Attacks such as POODLE and BEAST not only caused some sleepless nights for server admins having to patch against the respective weaknesses, but they also accelerated SSLv3 deprecation.
In the time since both attacks were disclosed, major browsers have removed the fallback condition that enabled the attacks, which threaten the confidentiality of encrypted communication, and encryption experts turned up the volume on calls to move to TLS 1.2 as a more secure protocol.
Recently, the Internet Engineering Task Force (IETF) officially declared SSLv3 dead and buried.
An Internet Standards Track document, RFC 7568, published this month declares SSLv3 “not sufficiently secure,” and prohibits fallback to SSLv3 in new applications.
Fallback to SSLv3 was the central issue most recently in the POODLE attacks, disclosed last October by researchers at Google, including Thai Duong, who was part of the research team that disclosed the BEAST attacks in 2011. POODLE attacks lead to the recovery of plaintext communication, and are enabled by the fact that when servers fail to securely communicate using TLS 1.2 or a more secure protocol, they would fall back to an older protocol such as SSLv3, which is vulnerable to padding attacks and other exploits. An attacker sitting in a man-in-the-middle position, for example, would have a much easier time decrypting communication over SSLv3. By running crafted JavaScript in the victim’s browser, for example, an attacker would need only 256 web requests to retrieve each byte of a browser cookie, Matthew Green of Johns Hopkins University told Threatpost last year.
“If you assume a couple of dozen connections can be made per minute, that works out to 10 minutes per byte worst case. So it could take a while to run,” said Green.
Since then, Microsoft, Google and Mozilla have taken steps to deprecate SSLv3 in their respective browsers. In February, Microsoft issued an update to Internet Explorer that allowed admins to opt in to blocking SSLv3 fallback; eventually, Microsoft said, this will be the default condition.
The IETF document was much more definite in its sentiments toward SSLv3.
“SSLv3 MUST NOT be used,” the document says. “Negotiation of SSLv3 from any version of TLS MUST NOT be permitted. Any version of TLS is more secure than SSLv3, though the highest version available is preferable.”
The document, co-written by Richard Barnes and Martin Thomson of Mozilla, Alfredo Pironti of INRIA, and Adam Langley of Google, explains in detail how broken SSLv3 truly is: it covers weaknesses in the record layer, the key exchange and the protocol’s custom cryptographic primitives, and describes other areas where SSLv3 has limited capabilities.
“Pragmatically, clients MUST NOT send a ClientHello with ClientHello.client_version set to {03,00}. Similarly, servers MUST NOT send a ServerHello with ServerHello.server_version set to {03,00}. Any party receiving a Hello message with the protocol version set to {03,00} MUST respond with a ‘protocol_version’ alert message and close the connection,” the document says.
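The rule quoted above can be expressed as a small server-side check on the first bytes of an incoming handshake. The following Python is an added example written for this article, not code from the RFC or from its authors: it parses the record header and the ClientHello.client_version field, and answers any {03,00} version with a fatal protocol_version alert (AlertDescription 70 in RFC 5246). The sample ClientHello records are constructed inline, and the TLS 1.0 record-layer version placed on the alert is an assumption, since RFC 7568 does not prescribe it.

```python
"""Added example: reject SSLv3 Hello messages as RFC 7568 requires.
Not code from the RFC or the article; sample records are constructed here."""
import struct

CONTENT_TYPE_ALERT = 21
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
ALERT_LEVEL_FATAL = 2
ALERT_PROTOCOL_VERSION = 70      # AlertDescription protocol_version(70), RFC 5246
SSLV3 = (3, 0)                   # the {03,00} version RFC 7568 forbids
TLS10 = (3, 1)
TLS12 = (3, 3)


def parse_client_hello_version(data: bytes):
    """Return (record_version, client_version) from a raw ClientHello record.
    Raises ValueError if the record is truncated or is not a ClientHello."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    body = data[5:5 + rec_len]
    # handshake header: type (1 byte) + length (3 bytes), then client_version (2 bytes)
    if len(body) < 6:
        raise ValueError("truncated handshake message")
    if body[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    return (rec_major, rec_minor), (body[4], body[5])


def protocol_version_alert() -> bytes:
    """Fatal protocol_version alert record to send before closing the connection.
    Assumption: the record-layer version on the alert is TLS 1.0 (3,1)."""
    alert_body = bytes([ALERT_LEVEL_FATAL, ALERT_PROTOCOL_VERSION])
    return bytes([CONTENT_TYPE_ALERT, *TLS10]) + struct.pack("!H", len(alert_body)) + alert_body


def handle_client_hello(data: bytes):
    """Apply the RFC 7568 rule: a Hello carrying {03,00} in either the record
    header or ClientHello.client_version is answered with a fatal
    protocol_version alert. Returns ("reject", alert_bytes) or
    ("accept", client_version); malformed input raises ValueError."""
    record_version, client_version = parse_client_hello_version(data)
    if record_version == SSLV3 or client_version == SSLV3:
        return ("reject", protocol_version_alert())
    return ("accept", client_version)


def build_client_hello(record_version, client_version) -> bytes:
    """Constructed minimal ClientHello (no session ID, one cipher suite,
    null compression) used as sample input for the check above."""
    random_bytes = bytes(32)                        # fixed zero random for the sample
    cipher_suites = b"\x00\x02\x00\x2f"             # length 2, TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00"                       # length 1, null compression
    body = bytes(client_version) + random_bytes + b"\x00" + cipher_suites + compression
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    header = bytes([CONTENT_TYPE_HANDSHAKE, *record_version]) + struct.pack("!H", len(handshake))
    return header + handshake


# Constructed samples: a plain SSLv3 hello, a TLS 1.2 hello, and a hello whose
# record header says TLS 1.0 but whose client_version still says SSLv3.
SSLV3_HELLO = build_client_hello(SSLV3, SSLV3)
TLS12_HELLO = build_client_hello(TLS12, TLS12)
MIXED_HELLO = build_client_hello(TLS10, SSLV3)

if __name__ == "__main__":
    for name, hello in [("sslv3", SSLV3_HELLO), ("tls12", TLS12_HELLO), ("mixed", MIXED_HELLO)]:
        decision, detail = handle_client_hello(hello)
        print(name, decision, detail.hex() if isinstance(detail, bytes) else detail)
```

Checking both the record-layer version and ClientHello.client_version matters because real clients do not always set the two fields to the same value; the RFC's wording targets the ClientHello field, and the record header is checked here as well so that an SSLv3 record layer is refused before any handshake parsing continues.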
“This entire document aims to improve security by prohibiting the use of a protocol that is not secure.”