'POODLE' Attacks, Kills Off SSL 3.0

A newly discovered design flaw in an older version of SSL encryption protocol could be used for man-in-the-middle attacks -- leading some browser vendors to remove SSL 3.0 for good.

Disable SSL 3.0 in browsers and servers: That's the recommendation of security experts in the wake of the discovery of a serious flaw in the nearly 15-year-old version of the encryption protocol. The flaw could allow an attacker to wage a man-in-the-middle attack against a user.

Google researchers announced late yesterday that they had discovered a vulnerability (CVE-2014-3566) in the older SSL (version 3) that could allow man-in-the-middle attacks on a user's encrypted web and other communications sessions. However, the so-called POODLE (Padding Oracle On Downgraded Legacy Encryption) attack would be tough to pull off, and the most likely scenario would be a determined attacker targeting a user or group of users, security experts say.

SSL 3.0 was replaced long ago by the newer Transport Layer Services (TLS) versions 1.0 and 1.2 in most SSL implementations, but the older version has been kept around mainly to support older client machines and legacy applications. Google now plans to remove SSL 3.0 altogether from its client software, including the Chrome browser, in the coming months. Mozilla says it will do so with Firefox on Nov. 25. According to some estimates, around 98% of websites still support SSL 3.0 for backward compatibility to older client machines and browsers.

But this is no Heartbleed vulnerability moment.

"It's not as bad as Heartbleed, but it's certainly real," says Dan Kaminsky, chief scientist at WhiteOps. The threat isn't fixable without disabling SSL 3.0, "but TLS has been out a long time, and the number of clients that can't speak it is small."

Ivan Ristic, director of engineering at Qualys and an SSL expert, concurs that POODLE is no Heartbleed. "It's a big problem, but it's not the end of the world," he says. "This is not an easy attack to carry out. It's an elaborate attack… There is a lot for the attacker to do to make it successful. The question is what's the motivation" to execute it.

According to security experts, the good news about POODLE is that it has sounded the death knell for the older version of the SSL protocol for encrypted communications. "It's very difficult to kill off old protocols," Ristic says. "It's very good to see" browser vendors and websites getting rid of SSL 3.0 because of it.

Google Security Team member Bodo Moller revealed the flaw in a blog post late yesterday after a flurry of industry speculation over whether yet another big Internet bug was in the wings. Most browsers are affected by the flaw, because they still support SSL 3.0, and Google says it supports a mechanism called TLS-FALLBACK-SCSV that would prevent an attacker from exploiting the SSL 3.0 flaw, he wrote. Some websites will break as Google disables SSL 3.0, so those sites "will need to be updated quickly" to drop SSL 3.0 support.

The attack can occur thanks to the support of SSL 3.0, and it is possible only when both a client and server include support for SSL 3.0. POODLE basically forces the use of SSL 3.0, which it then exploits. The attack would work like this: An attacker injects malicious JavaScript into the victim's browser, via code planted on a non-encrypted website the user visits, for example. Once the browser is infected, the attacker can execute a man-in-the middle attack, ultimately grabbing the victim's cookies and credentials from the secured web session.

"This is an attack on the client," Ristic says. It's similar to the BEAST man-in-the-middle attack from 2011. POODLE "has been known for a long time in one way or another. It was ignored because no one could see how it could be exploited" until now.

Karl Sigler, threat intelligence manager for Trustwave, notes that POODLE can work only if the victim is actively online and the attacker is physically near him or her, such as in a coffee shop or somewhere with public WiFi.

SSL-based VPN client software is not likely affected by POODLE, however. Ristic says he doesn't think the attack could be exploited on a VPN client. "And I wouldn't expect a modern VPN client to use SSL 3.0, anyway."

So why have SSL 3.0 at all? It has been kept alive mainly to support older client systems, such as Windows XP and Internet Explorer 6. The catch with disabling SSL 3.0, of course, is that IE6 users would be cut off -- something that is more of an issue overseas than in the US.

Meanwhile, SANS Internet Storm Center has set up an online POODLE test to see if your browser is vulnerable: A poodle pops up with a bubble screaming "Vulnerable!" if you are, and a Springfield terrier character pops up if you're not.

Recommended Reading: