POODLE attack on SSL menaces Internet, it’s time to disable it by default

Pierluigi Paganini October 15, 2014

The POODLE against SSL 3.0. A new attack on SSL is threatening the Internet again, it allows bad actors to decrypt traffic over secure channels.

Another critical flaw affects one of the protocols most used to secure Internet traffic, Secure Sockets Layer (SSL) and attacker could exploit the attack dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption) to run a man-in-the-middle.

POODLE attack has been disclosed by the same team of researcher that made public BEAST (2011) and CRIME (2012) attack, the attack could be exploited by bad actor to eavesdrop the victim’s traffic over a secure channel implementing a man-in-the-middle tactic. The vulnerability was documented by the Google security experts Bodo Möller, Thai Duong, and Krzysztof Kotowicz.

The problem is related to the extended support implemented by the majority of Web servers and Web browsers to the SSL version 3 protocol to secure communication channels despite it has been replaced by the Transport Layer Security (TLS). In the following image some statistics related to Alexa Top 1 Million Domains published on https://zmap.io/sslv3/.

POODLE stats

Unfortunately SSLv3, unlike TLS 1.0 or newer, doesn’t perform validation of all data related every message sent over a secure channel, this circumstance allow a bad actor to decipher every single byte at time of the encrypted traffic and see it in clear text.

The official paper on the POODLE attack published by the researcher states:

“To work with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client; if this handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers.
So if an attacker that controls the network between the client and the server interferes with any attempted handshake offering TLS 1.0 or later, such clients will readily confine them selves to SSL 3.0. Encryption in SSL 3.0 uses either the RC4 stream cipher, or a block cipher in CBC mode. RC4 is well known to have biases [RC4­biases], meaning that if the same secret (such as a password or HTTP cookie) is sent over many connections and thus encrypted with manyRC4 streams, more and more information about it will leak.”

Typical POODLE attacks scenarios see the victim access to a web resource over a protected channel via a bogus Wi-Fi hotspot or a compromised ISP, the attacker then is able to extract data from secure connections.

The key point though, is that even though newer and more secure versions of SSL are out and are being used, browsers work with older protocols when connections fail. This means an attacker can cause connection problems with the intent of triggering a deprecated version of SSL, leading to the exploitation of the service, and allowing for once-encrypted information to be seen in plain-text.” states a blog post from Sucury

The SSLv3 weakness can be exploited by an attacker to run a man-in-­the-middle attack and to decrypt “secure” HTTP cookies, using the BEAST attack. As explained by the researchers to launch the POODLE attack (Padding Oracle On Downgraded Legacy Encryption), it is necessary to run a JavaScript agent on a compromised server (evil.com (or on http://example.com)).

In a real attack scenario a threat actor could set up a bogus WI-Fi hotspot, which injects a piece of JavaScript on the non secure HTTP connection while on secure HTTP connections, it intercepts the traffic and reorganizes it.

The injected JavaScript force the browser to repeatedly try to load an image from the targeted website (e.g. Banking website), each image request will include the session cookie, and the JavaScript ensures that each of these requests is specifically crafted to ensure that the one byte of the session cookie is placed in a specific position within each SSL message.

The bogus router will then reorganize the SSL message, copying the portion with the session cookie to the end of the message. In many cases the server is not able to decrypt it, causing connection failure, but occasionally (1 in 256 attempts), the message will decrypt successfully allowing the attacker to decipher a single byte of the session cookie.

The malicious JavaScript iterates the process for the different bytes that make up the session cookie, despite most of the time this will result in the connection being broken because it doesn’t decrypt properly, the attacker will be able to reconstruct the session cookie.

As explained by the researchers the TLS 1.0, and newer versions, performs more robust validation of the decrypted data, unfortunately there is no fix for the SSLv3 and for this reason there is no way to mitigate it.

Consider that software like Internet Explorer 6 on Windows XP make use of SSLv3 and are no more supported exposing users to the POODLE attack.

Security experts suggest to disable by default the SSLv3 support at the server, CloudFlare announced that it was implementing this policy for its servers. On client side, users are invited to disable SSLv3 in their browsers. Below the instructions for most popular web browsers published by ArsTechnica.

“Firefox 34 will disable SSLv3 by default. In the meantime, This page has instructions for Internet Explorer and Chrome, and this tells Firefox users what to do. The situation for Chrome is currently a little unsatisfactory, as it uses a command-line switch to disable SSLv3 rather than a setting. If that switch is not used (for example, if the browser is launched by clicking a link in an e-mail rather than through a shortcut) then SSLv3 will remain enabled.”

A test for your browser is available at this link

poodle test

Pierluigi Paganini

(Security Affairs –  POODLE attack, MITM)

you might also like

leave a comment