Security Experts:

Will POODLE's Bite Kill SSL 3.0?

Researchers have disclosed a design flaw (CVE-2014-3566) in SSL 3.0 which lets attackers extract session cookies and other secrets from encrypted online communications.

The good news is that security experts believe the seriousness of the flaw is tempered by the overall difficulty in exploiting the issue. The even better news is the resulting publicity could hasten the demise of SSL 3.0 as products finally stop using the 15-year old security protocol.

"This vulnerability allows the plaintext of secure connections to be calculated by a network attacker," Google researcher Bodo Möller wrote on the Google Online Security Team blog Tuesday afternoon. In other words, an attacker can retrieve a supposedly secure cookie for a given site.

Möller and two other Google researchers, Thai Duong and Krzysztof Kotowicz, outlined the details of Padding Oracle On Downgraded Legacy Encryption (POODLE) in a security advisory posted on OpenSSL.org. Much like the BEAST attack against Apache servers publicized by Duong a few years ago, Poodle relies on man-in-the-middle attacks to break SSL sessions. However, unlike BEAST, which requires Java applets, Poodle is much easier to launch as it uses Javascript.

There were rumblings among the security community earlier this week about the forthcoming disclosure of a serious vulnerability in the Secure Sockets Layer protocol. When Google researchers Thai Duong, Möller, and Krzysztof Kotowicz finally posted the details of the flaw on Google's Online Security Team's blog Tuesday afternoon, it was clear the vulnerability, while widespread, was not brand-new.Poodle centers on an issue security researchers have speculated about for quite some time.

"Poodle is the latest in a long line of similar attacks against known weaknesses in SSL's use of cipher block chaining (CBC)," Daniel Franke, a security researcher at Akamai, wrote in a detailed discussion historical mistakes which allow Poodle to work.

Offering Backward Compatibility

SSL 3.0 was replaced by Transport Layer Security (TLS) back in 1999, and most modern servers and applications nowadays use TLS 1.1 or 1.2 to protect data in transit on the Internet. Why then, would SSL 3.0 still be a matter of concern? SSL 3.0 remains widely supported in order to be backwards compatible with legacy systems. Websites that still support Internet Explorer 6 use SSL 3.0, for example. Even though many modern applications disable SSL 3.0 by default, many administrators had to enable it to support Windows XP and other clients.

And Poodle takes advantage of the fact that clients—Web browsers included—will downgrade to the older, less secure, protocol to maintain secure connections with legacy servers. In a normal secure session, the server and the client establish a secure connection with a protocol handshake. If the attempt to create a secure connection fails, then the client fallbacks to the older protocol to finish creating the connection. The downgrade can be triggered by network glitches as well as active attackers.

“To work with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client; if this handshake fails, retry (possibly repeatedly) with earlier protocol versions," Duong, Kotowicz, and Möller wrote in the advisory.

About 97 percent of SSL Web servers are likely to be vulnerable to Poodle attacks, Netcraft estimated. Even if TLS is present, Poodle can force the client can to use SSL 3.0 instead, making the scope of the vulnerability very broad. The Qualys SSL Labs test is a good way to find out all the different SSL implementation details supported by a given site.

Even though Internet Explorer 6 is not as visible as it used to be, "there are a whole heap" of sites built during the browser's heyday and still support SSL 3.0, notes security researcher Troy Hunt.

Poodle Requires MitM

Even though Poodle is considered to be easier to exploit than the older BEAST or CRIME attacks, it's still a multi-stage attack that requires all the pieces to be in place first. In order to launch a Poodle attack, the adversary first needs to set up a man-in-the-middle attack to grab control of the network and the victim's Internet connection. One example is setting up a malicious Wi-Fi access point in a public location such as a café. The attackers will also need to be able to run Javascript code inside the victim's browser, which can be done by tricking the victim into visiting a specially crafted Website.

"It [Poodle] requires someone to be a man-in-the-middle to exploit. This means you are probably safe from hackers at home, though not safe from the NSA. However, when at the local Starbucks or other unencrypted Wi-Fi, you are in grave danger from this hack," wrote Errata Security's Robert Graham.

