-attack.com/
======
imadethis
First off, thanks to the authors for making it clear that this is a difficult
attack vector to exploit. I'm tired of sites like these that make it seem like
it's the end of the world.

As this is a timing based attack, I wonder what the feasibility would be in a
real-world network environment. From a brief skim of the paper, it looks like
they were getting a false positive rate of 10% between two VMs on a Gigabit
connection. I wonder how quickly that would increase if the servers were in
different buildings / cities / continents.

~~~
Matthias247
> between two VMs on a Gigabit connection

and likely nothing else running.

Real world webservers running tons of concurrent requests have __very__
variable processing times (if you get below 5ms you are very good!) purely
due to queued up work and context switches.

~~~
DarthGhandi
The amount of extra time needed to sift through network jitter isn't really
that huge. It's far less than what people imagine even with basic statistical
techniques.

~~~
Matthias247
Maybe. My point was that even network jitter won’t be important, since
software processing latencies are much higher. If a server handles another
request before your handshake that’s thousands more instructions which
obfuscate the result. If it does another TLS handshake before, its thread
might be blocked for several ms before it gets to processing the next thing.
That’s all orders of magnitude higher than any „this took longer because some
bits are different“ measurements.

------
ve55
>Why is the attack called "Raccoon"?

>Raccoon is not an acronym. Raccoons are just cute animals, and it is well
past time that an attack will be named after them :)

Better naming and mascot than the last five TLS security bugs if you ask me

~~~
ljhsiung
I thought Heartbleed was a decent name. A callback to the heartbeat protocol.

I think DROWN was kiiinda pushing it.

~~~
tptacek
It's memorable, and DROWN is an _amazing_ attack.

~~~
ljhsiung
I agree that it was amazing and super cool! Rather it's just a comment on the
relevance of the name to the actual attack, contorted to the purpose of a cool
acronym.

Just to stoke some fires, I think poodle is also in that bag.

~~~
tptacek
The comment isn't wrong about the name, I'm just compelled to say how awesome
DROWN is every time it's mentioned anywhere. It's really spectacular work.

------
fuzzer37
I think more projects should have cute mascots like this. Really like the
"Raccoon is not an acronym. Raccoons are just cute animals, and it is well
past time that an attack will be named after them :)" line.

------
deanstag
This writeup covered each and every question that popped up in my head in
pretty much the same order too. Clear and concise.

------
evan_
I assumed this was about the time Kevin Rose threw a raccoon down a flight of
stairs.

~~~
DJBunnies
Still a better offering than digg.

------
ccktlmazeltov
already posted 2 days ago:
[https://news.ycombinator.com/item?id=24421247](https://news.ycombinator.com/item?id=24421247)

Are the top comment and most of the responses going to be about the "raccoon"
in the name of the attack, or the first paragraph of the page (it's not really
exploitable), and not on the actual content again? Only time will tell.

------
josteink
> I am an admin, should I drop everything and fix this?

> Probably not. Raccoon is a complex timing attack and it is very hard to
> exploit.

Nice of them to put this up as one of the first non-technical bulletins.

No need to feed hysteria.

------
arminiusreturns
"BearSSL and BoringSSL are not affected because they do not support DH(E)
cipher suites. GnuTLS, Wolfssl, Botan, Mbed TLS and s2n do not support static
DH cipher suites. Their DHE cipher suites never reuse ephemeral keys."

Good for them.

------
blantonl
_The vulnerability is really hard to exploit and relies on very precise timing
measurements and on a specific server configuration to be exploitable._

It's interesting that they emphasize this is a really hard problem to solve,
and for 99% of use cases this really isn't an issue to worry about.

But if you work in national security or are sensitive to security threats from
nation states, this would certainly be an absolutely critical item to address
or understand.

National Security and nation states would absolutely use this as a target
where billions of dollars or thousands of lives could be at stake.

~~~
tptacek
I don't know why you assume this. It's true that state-level adversaries can
undertake more expensive attacks, but it doesn't follow that all expensive
attacks are useful. Here, the effort required to exploit this would probably
buy so many Firefox and Juniper remotes, and offer so little payoff, that it's
hard to imagine it ever being exploited.

Sometimes vulnerabilities are just valuable to science. The work that follows
up from this could be valuable to CNE and SIGINT!

------
pvg
Dupe of
[https://news.ycombinator.com/item?id=24421247](https://news.ycombinator.com/item?id=24421247)

~~~
ccktlmazeltov
Maybe this one will have comments that will be on the actual content this
time. Well, never mind.

------
bashinator
I was honestly thinking this was going to be about a pre-release game on Steam
that turns out to be called "Wanted: Raccoon"[1]

[1]
[https://steamcommunity.com/app/1320100](https://steamcommunity.com/app/1320100)

------
lxe
This attack seems pretty surgical and might not be very practical, but pretty
interesting nonetheless.

------
homakov
Timing attacks: never saw a real-world exploit working for them. Even in my
local tests without web server latency the results are indistinguishable.

Did anyone ever show a working timing attack for a web service? Even assuming
no DoS/request limiting is in place.

------
zkms
> Leading bytes of Z that contain all zero bits are stripped before it is used
> as the pre_master_secret.

What would possess someone to introduce a padding oracle/side-channel into
something that didn't even need it?

~~~
tialaramex
They simply misunderstood a document.

Almost everybody assigned the task of _implementing_ this stuff (SSLv3, last
century) didn't understand it, even for the old finite field DH where it's
just about within the grasp of someone with high school mathematics if you
insisted on having it explained before you implement. So it's just magic, and
once one person does it wrong everybody else must do it wrong or lose
interoperability.

And the "wrong" DH implementation works fine, except that it introduces a
slightly larger side channel.

You mention a padding oracle, this isn't a padding oracle. It's an _oracle_
because it provides the attacker with answers to questions they can't answer
themselves, but there isn't any padding involved here.

And it's a pretty weak oracle, the insight you gain from asking the oracle
questions is about a single pre-master secret, not the underlying DH private
key or any long term authentication key.

------
kerng
There is a trend with TLS attacks and fancy websites and names. :)

Is there a reason for that? Not really following the scene, the same group of
people finding these issues over the years and hence marketing is similar?

------
bzngcqt
If this is a timing sidechannel, why is it considered a protocol vulnerability
and not an implementation vulnerability? Could it be mitigated by using a
time-constant implementation of the KDF?

~~~
baby
Because the specification does not mandate a constant time operation.

~~~
dependenttypes
You are not mandated a constant-time AES implementation either.

~~~
baby
Nobody cares about an AES constant time implementation, but any specification
about MACs and signing algorithms will specifically mention that you need to
have constant-time operations.
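The rule zkms quotes above ("leading bytes of Z that contain all zero bits are stripped before it is used as the pre_master_secret") and the question of whether a constant-time KDF would fix it both come down to one thing: under the TLS 1.2 rule the byte length of the KDF input depends on the value of Z, so the KDF's work depends on a secret. The example below is added here and is not code from raccoon-attack.com or from any TLS library; it uses a constructed 16-bit toy group (real groups are 1024 bits and up), contrasts the stripping rule with the fixed-width encoding that TLS 1.3 uses, and stands in for the real TLS PRF with a plain HMAC.

```python
# Added example, not code from the Raccoon page or the thread. It shows the
# TLS <= 1.2 rule (leading zero bytes of the DH shared secret Z are stripped
# before it is used as the pre_master_secret), why that makes the KDF input
# length depend on Z, and the fixed-width encoding that removes the variation.
import hashlib
import hmac

# Constructed toy group (a 16-bit prime) so the loop below runs instantly.
# Real TLS groups are 1024 bits and up; only the scale of the integers differs.
P = 65521
G = 3

def shared_secret(priv: int, peer_pub: int, p: int = P) -> int:
    """Finite-field DH: Z = peer_pub ^ priv mod p."""
    return pow(peer_pub, priv, p)

def tls12_premaster(z: int) -> bytes:
    """Variable length: big-endian Z with leading 0x00 bytes stripped."""
    return z.to_bytes((z.bit_length() + 7) // 8 or 1, "big")

def fixed_width_premaster(z: int, p: int = P) -> bytes:
    """Fixed length: always as many bytes as the modulus p needs (TLS 1.3 style)."""
    return z.to_bytes((p.bit_length() + 7) // 8, "big")

def prf_stub(premaster: bytes, label: bytes) -> bytes:
    """Stand-in for the TLS PRF: an HMAC keyed with the pre_master_secret.
    The secret's byte length is what HMAC's key-processing path sees, which
    is why a fixed-width key removes the length-dependent branch."""
    return hmac.new(premaster, label, hashlib.sha256).digest()

def short_encoding_fraction(server_priv: int, n: int, p: int = P) -> float:
    """Fraction of n handshakes whose stripped pre_master_secret is shorter than
    the full modulus width, i.e. the property the Raccoon oracle leaks. Client
    private values 1..n are constructed, not random, so the result is fixed."""
    full = (p.bit_length() + 7) // 8
    short = 0
    for client_priv in range(1, n + 1):
        z = shared_secret(server_priv, pow(G, client_priv, p), p)
        if len(tls12_premaster(z)) < full:
            short += 1
        # The fixed-width encoding never varies, whatever Z is.
        assert len(fixed_width_premaster(z, p)) == full
    return short / n
```

Inspecting `short_encoding_fraction(...)` for a toy server key shows how rarely the shorter encoding occurs (roughly one in 256 per leading byte in a real-sized group), which is the "pretty weak oracle" tialaramex describes.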

------
pelagic_sky
None of you have dealt with raccoons before. They are vicious. They are
persistent. They will mess you up. You do not want to square up with a raccoon
without the intent to walk away without causing massive harm. Because when a
raccoon comes for you. It comes for keeps.

------
zzzeek
I wanted to see raccoons attacking something dammit. Stop naming your pet
vulnerabilities cute names with logos for chrissakes.

