
The ROBOT Attack


ROBOT is a vulnerability affecting RSA encryption in TLS, the protocol that provides the encryption at the heart of HTTPS-enabled websites.

How does it affect My1Login?

Before we go on to discuss the vulnerability, how it works and what it does, it's important to say that it does not affect My1Login services or our customers. My1Login's sites and applications have been reviewed and are not affected by this vulnerability.

Extensive information on the ROBOT vulnerability can be found at https://robotattack.org/. They explain:

The Vulnerability

ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.

In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.

We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today's Internet.

How bad is it?

For hosts that are vulnerable and only support RSA encryption key exchanges it's pretty bad. It means an attacker can passively record traffic and later decrypt it.

For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange, the risk depends on how fast an attacker is able to perform the attack. We believe that a server impersonation or man-in-the-middle attack is possible, but it is more challenging.

My1Login and RSA Ciphers?

One of the recommendations from the team that discovered the ROBOT vulnerability was for websites to disable RSA ciphers and only support Elliptic Curve ciphers.

Many of My1Login's customers are using older browsers, especially Internet Explorer 10 or earlier, which do not support the newer ciphers.
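As an added example (not code from My1Login or robotattack.org), the Python below classifies a constructed list of advertised cipher suites by whether their key exchange is plain RSA encryption, maps that to the two risk levels quoted above, and builds an OpenSSL cipher string that drops RSA key exchange while keeping an RSA certificate usable with ECDHE/DHE suites. The suite list is constructed; the `kea` field comes from Python's `ssl.SSLContext.get_ciphers()`.

```python
import ssl

# Constructed sample of cipher suites a server might advertise (IANA names).
# TLS_RSA_WITH_* suites encrypt the premaster secret with the server's RSA key;
# those are the suites a Bleichenbacher/ROBOT padding oracle is used against.
# ECDHE/DHE suites keep forward secrecy even with an RSA certificate (RSA only signs).
SAMPLE_SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",  # TLS 1.3: always (EC)DHE, never RSA key exchange
]

def uses_rsa_key_exchange(suite: str) -> bool:
    """True when the suite's key exchange is RSA encryption of the premaster secret."""
    return suite.startswith("TLS_RSA_WITH_")

def classify_suites(suites):
    """Split an advertised list into RSA-key-exchange suites and forward-secret ones."""
    rsa_kex = [s for s in suites if uses_rsa_key_exchange(s)]
    forward_secret = [s for s in suites if not uses_rsa_key_exchange(s)]
    return rsa_kex, forward_secret

def robot_exposure(suites) -> str:
    """Map the suite list to the two risk levels robotattack.org describes."""
    rsa_kex, forward_secret = classify_suites(suites)
    if not rsa_kex:
        return "not exposed"
    if not forward_secret:
        return "high: RSA key exchange only, recorded traffic can be decrypted later"
    return "reduced: forward secrecy available, but RSA key exchange still offered"

def hardened_context() -> ssl.SSLContext:
    """Server context that keeps an RSA certificate usable but removes RSA key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # OpenSSL cipher string: keep ECDHE/DHE AEAD suites, drop kRSA (RSA key exchange).
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!kRSA:!aNULL:!eNULL")
    return ctx

def rsa_kex_ciphers_enabled(ctx: ssl.SSLContext):
    """Names of enabled ciphers whose key exchange is plain RSA (expected: none)."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] == "kx-rsa"]

if __name__ == "__main__":
    print(robot_exposure(SAMPLE_SERVER_SUITES))
    print(rsa_kex_ciphers_enabled(hardened_context()))
```

Run against a real server's advertised list (for example from a TLS scanner's output), the same classification shows whether the "high" or "reduced" case from the quoted text applies.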

What do I need to do?

With regards to your My1Login account, nothing. It is not affected. Further information can be obtained from https://robotattack.org/.

