nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE

Pull it out ASAP, it is SWISS CHEESE

By Darren Pauli, 14 Oct 2014

Poodle As warned by The Register, researchers have discovered a security vulnerability in SSL 3.0 that allows attackers to decrypt encrypted website connections.

Miscreants can exploit a weakness in the protocol's design to grab victims' secret session cookies. These can be used to log into online accounts, such as webmail, social networks, and so on.

The attack is, we're told, easy to perform, and can be done on-the-fly using JavaScript – provided you can intercept the victim's packets, perhaps by setting up a malicious Wi-Fi point in a cafe or bar.

SSL is supposed to encrypt your communications, such as your connection to your bank's website, so eavesdroppers can't steal or tamper with your sensitive information while it's in transit.

Google revealed details of the design flaw on Tuesday, and dubbed it POODLE – short for Padding Oracle On Downgraded Legacy Encryption. It is a blunder within the blueprints of SSL 3.0 rather than a software bug, so it affects any product following the protocol – from Google Chrome and Mozilla Firefox to Microsoft Internet Explorer.

Google security bod Bodo Möller explains that snoopers can trigger network faults to push web browsers into using SSL 3.0, an 18-year-old protocol that should have been binned long ago. Ideally, the browser should be using the superior encryption protocol TLS, which does not suffer from the POODLE shortcoming.

"Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue," Möller said.

One simple solution is to stop using SSL 3.0 and instead use TLS only. This applies to web browsers and websites.

Google's response to the flaw is to scrub SSL 3.0 support from its flagship Chrome browser. Websites and other browsers are also expected to end support for SSL v3 as it's now considered insecure by design, and instead enforce the use of TLS for HTTPS connections.

Google also recommends browsers and web servers use TLS_FALLBACK_SCSV, the Transport Layer Security Signalling Cipher Suite Value that blocks protocol downgrades.

Doing so will be more effective than simply killing off SSL 3.0 support: that's because using this magic value should prevent all future downgrade attacks. Chrome and Google's web servers already support TLS_FALLBACK_SCSV, we're told.

Websites that end support for SSL v3 will become incompatible with older browsers and OSes – particularly Internet Explorer 6 and Windows XP. The POODLE vulnerability could well be the final nail in the coffin for machines stuck on IE6 and XP once major websites stop supporting the legacy insecure protocol.

The details of the flaw are explained in a paper written by Möller, and fellow Google security chaps Thai Duong and Krzysztof Kotowicz.

"If either side supports only SSL 3.0, then all hope is gone, and a serious update required to avoid insecure encryption," they write in The POODLE Bite: Exploiting The SSL 3.0 Fallback [PDF].

"If SSL 3.0 is neither disabled nor the only possible protocol version, then the attack is possible if the client uses a downgrade dance for interoperability."

The flaw allows attackers to steal secure HTTP cookies and headers, among other sensitive data. Here's some more detail from the paper:

To work with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client; if this handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers. So if an attacker that controls the network between the client and the server interferes with any attempted handshake offering TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0.

A fourth Google security bod, Adam Langley, said the POODLE attack was similar to the 2011 BEAST attack in that it allowed the plucking of plaintext from an encrypted stream, but differed in that it did not require "extensive control of the format of the plaintext" and was therefore more practical to pull off.

"This should be an academic curiosity because SSL 3.0 was deprecated very nearly 15 years ago," Langley said.

"However, the internet is vast and full of bugs. The vastness means that a non-trivial number of SSL 3.0 servers still exist and work-arounds for the bugs mean that an attacker can convince a browser to use SSL 3.0 even when both the browser and server support a more recent version.

"Thus, this attack is widely applicable."

A step-by-step guide to how POODLE attacks work can be found here.

"POODLE allows the hacking of clients – your web browser and such. If Heartbleed or Shellshock merited a 10, then this attack is only around a five," added computer security expert Robert Graham.

"It requires someone to be a man-in-the-middle to exploit. This means you are probably safe from hackers at home, though not safe from the NSA. However, when at the local Starbucks or other unencrypted Wi-Fi, you are in grave danger from this hack.

"What the hacker will try to do is hack your session cookies. That means they won't get your password for your account, but they will be able to log in as you into your account. Thus, while you are at Starbucks, some hacker next to you will be able to post tweets in your Twitter account and read all your Gmail messages." ®

The Register - Independent news and views for the tech community. Part of Situation Publishing