POODLE vulnerability: The end of life of SSL 3.0

There is a critical security vulnerability in SSL 3.0 which allows attackers to calculate the plaintext of encrypted connections, and it will likely spell the end of the use of this particular SSL version.

The vulnerability (CVE­-2014-3566), discovered by Google security researchers and dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption), is in the design of the protocol.

The researchers explained in great technical detail why the flaw exists and how it can be exploited, but here is it in short:

Given that support for SSL 3.0 remains widespread, an attacker that controls the network between the client and the server can exploit the protocol downgrade dance implemented by many clients in order to force the use of SSL 3.0. The POODLE vulnerability, caused by a weakness in the CBC encryption algorithm used in SSL 3.0, allows a man-in-the-middle attacker to intercept HTTPS traffic between the client and server, and decrypt portions of it (for example, authentication cookies).

Microsoft points out that the vulnerability is mitigated by the fact that the attacker must make several hundred HTTPS requests before the attack could be successful, but the best option for everyone is to switch to using TLS 1.0, TLS 1.1, or TLS 1.2 instead of SSL 3.0.

“Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today,” noted Bodo M?¶ller, one of the researchers who discovered the vulnerability.

“Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.”

Google already suports the TLS_FALLBACK_SCSV fallback on Google Chrome and its servers, and says that it definitely does not create compatibility problems.

SANS ISC CTO Johannes Ullrich also says that they best thing to do is to disable SSL 3.0.

“There is no patch for this. SSLv3 has reached the end of its useful life and should be retired,” he advised. “This isn’t a ‘patch now’. Give it some time, test it carefully, but get going with it. The other problem is that this is a client and a server issue. You need to disable SSLv3 on either. Start with the servers for highest impact, but then see what you can do about clients.”

To fix the SSL/TLS version selection fallback issue, he also advises to implementation of TLS_FALLBACK_SCSV fallback.

If you want to check whether your server or client is vulnerable, SANS ISC offers links to pages that allow you to do it easily.

“This attack is serious but not necessarily as severe as Heartbleed or ShellShock because it requires what we call man-in-the-middle, meaning that it is difficult for an attacker to pull off unless they already have access to your network or if they are on an open, public wireless connection (hotels, in-flight Internet, Starbucks, etc.),” commented Greg Martin, CTO at ThreatStream.

“What can you do to protect yourself from the Poodle attack? Download the newest version of your browser software, mobile OS and for companies, disabling vulnerable versions of SSLv3 which were publicized in the Google disclosure.”