It's also important to note that Poodle exposes session cookies. The attackers won't get the user's password to email accounts or other online services, but will still be able to log in as the user so long as the session cookie is valid. "Thus, while you are at Starbucks, some hacker next to you will be able to post tweets in your Twitter account and read all your Gmail messages," Graham said.

Once the attacker is correctly positioned in the network, session hijacking attacks against web applications are "reasonably feasible," Netcraft's Robert Duncan noted. A typical 32-byte session cookie could be retrieved after eavesdropping just over 8,000 HTTPS requests using SSL 3, he estimated.

"The SSLv3 POODLE attack is probably not going to be widely exploited as Shellshock or Heartbleed, because it requires the attacker to control parts of the network," said Aviv Raff, CTO and co-founder of Seculert.

Disabling SSL 3.0 Outright

There is a simple fix: disable SSL 3.0 outright on both server and client sides and use TLS only. Ideally, sites should disable SSL 3.0, says Ivan Ristic, director of engineering at Qualys. Carrying it out is going to cause some things to break first, though.

Doing so would result in "significant compatibility problems" with older browsers and servers, especially Internet Explorer 6, Möller said. Google has scrubbed SSL 3.0 support from its flagship Chrome browser, and the company is in the process of removing it from other products, he said.

"You could pretty much kill it in most places today, but you’ve also got to remember that there are a heap of other clients out there talking over HTTPS which may depend on falling back to SSL 3.0. I’m not sure, for example, if some early generation smart TVs will simply stop working if TLS is required by the server. It’s the uncertainty that keeps these early generation technologies alive," Hunt said

Many companies have hesitated to disable SSL 3.0 outright, but Poodle may make the decision much easier. CloudFlare announced it has disabled SSL 3.0, and that this would adversely impact a mere 0.09 percent of their traffic.

"Apparently they are comfortable with breaking IE6—which is good guidance for other people considering the same," Graham wrote.

Microsoft posted an advisory with instructions on disabling SSL 3.0 from Windows desktops and servers. Users can disable SSL 3.0 on Internet Explorer by un-checking the box in the Advanced tab under Internet Options. Twitter's security team also posed on the micro-blogging site that SSL 3.0 has been disabled and users should restart their browsers. Mozilla plans to disable SSL 3.0 by default in the next version of its Firefox browser, to be released on Nov. 25.

"SSL version 3.0 is no longer secure," Mozilla said on its blog. "Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible." Users can pre-emptively disable SSL 3.0 by going to about.config on Firefox, search for "security.enable," and set the ssl3 value to false.

Hunt noted that Poodle is a perfect example of why it's important to keep software current. "What is 'fine' today can be suddenly broken beyond repair tomorrow," he wrote. "If you’re running IE 6 today (yes, there are still some) and you don’t have a choice in upgrading because 'reasons', you’re stuffed."

For cases where SSL 3.0 can't be disabled, there is TLS_FALLBACK_SCSV. This mechanism, supported on Chrome and Google servers since February, prevents attackers downgrading to SSL 3.0 without breaking the TLS connection. Moller on Tuesday submitted a patch for the 1.0.1 branch of OpenSSL to add support for TLS_FALLBACK_SCSV.

"So Poodle should put a stake most of the way through SSL’s heart, and SCSV will help us keep it there. Long live TLS," Andy Ellis, CSO of Akamai wrote.

Poodle Isn't BEAST or a Nightmare

Poodle's attack surface is more towards clients, or users using browsers in public or guest networks, while Shellshock and Heartbleed were server-side issues, Raff noted. It isn't quite a network administrator nightmare on the scale of Shellshock and Heartbleed, and users can actually do something to protect themselves.

Heartbleed and Shellshock were remote exploits where attackers can launch attacks from anywhere in the world. Poodle reduces the geographic area since the attacker has to first launch a man-in-the-middle attack. The biggest risks comes from those "who control internet infrastructure," Hunt noted. For example, the Iranian government used forged certificates from DigiNotar a few years ago to intercept all Internet traffic within Iran.

"Poodle allows the hacking of clients – your web browser and such. If Heartbleed or Shellshock merited a 10, then this attack is only around a five," added Graham.

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.