POODLE Attack on SSL 3.0
May 28, 2015 | POSTED BY STEVEN ANDERSON IN ENCRYPTION
The POODLE attack or "Padding Oracle On Downgraded Legacy Encryption" is a fairly recent attack that takes advantage of both the backwards compatibility integrated into SSL/TLS protocols and the means by which SSL/TLS protocols are negotiated. Its purpose is to force a downgrade from TLS 1.0/1.1/1.2 to SSL 3.0, which has an inherent flaw that allows for an actor to decrypt a client-side cookie containing authentication data.
The Negotiation Phase
During the negotiation phase of protocol selection, the client sends a "ClientHello" to the server along with a requested protocol version number. The server then responds with a "ServerHello" and the version number of the protocol it is capable of using. If the client's requested version number matches what the server can use, communication begins. If it does not, and the server's protocol is lower than the client's request, the client decides whether or not it is willing to downgrade to the server's version. If it is not, the communication ends with a security validation error. If it is willing, communication begins with the decided upon version.
During the negotiation phase, POODLE requests SSL 3.0 rather than TLS 1.0/1.1/1.2. If the other end approves the connection, then the attacker is able to use this interoperability feature to eventually decrypt the website authentication cookie. The attacker only needs to make on average 256 SSL 3.0 requests per byte of data. Approximately once every 256 requests, one request will get approved by the server, revealing one byte of the cookie. The attacker then shifts that cookie's data and repeats the attack until every byte of the cookie has been discovered. This is possible due to the way blocks of data are encrypted within SSL 3.0. The most common implementation of this attack is performed as a man-in-the-middle attack.
The likelihood that this specific vulnerability presents a threat to you is low because although this vulnerability has existed for a long time, there are no recorded incidents of its exploitation; it takes man-in-the-middle access, a lot of time, and ultimately a lot of effort. Unless you are a high-profile entity, you will probably never see it in use.
The moral of the story, however, is still quite important: keep a close eye on the encryption algorithms you are using. It is easy to assume you are protected because you are using encryption, but if you are using an encryption algorithm with known weaknesses you could be introducing an undetermined level of risk to your environment.
Here are some steps you can take to mitigate risk associated with POODLE:
- ? NOTE: There is currently no "fix" for this vulnerability in that the feature being taken advantage of serves a necessary purpose: the interoperability of legacy software.
- ? If possible, disable SSL 3.0 on devices to prevent protocol downgrade. (This action may cause compatibility issues with other systems/software.)
- ? On the server side OpenSSL should be upgraded to the latest versions.