Vulnerable to SWEET32?

jpjp · February 10, 2017, 8:07pm

Is Syncthing really vulnerable or is this a false positive?

# nmap --script ssl-enum-ciphers -p 8384 localhost
...
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
...

calmh · February 10, 2017, 10:31pm

We certainly never ever agree to speak 3DES so from that error message I doubt it’s correct. But I don’t know much about that vulnerability and I’m at dinner so let me check it out tomorrow.

calmh · February 10, 2017, 10:33pm

Actually, hold that. We might allow 3DES for the GUI, the place where we strictly lock down the crypto is for device to device connections.

calmh · February 11, 2017, 10:41am

Looking closer at it, it’s entirely possible that the GUI connection could be susceptible to this. We use the Go default TLS settings, which does include 3DES as one possible cipher. Reading about SWEET32:

We show that a network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic. In our proof-of-concept demo, this attack currently takes less than two days, using malicious Javascript to generate traffic. Keeping a web connection alive for two days may not seem very practical, but it worked easily in the lab.

I don’t think this is a practical attack against the GUI. It would need to be 3DES to begin with (which I would be surprised to see negotiated) and transfer 785 GB of traffic (which I would be surprised to see the GUI do, even if we do poll things now and then).

All in all, I don’t think it’s something to worry about. Although I would accept a PR to narrow down the cipher selection a little for the GUI port as well, while attempting to keep some sort of reasonable browser compatibility.

(None of this affects the sync connections, where it would be bad if we had this vulnerability.)

canton7 · February 11, 2017, 11:34am

We assume that the attacker can control some JavaScript on a web page loaded by the user’s browser, either by actively tampering with an HTTP response on the wire, or by hosting a malicious website that the user is fooled into visiting.

So, requires MITM or phishing. With the Gui, if you can do one of those things you’ve already won: no need to use this attack.

jpjp · March 13, 2017, 11:45am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.