Taming the POODLE (Padding Oracle On Downgraded Legacy Encryption) using TLS_FALLBACK_SCSV

January 14, 2015 / Network and Security

The POODLE attack is an attack in which an eavesdropper/man in the middle (MITM) takes advantage of the backward compatibility of the server and the client to fall back to SSL 3.0. If the attacker is able to manipulate the server into using the older version of SSL instead of TLS 1.0 and above, then the attacker can carry out the POODLE attack and may steal confidential data.

This weak link is exploited because many old web browser versions still support SSL 3.0, which has now become obsolete and can no longer be used as an effective security protocol.

What is a Poodle attack?

To understand the POODLE attack we must first understand SSL and TLS. SSL (Secure Sockets Layer) is a protocol used to transfer private encrypted data, and it delivers communication security over the Internet. It encrypts the data that is sent over the network, using cryptography for confidentiality and a keyed message authentication code for message reliability. It operates between the high-level application protocol and the Internet's TCP protocol.

SSL is needed to authenticate the client and the server, and it establishes an encrypted connection between them. It provides security against MITM attackers or eavesdroppers. SSL includes two sub-protocols: the Record Protocol and the Handshake Protocol. The format in which the data is transferred is known as the Record Protocol. The exchange of messages between the server and the client, which is done using the Record Protocol, is known as the Handshake Protocol.

TLS (Transport Layer Security)

TLS is a protocol used for maintaining privacy between the user and the application layer. It may be viewed as SSL 3.1 and can be defined as the successor of SSL. Unlike SSL, TLS makes use of HMAC (hash-based message authentication code) and has more alert codes; Fortezza encryption and key exchange are not supported by TLS.

It does not have the master_secret and pads in the hash; the hash is computed over the handshake messages. TLS (Transport Layer Security) also offers a secure channel by encrypting communication over the Internet.

The POODLE vulnerability was brought to light by Google tech security team employees Bodo Möller, Krzysztof Kotowicz and Thai Duong. A variant of the POODLE attack on TLS became known on 8 December 2014. The Common Vulnerabilities and Exposures (CVE) IDs are CVE-2014-3566 and CVE-2014-8730.

This new version of the POODLE attack against TLS does not require downgrading clients to SSL 3.0. In the POODLE attack against SSL, the attacker cannot attack from the other side of the world as in the Heartbleed or Shellshock attacks. Thus Ivan Ristic does not consider the magnitude of the POODLE attack to be as bad as the Heartbleed or Shellshock attacks back in April and October 2014 respectively.

In the context of the POODLE attack, if the client asks the server to establish a connection and its Handshake Protocol message (the client hello) proposes a version of SSL/TLS that is lower than the version supported by the server, the connection it is trying to establish will be terminated, because the server assumes that the client is intentionally trying to fall back to a previous version of Secure Sockets Layer (e.g. SSL 3.0).

The fix comes in the form of patches such as TLS_FALLBACK_SCSV (Signaling Cipher Suite Value), but not all web browsers support this cipher suite. The entire success of the POODLE attack depends on the MITM's ability to steal session cookies and data transmitted to and fro over the Internet. Think of the messages stored in webmail, or imagine what could happen if tweets and posts were made in your name: all sorts of harm.
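The server-side decision behind TLS_FALLBACK_SCSV, as an added example that is not part of the original article: it follows the rule in RFC 7507 (signaling value 0x5600, fatal alert 86). The function names and the ClientHello messages are constructed for illustration.

```python
TLS_FALLBACK_SCSV = 0x5600          # signaling cipher suite value (RFC 7507)
ALERT_INAPPROPRIATE_FALLBACK = 86   # fatal alert description (RFC 7507)
SSL3, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)   # wire versions as (major, minor)


def parse_client_hello(msg: bytes):
    """Return (client_version, cipher_suites) from a ClientHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x01:           # handshake type 1 = client_hello
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 34                                     # skip version (2) + random (32)
    pos += 1 + body[pos]                         # skip session_id
    if pos + 2 > body_len:
        raise ValueError("truncated ClientHello")
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2 or pos + cs_len > body_len:
        raise ValueError("bad cipher_suites length")
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    return version, suites


def server_fallback_check(msg: bytes, server_max=TLS12):
    """Return the fatal alert to send, or None if the handshake may continue."""
    version, suites = parse_client_hello(msg)
    # The client says "this is a fallback retry", yet the server could have
    # spoken a newer version: something on the path forced the downgrade.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def build_client_hello(version, suites):
    """Constructed sample input: zero random, empty session_id, null compression."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body = bytes(version) + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    return b"\x01" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    # 0xC02F = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0x002F = TLS_RSA_WITH_AES_128_CBC_SHA
    print(server_fallback_check(build_client_hello(TLS12, [0xC02F, 0x002F])))         # first attempt
    print(server_fallback_check(build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])))  # forced retry
    print(server_fallback_check(build_client_hello(SSL3, [0x002F])))                  # legacy client
```

The legacy-client case passes the check because a client that never sends the signaling value cannot be protected by it, which is why disabling SSL 3.0 is still listed as a separate measure.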

SSL Versions

SSL 1.0: Not released publicly; established in the early 90s

SSL 2.0: The emerging web world initiated the need for it in 1995

SSL 3.0: A complete overhaul that solved the bugs in version 2.0. Launched in '96

TLS 1.0: Great improvements over the previous SSL version though for the interoperability

TLS 1.1: RFC (Request for Comments) from 2006, with resistance against attacks on earlier versions

TLS 1.2: From 2008, with loads of features for firming up the cryptographic implementation

To keep the POODLE attack away:

– When using SSL 3.0, disable the cipher block chaining (CBC) based cipher suites on either the client or the server

– Disable SSL 3.0 on the client and server side, and ensure that the server as well as the client support TLS versions beyond TLS 1.0

– Implement TLS_FALLBACK_SCSV in browsers and on the server side, thereby quashing the downgrade attack

– Implement record splitting (anti-POODLE), which fragments records into many parts so that it is not possible to carry out the attack. A problem with splitting is that, although it is valid according to the specification, it may cause compatibility issues in server-side management.

It is estimated that, among the top 1 million domains listed in Alexa, nearly 97% of HTTPS-enabled websites support SSL 3.0, whereas 0.12% of domains did not support any TLS version.

| Version SSL / TLS | No. of Websites | Percentage |
|---|---|---|
| HTTP | 392,956 | 41.2% |
| HTTPS Only | 560,820 | 58.8% |

| Version SSL / TLS | No. of Websites | Percentage for HTTPS |
|---|---|---|
| SSLv3 | 1,186 | 0.02% |
| TLS 1.0 | 229,001 | 40.9% |
| TLS 1.1 | 3,820 | 0.7% |
| TLS 1.2 | 326,479 | 58.3% |

Google's servers and the Chrome browser support TLS_FALLBACK_SCSV (Signaling Cipher Suite Value). In November 2014, Chrome 39 made SSL 3.0 fallback completely inactive. Firefox plans for Firefox 35 to activate TLS_FALLBACK_SCSV. Microsoft will disable fallback to SSL 3.0 for Protected Mode sites in Internet Explorer 11. Apple's Safari removed all support for cipher block chaining protocols in SSL 3.0, leaving only RC4 (ARCFOUR), which may still be vulnerable to attacks in SSL 3.0.

One of the best safeguards is to completely deactivate SSL 3.0 on the server as well as the client and to implement TLS_FALLBACK_SCSV. This is something which should have been done at the beginning of the millennium, but the Internet's old infrastructure is still loaded with poor-quality servers, outdated web browsers and load balancers that cannot function without the old SSL 3.0, so the fallback is still enabled in the new versions.

We have to move beyond this interoperability, and changes have to be made by the administrators in the upcoming versions of the browsers as well as the servers. It is also up to us to choose a good hosting provider. We must keep in mind that, instead of finding the solution after being attacked, it is wiser to take preventative steps to avoid being vulnerable to attacks.
