Crypto In The Crosshairs Again

More than 10 percent of servers running one of the newer versions of SSL encryption on the web so far have been found vulnerable to an attack that originally was thought to only affect servers and browsers supporting the older encryption protocol.

It turns out a serious flaw in the nearly 15-year-old SSL 3.0 extends to a newer generation of SSL -- Transport Layer Security (TLS) 1.0, 1.1, and 1.2 -- researchers have found. The so-called POODLE (Padding Oracle On Downgraded Legacy Encryption) attack abuses the bug and could allow man-in-the-middle attacks against a user's encrypted web and other online sessions.

The attack was first revealed in October, prompting security experts to call for disabling SSL 3.0 in browsers and servers, and Google and Mozilla removing the older SSL 3.0 altogether from their browsers. Although SSL encryption on the Net today now employs the newer TLS 1.0 and 1.2, most websites still offer SSL 3.0 mainly to support older client machines and browsers.

Like Heartbleed, the bug is based on an implementation issue, which lately has become the bane of open-source software -- and especially the SSL/TLS encryption protocols.

POODLE's bark may be worse than its bite, however, since it takes a determined attacker to pull off the exploit: An attacker must be physically near his or her target, such as in a coffee shop or other public WiFi location. It forces the use of the vulnerable protocol, and an attacker then injects malicious JavaScript into the victim's browser via code planted on a non-encrypted website the user visits, for instance. Once the user's browser is infected, the attacker wages a man-in-the-middle attack and steals credentials and cookies from the SSL session.

Ivan Ristic, director of engineering at Qualys, says this new POODLE attack affects a smaller number of servers than the SSL 3.0, which affected nearly all servers. "But it's still more than 10% of the web," he says of the TLS systems now vulnerable to POODLE.

The good news is that the latest versions of SSL -- known as Transport Layer Security (TLS) in standards parlance -- are stronger and becoming more streamlined to avoid potential implementation problems like Heartbleed and POODLE.

The Internet Engineering Task Force (IETF) is working on a brand-new version of the encryption protocol, TLS 1.3, which is expected to be completed next year. The new version is all about trimming the fat and keeping the protocol as simple as possible to avoid future implementation errors.

[One of the first steps in making encryption the norm across the Net is an update to the protocol itself and a set of best-practices for using encryption in applications. Read New TLS/SSL Version Ready In 2015.]

Russ Housley, chair of the Internet Architecture Board, says the Internet Engineering Task Force's Using TLS in Applications (UTA) working group's effort in creating best-practices for using TLS in applications, as well as guidance on how certain applications should use the encryption protocol, also should help application developers know when to stop using older security protocols or algorithms that could leave systems vulnerable.

"With the initial POODLE attack against SSLv3, we saw pretty quick reaction among server operators, with about 20% of the servers being fixed within a couple of weeks. This new variation of the POODLE attack is hitting an even larger population of servers, and we hope that the operators are paying more attention," Housley said in an email exchange with Dark Reading.

F5 Networks and A10 Networks have issued advisories and fixes for models of their load balancers that are vulnerable to the new POODLE problem.

Google security engineer Adam Langley said in a post this week confirming the new POODLE problem: "This seems like a good moment to reiterate that everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken. Thankfully, TLS 1.2 support is about to hit 50% at the time of writing."

TLS 1.2 is immune to POODLE when the AEAD cipher option it offers is deployed.

Qualys's SSL Labs project is offering an online test to check if a server is vulnerable to the new POODLE.