A new attack on the SSLv3 protocol, disclosed Tuesday, takes advantage of an issue within SSLv3 that enables a network attacker to recover the plaintext communications of a victim. The new attack is considered easier to exploit than previous attacks on SSL/TLS, such as BEAST and CRIME, and could even enable an attacker to retrieve a secure cookie for any given site.
The new attack, known as POODLE, was developed by several researchers at Google, including Thai Duong, who was one of the original developers behind the BEAST and CRIME exploits several years ago. POODLE takes advantage of the fact that when a secure connection attempt fails, clients will fall back to older protocols, such as SSLv3, in an attempt to once again communicate securely with the remote server. An attacker who can trigger a connection failure therefore has the ability to force the use of SSLv3 and then attempt POODLE.
“To work with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client; if this handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers. So if an attacker that controls the network between the client and the server interferes with any attempted handshake offering TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0,” Google researchers Duong, Bodo Möller and Krzysztof Kotowicz said in their security advisory (PDF) on the attack.
According to researcher Matthew Green, an assistant research professor at Johns Hopkins University and a cryptographer, once an attacker has access to the following, it should take about 256 web requests to obtain each byte of a cookie. Exploiting the flaw could take a considerable amount of time if multiple connections are made per minute.
The POODLE attack has a similar result to the earlier BEAST attack developed by researchers Duong and Juliano Rizzo back in 2011: the decryption of sensitive content sent over SSL. Simplified, the attacker can gain access to the plaintext of communication that took place over a secure connection. The BEAST attack differs in that it requires some highly specific conditions, and the technique is slower than POODLE. One researcher said the requirements for using the POODLE attack are less “onerous.”
The easiest workaround for POODLE is to disable SSLv3 entirely, but that may cause compatibility problems with older browsers. Problems could also arise for site operators, who typically wish to support a wide range of protocols in order to serve a broad range of users. Möller and Google security researcher Adam Langley have put forward a mechanism known as TLS_FALLBACK_SCSV that prevents fallback attacks in order to address the problem.
“Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks,” Möller said in a blog post.
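The following is an added example, not code from the article or from OpenSSL, modelling the server-side check that TLS_FALLBACK_SCSV introduces: a client that is retrying at a lower version includes the special cipher suite value 0x5600 in its ClientHello, and a server that supports a higher version than the one offered rejects the handshake with an inappropriate_fallback alert instead of silently negotiating SSLv3. The ClientHello encoding is simplified (no record or handshake headers, no extensions), and the sample handshakes are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86   # RFC 7507 alert code
SSLV3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSLV3: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}


def build_client_hello(client_version: int, cipher_suites: list[int]) -> bytes:
    """Encode a minimal ClientHello body (simplified: headers and extensions omitted)."""
    random_bytes = b"\x00" * 32           # constructed placeholder for the 32-byte random
    session_id = b"\x00"                  # zero-length session id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = struct.pack("!H", client_version) + random_bytes + session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                   # one compression method: null
    return body


def parse_client_hello(body: bytes) -> tuple[int, list[int]]:
    """Recover client_version and the offered cipher suites from the simplified body."""
    client_version = struct.unpack("!H", body[:2])[0]
    off = 2 + 32
    sid_len = body[off]
    off += 1 + sid_len
    suites_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + suites_len, 2)]
    return client_version, suites


def server_decision(body: bytes, server_max_version: int) -> str:
    """Apply the TLS_FALLBACK_SCSV rule: refuse a fallback below what the server supports."""
    client_version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        # The client is retrying at a lower version than it supports, and this
        # server could have done better: a downgrade (attacker-induced or not) is refused.
        return f"alert:{ALERT_INAPPROPRIATE_FALLBACK}"
    negotiated = min(client_version, server_max_version)
    return f"negotiate:{VERSION_NAMES[negotiated]}"
```

A server that still enables SSLv3 will keep accepting genuinely old clients that never send the SCSV, which is why the advisory pairs this mechanism with the longer-term goal of retiring SSLv3 altogether.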
The POODLE attack affects a wide range of software, including OpenSSL, which has had more than its fair share of vulnerabilities in recent months. Möller submitted a patch on Tuesday for the 1.0.1 branch of OpenSSL that adds support for the TLS_FALLBACK_SCSV mechanism to prevent POODLE attacks.
SSLv3 is an obsolete and insecure protocol that is over 15 years old. It’s time for SSLv3 to be discontinued, and with the recent disclosure of the POODLE attack, we can hope to see its death in the near future.