A new attack on the SSLv3 protocol, disclosed Tuesday, takes advantage of an issue with the protocol that enables a network attacker to recover the plaintext communications of a victim. The attack is considered easier to exploit than similar previous attacks against SSL/TLS, such as BEAST and CRIME, and can enable an attacker to retrieve a supposedly secure cookie for a given site.
The attack is known as POODLE and was developed by several researchers at Google, including Thai Duong, who was part of the duo who developed the BEAST and CRIME attacks several years ago. The technique takes advantage of the fact that when a secure connection attempt fails, servers will fall back to older protocols, such as SSLv3, in an attempt to communicate securely with the remote client. An attacker who can trigger a connection failure can then force the use of SSLv3 and attempt the new attack.
“To work with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client; if this handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers. So if an attacker that controls the network between the client and the server interferes with any attempted handshake offering TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0.,” the researchers, Duong, Bodo Moller and Krzysztof Kotowicz, say in their advisory on the attack.
In order to execute the attack, an adversary would need to have control of the victim’s Internet connection and have the ability to run some Javascript inside the victim’s browser.
“Once you get those conditions, it should be about 256 web requests to obtain each byte of the cookie. If you assume a couple of dozen connections can be made per minute, that works out to 10 minutes per byte worst case. So it could take a while to run,” said Matthew Green, an assistant research professor at Johns Hopkins University and a cryptographer.
The new attack has a similar result to the BEAST attack developed by Duong and Juliano Rizzo in 2011: the decryption of protected sensitive content. The use of the BEAST attack requires some highly specific conditions and the technique is slower than POODLE. Green said that the requirements to use the POODLE attack are less onerous.
“What makes it worse than BEAST is two things: One, It’s not as easy to fix as BEAST was on TLS. Two, it doesn’t require you to be running a Java applet the way you needed to with BEAST. You can probably execute the attack with a piece of Javascript,” Green said.
The easiest fix for the new attack is to disable SSLv3, but that has compatibility implications for browsers, especially older ones. That could lead to problems for site operators, who typically want to support a wide range of protocols in order to serve a broad range of users. To address the problem, Moller and fellow Google security researcher Adam Langley have forwarded a mechanism known as TLS_FALLBACK_SCSV that prevents fallback attacks.
“Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks,” Moller wrote in a blog post.
The new attack affects a wide range of software, including OpenSSL, which has had more than its share of issues in recent months. Moller on Tuesday submitted a patch for the 1.0.1 branch of OpenSSL that adds support for the TLS_FALLBACK_SCSV mechanism.
Green said that the death of SSLv3, which is 15 years old, is long overdue and that the disclosure of the POODLE attack should hasten that end.
“The only reliable fix is to disable SSLv3 completely on servers and on clients. People should have done this long ago, but it appears that if you do this you break big swaths of the Internet. So we’ll have to see what actions sites and browser vendors take now,” he said.