October 18, 2014 (Sat): Recently Google announced a new vulnerability in the SSL protocol used for web encryption. The vulnerability can only be triggered in a protocol from the 1990s, which has been replaced by more secure versions yet 98% of all web servers still support using the older protocol. Here is why we should be less worried about backward compatibility and be more concerned with implementing stronger web security protocols.
POODLE, as the vulnerability is called, allows an attacker to gain access to encrypted information, such as session cookies. Once this information is gained an attacker could then masquerade as the user. The attack is achieved by modifying the padding bytes in the Cipher Block Chaining (CBC) algorithms used by SSL. By modifying the padding there is a 1 in 256 chance that it will reveal, one byte of the original message. Over enough sessions an attacker could gain a complete session cookie. This means that an attacker must be capable of performing MitM attacks and that they can force the victim to make thousands of requests. Admittedly, the conditions required to exploit this bug sound a bit improbable however, various malicious scripts could help attackers force multiple sessions so this issue shouldn’t be overlooked.
The vulnerability only exists in the SSLv3 security protocol. SSLv3 has been around since 1996 when it was first introduced to address serious vulnerabilities in SSLv2 and was superseded by TLSv1 in 1999.
The latest official version is TLS 1.2 that was released in 2008 while TLS 1.3 is currently in draft to be release sometime in the near future. All that being said, SSLv3 is almost 15 years old which makes it ancient in cryptography years, yet a recent survey shows that 98% of servers still support it!
Servers still advertise SSLv3 in fear that web browsers don’t support TLSv1 or higher. However, the truth is since 2000 every major browser included support for TLSv1 or better and most have included support for it from their initial release! The latest major browser to be released without TLSv1 support was Opera series 4, released in 2000. The fact that servers are still supporting this is a shame. Are we really worried that someone is still running Windows 95/98/ME? The POODLE vulnerability shouldn’t even be a concern yet it is because servers are supporting this obsolete protocol. Isn’t time we put this old dog to rest?
Tests have shown the impact of disabling SSLv3 to be minimal. Users on Windows XP machines with Internet Explorer 6 saw the largest effect since TLSv1 is disabled by default on unpatched XP computers. However, Internet Explorer 6 browsers account for less then a tenth of a percent of all web traffic we see. Regardless, SSLv3 should be disabled to prevent clients from gaining a false sense of security.
Written by Waylon Grange, Senior Malware Researcher at Blue Coat Systems.