TLS - what can go wrong?

Key generation

• Debian weak keys
• ROCA
• Shared prime factors (mining ps and qs)
• Shared non-private keys (e.g., using default keys shipped with applications)

Also see: badkeys

RSA encryption handshake

• Bleichenbacher,Klima,ROBOT,Marvin etc. attacks
• SSLv2 Bleichenbacher attack (DROWN)

RSA signature handshake

• RSA-CRT bug / modexp miscalculation (signature generation)
• Bleichenbacher signature forgery,BERserk (signature verification)

ECDSA / DSA handshake

• Duplicate r (not found in the wild yet)

Static DH/ECDH handshake

• KCI

Diffie Hellman

• Backdoor parameters, some detectable (e.g. non-prime modulus), others not
• Logjam (paper describes multiple attacks), too small parameters
• Ephemeral key reuse with small subgroup parameters
• DH/ECDH parameter confusion

ECDHE

• Curveswap
• Invalid Curve attack / ephemeral key reuse

Finished message

• Lack of check, also partial lack of check, Poodle has friends

CBC/HMAC

• BEAST
• Vaudenay's Padding Oracle (impractical due to encrypted error messages)
• Canvel's timing oracle
• Lucky Thirteen,Lucky Microseconds
• LuckyMinus20 (CVE-2016-2107)
• POODLE (SSLv3)
• Lack of padding check in TLS 1.0 and later (POODLE-TLS)
• Partial padding checks, More POODLEs in the forest
• MACE / Lack of HMAC check, also partial checks Poodle has friends
• Zombie POODLE / GOLDENDOODLE

GCM

• Duplicate or random nonces (Forbidden attack, Nonce-disrespecting adversaries)
• Lack of ghash check (not found in the wild yet)

Small block size

• Sweet32

RC4

• RC4 Biases, cipher design problem, unfixable

Compression

• CRIME (TLS compression)
• BREACH (HTTP compression)
• TIME,HEIST (TCP window trick, Javascript, timing + HTTP compression)

State machine errors

• SMACK, SkipTLS
• FREAK
• CCS Injection

HTTP/HTTPS related

• SSL Stripping
• Insecure redirects (e.g. https:// -> http://www. -> https://www.)

Parsing and validation logic issues

• Heartbleed
• STARTTLS command injection,other STARTTLS attacks
• Version intolerance, large handshake intolerance, middlebox breakage, ...
• goto fail

Certificate validation

• Missing certificate validation (see, e.g., insecure Python defaults)
• Frankencerts(Code Frankencerts)

Sidechannels

• Timing side channel allowing remote key recovery
• Timing side channels against symmetric ciphers (AES)
• Timing side channel allowing remote key recovery
• CPU cache side channels allowing private key recovery across processes/VMs (PortSmash (ECDSA and DSA keys),CVE-2018-0737 (RSA keys))

Underlying protocol interactions

• Cross-protocol attacks like ALPACA
• Unencrypted data channel in FTP (e.g., [https://github.com/python/cpython/issues/143497]( insecure default in Python's ftplib.FTP_TLS))

Others

• Insecure Renegotiation
• Triple Handshake
• Virtual Host Confusion
• Cookie cutter
• SLOTH
• Carry propagation bugs / math bugs (can cause RSA-CRT bug, Squeezing a key through a carry bit)