Maximilian Radoy, Sven Hebrok, and Juraj Somorovsky presented the results of their current research on TLS security at the 29th European Symposium on Research in Computer Security (ESORICS). TLS (Transport Layer Security) is a critical protocol for securing internet communication, protecting billions of users worldwide from data loss and attacks.
In their publication In Search of Partitioning Oracle Attacks Against TLS Session Tickets, the authors analyzed whether the “Partitioning Oracle Attack,” discovered in 2021, could also be applied to the TLS communication protocol. Prior to this study, it was assumed that TLS was protected against this attack. However, this assumption was disproven, as the authors demonstrated that the attack is applicable to TLS Session Tickets.
Crash Course: TLS Session Tickets
TLS Session Tickets allow for the reuse of cryptographic parameters during repeated connections to a server, enabling faster connection setup. While the standard provides recommendations on how the tickets should be constructed, it does not impose strict requirements. The research shows that several TLS libraries do not adequately secure their session tickets against Partitioning Oracle Attacks.
Evaluation & Results
In their practical evaluation, the researchers found that most existing web servers behave securely. This is due to the small market share of vulnerable servers. Additionally, the computation required for the necessary tickets is high, and the key material must be poorly chosen to detect the attack—though this is not necessarily required to exploit the vulnerability.
Nevertheless, this work highlights the importance of incorporating security-critical measures into standards as mandatory requirements, rather than leaving them as optional recommendations. When such measures are merely suggested, implementations may bypass or overlook critical security steps, leading to serious vulnerabilities. The freedom to implement tickets in different ways has allowed these security gaps to emerge. Therefore, standards should be revised so that these security measures are mandatory for all implementations.