On Tuesday, Google's Bodo Möller, along with fellow researchers Thai Duong and Krzysztof Kotowicz, disclosed a vulnerability in SSLv3 that allows an attacker positioned on the network path to recover the plaintext of encrypted connections.
While the issue generated some hype late Monday and for most of the day on Tuesday, the underlying weakness is something many researchers have suspected, or known about, for some time.
According to the published advisory, the issue was discovered last month.
Called the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, the problem combines a padding-oracle weakness in SSLv3 with the fact that, in order to work with legacy servers, most TLS clients (browsers in particular) retry with an older protocol version each time a secure connection attempt (handshake) fails.
In this case, if an attacker controls the network between the client and the server and blocks every connection attempt that offers TLS 1.0 or later, the client's next best option is SSLv3, which is exactly what the attacker wants.
"SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue," wrote Möller.
This problem with SSLv3 has been around for a while, and many experts have called for the removal of SSLv3 because of it.
While it isn't a nightmare scenario, since the attacker must already be in a man-in-the-middle position, such attacks are still a serious problem, and in situations like this they stand a good chance of success because of the weaknesses in SSLv3.
Full details of the attack and how it would work are available in the advisory.
Google's researchers recommend disabling SSLv3 in the client or the server (ideally both) in order to prevent this attack, as well as others that rely on downgraded connections.
"If either side supports only SSL 3.0, then all hope is gone, and a serious update [is] required to avoid insecure encryption," the advisory explains.
However, cutting out SSLv3 entirely and suddenly could cause issues if it is still needed for legacy systems. If that's the case, Google recommends implementing support for TLS_FALLBACK_SCSV.
"This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks," explained Möller.
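The following Python simulation is an added illustration, not code from Google's advisory or from any TLS implementation, of the two behaviours described above: the browser-style fallback that retries with a lower protocol version after every failed handshake, and the TLS_FALLBACK_SCSV signal that lets a server refuse a fallback it did not need. The protocol versions are the real TLS version numbers and 0x5600 is the real TLS_FALLBACK_SCSV cipher-suite value, but the `Server`, `Network` and `connect` classes and the single placeholder cipher suite are assumptions made for this model; real handshakes carry far more state.

```python
"""Model of the browser fallback dance, an on-path attacker that blocks
newer protocol versions, and the TLS_FALLBACK_SCSV countermeasure.
The message shapes are simplified stand-ins for real TLS handshakes."""
from dataclasses import dataclass
from typing import List, Optional

# Real TLS/SSL version numbers as they appear on the wire.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}

TLS_FALLBACK_SCSV = 0x5600          # real value reserved for the signal
PLACEHOLDER_SUITE = 0x002F          # TLS_RSA_WITH_AES_128_CBC_SHA, stand-in


class HandshakeFailure(Exception):
    """Any failed connection attempt, regardless of who caused it."""


@dataclass
class Server:
    max_version: int
    min_version: int = SSL3
    # A buggy legacy server that rejects ClientHellos newer than it knows;
    # this is the server bug that made browsers adopt the fallback dance.
    intolerant: bool = False

    def handle(self, client_max: int, cipher_suites: List[int]) -> int:
        if self.intolerant and client_max > self.max_version:
            raise HandshakeFailure("server chokes on unknown version")
        # TLS_FALLBACK_SCSV rule: the client says it is retrying at a lower
        # version; if we support something higher, this fallback was not
        # needed, so someone on the path must have caused it. Abort.
        if TLS_FALLBACK_SCSV in cipher_suites and client_max < self.max_version:
            raise HandshakeFailure("inappropriate_fallback")
        chosen = min(client_max, self.max_version)
        if chosen < self.min_version:
            raise HandshakeFailure("protocol_version")
        return chosen


@dataclass
class Network:
    """Path between client and server. If block_above is set, an attacker
    drops every handshake that offers a version higher than that value."""
    block_above: Optional[int] = None

    def deliver(self, server: Server, client_max: int, suites: List[int]) -> int:
        if self.block_above is not None and client_max > self.block_above:
            raise HandshakeFailure("connection reset by attacker")
        return server.handle(client_max, suites)


def connect(server: Server, network: Network, send_scsv: bool = False,
            versions=(TLS12, TLS11, TLS10, SSL3)) -> Optional[int]:
    """Browser-style client: try the highest version first and retry with
    the next lower one after any failure. Returns the negotiated version,
    or None when every attempt failed."""
    for attempt, version in enumerate(versions):
        suites = [PLACEHOLDER_SUITE]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)  # announce that this is a retry
        try:
            return network.deliver(server, version, suites)
        except HandshakeFailure:
            continue
    return None


if __name__ == "__main__":
    modern = Server(max_version=TLS12)
    poodle_path = Network(block_above=SSL3)   # attacker blocks TLS 1.0+
    print("no attacker:          ", NAMES[connect(modern, Network())])
    print("attacker, no SCSV:    ", NAMES[connect(modern, poodle_path)])
    print("attacker, with SCSV:  ", connect(modern, poodle_path, send_scsv=True))
    legacy = Server(max_version=SSL3, intolerant=True)
    print("legacy server, SCSV:  ", NAMES[connect(legacy, Network(), send_scsv=True)])
```

The interesting cases are the last two printed lines: with TLS_FALLBACK_SCSV the attacker's blocking no longer yields an SSLv3 session (the server aborts with inappropriate_fallback and the client ends up with no connection rather than a weak one), while a genuinely SSLv3-only legacy server still gets its connection, because the fallback there was real. The same rule blocks an attacker trying to push a TLS 1.2 client down to TLS 1.0, which is the forward-looking benefit Möller mentions.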