POODLE Attacks, Kills Off SSL 3.0

Published : 22/11/2024   Category : security




A newly discovered design flaw in an older version of the SSL encryption protocol could be used for man-in-the-middle attacks -- leading some browser vendors to remove SSL 3.0 for good.



Disable SSL 3.0 in browsers and servers: That's the recommendation of security experts in the wake of the discovery of a serious flaw in the nearly 15-year-old version of the encryption protocol. The flaw could allow an attacker to wage a man-in-the-middle attack against a user.
Google researchers announced late yesterday that they had discovered a vulnerability (CVE-2014-3566) in the older SSL (version 3) that could allow man-in-the-middle attacks on a user's encrypted web and other communications sessions. However, the so-called POODLE (Padding Oracle On Downgraded Legacy Encryption) attack would be tough to pull off, and the most likely scenario would be a determined attacker targeting a user or group of users, security experts say.
SSL 3.0 was replaced long ago by the newer Transport Layer Security (TLS) versions 1.0 and 1.2 in most SSL implementations, but the older version has been kept around mainly to support older client machines and legacy applications. Google now plans to remove SSL 3.0 altogether from its client software, including the Chrome browser, in the coming months. Mozilla says it will do so with Firefox on Nov. 25. According to some estimates, around 98% of websites still support SSL 3.0 for backward compatibility to older client machines and browsers.
But this is no Heartbleed vulnerability moment.
"It's not as bad as Heartbleed, but it's certainly real," says Dan Kaminsky, chief scientist at WhiteOps. "The threat isn't fixable without disabling SSL 3.0, but TLS has been out a long time, and the number of clients that can't speak it is small."
Ivan Ristic, director of engineering at Qualys and an SSL expert, concurs that POODLE is no Heartbleed. "It's a big problem, but it's not the end of the world," he says. "This is not an easy attack to carry out. It's an elaborate attack… There is a lot for the attacker to do to make it successful. The question is what's the motivation to execute it."
According to security experts, the good news about POODLE is that it has sounded the death knell for the older version of the SSL protocol for encrypted communications. "It's very difficult to kill off old protocols," Ristic says. "It's very good to see browser vendors and websites getting rid of SSL 3.0 because of it."
Google Security Team member Bodo Moller revealed the flaw in a blog post late yesterday after a flurry of industry speculation over whether yet another big Internet bug was in the wings. Most browsers are affected by the flaw, because they still support SSL 3.0, and Google says it supports a mechanism called TLS-FALLBACK-SCSV that would prevent an attacker from exploiting the SSL 3.0 flaw, he wrote. Some websites will break as Google disables SSL 3.0, so those sites will need to be updated quickly to drop SSL 3.0 support.
The attack can occur thanks to the support of SSL 3.0, and it is possible only when both a client and server include support for SSL 3.0. POODLE basically forces the use of SSL 3.0, which it then exploits. The attack would work like this: An attacker injects malicious JavaScript into the victim's browser, via code planted on a non-encrypted website the user visits, for example. Once the browser is infected, the attacker can execute a man-in-the-middle attack, ultimately grabbing the victim's cookies and credentials from the secured web session.
"This is an attack on the client," Ristic says. "It's similar to the BEAST man-in-the-middle attack from 2011. POODLE has been known for a long time in one way or another. It was ignored because no one could see how it could be exploited until now."
Karl Sigler, threat intelligence manager for Trustwave, notes that POODLE can work only if the victim is actively online and the attacker is physically near him or her, such as in a coffee shop or somewhere with public WiFi.
SSL-based VPN client software is not likely affected by POODLE, however. Ristic says he doesn't think the attack could be exploited on a VPN client. "And I wouldn't expect a modern VPN client to use SSL 3.0, anyway."
So why have SSL 3.0 at all? It has been kept alive mainly to support older client systems, such as Windows XP and Internet Explorer 6. The catch with disabling SSL 3.0, of course, is that IE6 users would be cut off -- something that is more of an issue overseas than in the US.
Meanwhile, SANS Internet Storm Center has set up an online POODLE test to see if your browser is vulnerable: A poodle pops up with a bubble screaming "Vulnerable!" if you are, and a Springfield terrier character pops up if you're not.
