Poodle flaw opens encrypted web traffic to attack

News by Tim Ring

Systems admins are being warned of a newly discovered 'industry-wide' bug dubbed 'Poodle' that allows attackers to decode encrypted traffic running over the internet.

The flaw, revealed by a trio of Google researchers on Tuesday, is buried in the 18-year-old version 3.0 of SSL – the protocol that encodes the traffic between web servers and users. Located in SSL 3.0's CBC ‘block cipher padding' system, Poodle (which is short for ‘Padding Oracle On Downgraded Legacy Encryption') allows attackers to decrypt portions of the traffic, which could be anything from webmail to online banking communications.

It's estimated that less than one percent of encrypted internet traffic still uses SSL 3.0, but the researchers – Bodo Möller, Thai Duong and Krzysztof Kotowicz - say attackers could force web browsers back to using SSL 3.0, opening up a much wider range of sites and servers to attack.

Microsoft has admitted that all supported versions of Windows implement SSL 3.0 and so are affected by the vulnerability. But Microsoft says it is an “industry-wide problem”.

Microsoft also accepts that attackers could target systems using newer TLS encryption rather than SSL 3.0, explaining: “In a man-in-the-middle (MITM) attack, an attacker could downgrade an encrypted TLS session forcing clients to use SSL 3.0 and then force the browser to execute malicious code.”

Among web browsers vulnerable to Poodle, the SANS security research body has found in initial tests they include Internet Explorer 11, Safari 7.1 and Chrome 37 running on Windows 7, and Safari 7.1 and Chrome 37 running on OS X 10.9.5 and iOS 8.0.2, as well as Firefox 32 running on IOS 8.0.2.

Assessing Poodle's likely impact, UK cyber expert Alan Woodward, visiting professor at Surrey University's Computing Department and an advisor to Europol, told SCMagazineUK.com: “It's a serious flaw but in terms of HTTPS traffic - secure traffic - probably less than one per cent of that traffic is still using SSL version 3.0. Heartbleed is very exploitable and the numbers of systems affected high and so it's a ‘10'. This is a ‘5'. It is exploitable but the numbers are much lower.”

Woodward said the big problem comes if hackers exploit the trick of pushing people back from TLS encryption to SSL 3.0. “That's the worry – people will work out ways of exploiting it, by forcing you to use an insecure system. It's quite difficult, but people will work out how to do it.”

Robert Graham, CEO of Errata Security, said the main risk with Poodle is users being hacked when on open WiFi networks.

In a 14 October blog post he said: “The hacker needs to be able to tap into the wires between you and the website you are browsing, which is difficult to do. This means you are probably safe from hackers at home, because hackers can't tap backbone links.

“However, when using the local Starbucks or other unencrypted WiFi, you are in grave danger from this hack from hackers sitting at the table next to you.”

Graham added: “What the hacker will likely try to do is hack your session cookies. That means they won't get your password for your account, but they will be able to log in as you into your account, to post tweets in your Twitter account and read all your Gmail messages.

“In theory, the attacker can do much more, but that attacking cookies it the overwhelming most likely vector.”

Microsoft said it “is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers. The attacker must make several hundred HTTPS requests before the attack could be successful.”

To test if your server is vulnerable to Poodle, SANs advises using https://ssltest.com/. To test if your client is vulnerable, it has set up a test page at https://www.poodletest.com. If you can connect, then your client supports SSLv3.

To turn off SSLv3 support in Internet Explorer 11, SANS says use:

Setting -> Internet Options -> Advanced Tab -> Uncheck "SSLv3" under "Security".

Woodward's advice about SSL 3.0 is: “Just turn it off. This really is the final nail in its coffin - I hope. All the sys admins should be turning it off.”

But he added: “If you are going to TLS, preferably don't go to TLS 1 because that has some problems as well. You should be going for 1.1 or above. It may create compatibility problems but there are ways around it.”

Google's Bodo Möller outlines a way round the compatibility problems in a 14 October blog: “Our recommended response is to support TLS_FALLBACK_SCSV. This prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.”

More details on TLS_FALLBACK_SCSV can be found here.

Möller said Google Chrome has begun testing changes that disable the fallback to SSL 3.0 and “in the coming months, we hope to remove support for SSL 3.0 completely from our client products”.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews