POODLE (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability that enables attackers to gain access to things like passwords, cookies and users' private account data on a website. It exploits the outdated SSL 3.0 security protocol.
Says Bodo Möller, Google Security Team, who discovered the exploit along with fellow Googlers Thai Duong and Krzysztof Kotowicz: “SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.”
“SSL security is based on the SSL/TLS protocol,” says security solutions provider Entrust in a blog on the issue. “The protocol has been released as SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. The first well-deployed version was SSL 3.0. Through the years, the protocol moved to the IETF and the TLS versions were released. SSL 3.0 is an obsolete and insecure protocol; unfortunately, it is still widely deployed on most websites.”
“Firefox uses SSLv3 for only about 0.3% of HTTPS connections,” says Mozilla on the exploit. “That’s a small percentage, but due to the size of the Web, it still amounts to millions of transactions per day.”
This is problematic because, as Möller notes, the attacker forces the connection to fall back to the older, insecure protocol version as part of the attack vector. The only way to protect against the exploit is thus to disable SSL 3.0.
“SSL 3.0 is still used for a variety of reasons,” says LAWtrust solutions director Maeson Maherry. “For example, not all clients support TLS – think old web browsers, IE 6 on XP. This might seem foreign to first world countries, with Windows 8 and modern browsers, but such systems are still widely used across the world.
“There are steps to be taken by both end users and hosts,” he adds. “End users can disable SSL 3.0 support in their respective web browsers and other clients. Hosts can disable support for SSL 3.0. In order to prevent downgrade though, both parties must disable support. Hosts can also add the TLS fall-back configuration, a host side configuration for TLS that prevents a downgrade to SSL 3.0.”
Notes Möller: “Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly.”
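The host-side fix that Maherry and Möller describe above is a one-line protocol change on the web server. The following nginx configuration is an added example (it is not from the article or from Google, Mozilla, Entrust or LAWtrust) showing the weak setting beside the corrected one; the hostname and certificate paths are placeholders.

```nginx
# Added example, not from the article: a weak nginx TLS configuration
# next to its hardened form. Hostname and certificate paths are placeholders.

# WEAK: SSLv3 is still offered, so a client that is pushed into a
# fallback handshake can land on SSL 3.0 and the padding oracle applies.
server {
    listen 443 ssl;
    server_name example.invalid;                 # placeholder hostname
    ssl_certificate     /etc/ssl/example.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/example.key;    # placeholder path
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}

# HARDENED: SSLv3 removed from the offered protocol list. A downgrade
# attempt now ends in a failed handshake instead of an SSL 3.0 session.
server {
    listen 443 ssl;
    server_name example.invalid;                 # placeholder hostname
    ssl_certificate     /etc/ssl/example.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/example.key;    # placeholder path
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
```

After reloading nginx, verify the change with `openssl s_client -connect host:443 -ssl3`: against the hardened server the handshake fails. Note that the `-ssl3` option only exists in OpenSSL builds compiled with SSLv3 support, which current builds omit, so the check has to be run from a build that still has it. The Apache equivalent is `SSLProtocol all -SSLv2 -SSLv3`. The TLS_FALLBACK_SCSV mechanism Möller refers to needs no web-server directive: it is honoured by the server's TLS library when that library supports it (OpenSSL 1.0.1j and later). The list above keeps TLS 1.0 and 1.1 only because the article's concern is 2014-era legacy clients; a current deployment would offer TLS 1.2 and 1.3 alone.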
“SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25,” says Mozilla. “The code to disable it is landing today in Nightly, and will be promoted to Aurora and Beta in the next few weeks. This timing is intended to allow website operators some time to upgrade any servers that still rely on SSLv3.
“Website operators should evaluate their traffic now and disable SSLv3 as soon as compatibility with legacy clients is no longer required (the only remaining browser that does not support TLSv1.0 is Internet Explorer 6),” Mozilla notes. “We realise that many sites still receive traffic from IE6 and cannot disable SSLv3 entirely. Those sites may have to maintain SSLv3 compatibility, and should actively encourage their users to migrate to a more secure browser as soon as possible.”