The innocuously named POODLE attack disclosed by a trio of security researchers at Google this week demonstrates how vendor efforts to maintain backward compatibility with old technologies can sometimes backfire in a big way.
POODLE, short for Padding Oracle on Downgraded Legacy Encryption, is an attack that takes advantage of a design weakness in SSLv3, an obsolete piece of encryption software that is still widely used by Web servers around the world.
Attack of the POODLE
Google’s Bodo Möller, Thai Duong and Krzysztof Kotowicz developed the attack to show how attackers could take advantage of the SSLv3 weakness to potentially steal authentication cookies from an Internet user’s browser and use them to access associated email or bank accounts.
POODLE will not allow attackers to steal user passwords, security blogger Robert Graham noted in an Errata Security blog post. However, it will allow them to use stolen session cookies to log in to the user’s online account.
“Thus, while you are at Starbucks, some hacker next to you will be able to post tweets in your Twitter account and read all your Gmail messages,” Graham wrote. “These are two examples — they really have near complete control over your accounts.”
The problem stems from the manner in which SSLv3 implements a method known as block ciphering to encrypt whole blocks of data or groups of bits. The vulnerability gives attackers a way to decrypt encrypted communications between a browser and a Web server essentially one byte at a time using repeated browser requests.
Theoretically, the vulnerability should at least be a nonissue for most Internet users because SSLv3 became obsolete some 15 years ago. It has been replaced with a renamed and more secure encryption protocol called Transport Layer Security (TLS). TLS has been refreshed twice since it was first introduced in 1999, and work has already begun on TLS 1.3, the latest revision of the protocol.
Doing the ‘Downgrade Dance’
However, many legacy Web servers still support SSLv3 because many Web users still use old Internet Explorer 6 browsers. When a browser using a newer version of TLS encounters a Web server using SSLv3, the browser will usually automatically revert to using SSLv3, using a process that researchers describe as a “downgrade dance.”
With the POODLE attack, the Google researchers showed how attackers could essentially trick a client browser and Web server into this dance and force them to use SSLv3, even if both sides support the most recent and most secure version of TLS.
“Unfortunately, the attack is more practical than you might think,” Green said. “You should probably disable SSLv3 everywhere you can. Sadly, that’s not so easy for the average end user.”
Disabling SSLv3 on servers could be a major challenge for website operators as well because the move will prevent Internet Explorer 6 users from accessing their sites, the security researchers noted.
However, “disabling SSL 3.0 entirely right away may not be practical if it is needed occasionally to work with legacy systems,” the Google researchers noted in their blog.
Server operators and browser makers should also consider disabling the functionality that allows their products to roll back to SSLv3, they said. Google Chrome, for instance, already uses a mechanism called “TLS_FALLBACK_SCSV” that prevents attackers from downgrading TLS protections.