
Man bites dog: HTTPS-menacing POODLE is 'hard to exploit' – unless you're on public Wi-Fi

Avoid sketchy pub wireless, warn infosec bods

Analysis Mozilla will ditch support for the insecure SSL 3.0 from Firefox next month, following the discovery of a design flaw in the protocol that allows hackers to hijack victims' online accounts.

SSL v3 will be disabled by default in Firefox 34, due to be released on 25 November. Security experts are unanimous that sysadmins and programmers should drop support for the obsolete encryption tech from servers and applications, but split on the seriousness of the bug.

As we first warned this week, the so-called POODLE vulnerability lies in the still widely used encryption protocol SSL 3.0. Software should be using TLS 1.2 by now for secure and encrypted HTTPS connections.

POODLE, in common with the 2011 BEAST attack, allows a man-in-the-middle eavesdropper to extract session cookies from SSL sessions by forcing the victim's browser into making many thousands of similar requests, giving up clues about the encrypted secrets in the process.

Like Heartbleed, POODLE is an information-disclosure bug rather than a code-injection hole. Put simply, the shortcoming leaves encrypted data open to snooping by determined miscreants.

POODLE was discovered by Google engineers, and it stands for Padding Oracle On Downgraded Legacy Encryption. Unlike Heartbleed, POODLE is not OpenSSL specific: it's a cock-up in the protocol's design. Worse yet, the flaw is relatively easy to attack using malicious JavaScript.

SSL 3.0 was introduced in 1996, and superseded by TLS in January 1999 – so it's high time to ditch the technology. However, to maintain backwards compatibility with older browsers (cough, Internet Explorer 6), SSL v3 is still widely supported by servers, hence why it's still lurking as a danger today.

Fallback

This is really bad news because it means hackers can force servers to use the unsafe SSL 3.0 protocol rather than TLS, and then exploit the POODLE flaw, as a blog post by Netcraft explains. "As a result of the fallback behaviour in all major browsers, connections to web servers that support both SSL 3 and more modern versions of the protocol are also at risk," it warns, adding that "97 per cent of SSL web servers are likely to be vulnerable to POODLE."

There is no easy workaround or patch: SSL 3.0 needs to be deactivated entirely to stop snoopers compromising HTTPS connections. Details of how to turn off the technology can be found in a blog post by the Internet Storm Centre here.

A number of HTTPS-protected sites have already reacted to this vulnerability by disabling support for SSL 3.0, which may be the best option in a difficult situation. Disabling SSLv3 completely is likely to break Internet Explorer 6.
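To confirm that SSL 3.0 really is off on a server you run, the check below (an added example, not from the article or any vendor tool) builds an SSL 3.0 ClientHello offering only CBC cipher suites and classifies the first record that comes back. The function names, the result labels and the two sample replies are constructed for illustration.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# CBC suites (the mode POODLE targets): 3DES_EDE_CBC_SHA, AES_128_CBC_SHA, AES_256_CBC_SHA
CBC_SUITES = (0x000A, 0x002F, 0x0035)

def build_client_hello(random32=None):
    """Return one record holding an SSL 3.0 ClientHello that offers only CBC suites."""
    random32 = os.urandom(32) if random32 is None else random32
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (SSL3 + random32 + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Classify the first bytes a server sent back after the SSL 3.0 ClientHello."""
    if not data:
        return "rejects-ssl3"                         # closed without answering
    if len(data) < 5:
        return "unknown"
    if data[0] == 0x15:
        return "rejects-ssl3"                         # alert record
    payload = data[5:]
    if data[0] == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: type(1) + length(3) + server_version(2)
        return "accepts-ssl3" if payload[4:6] == SSL3 else "unknown"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the hello to a server you administer and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return classify_reply(s.recv(4096))
        except ConnectionResetError:
            return "rejects-ssl3"

# Constructed sample replies (not captured traffic), so the parser can be run offline.
SAMPLE_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00"
                       + bytes(32) + b"\x00\x00\x2f\x00")
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"

if __name__ == "__main__":
    print(classify_reply(SAMPLE_SERVER_HELLO), classify_reply(SAMPLE_ALERT))
```

An `accepts-ssl3` result means the server still completes the first step of an SSL 3.0 handshake and is a candidate for the downgrade described above.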

Ollie Whitehouse, technical director at security consultancy NCC Group, commented: "The recent POODLE vulnerability is arguably not best in show, as it is found in an older version of the security protocol which browsers and servers will not use by default. However, when combined with an active man-in-the-middle downgrade attack this vulnerability could be exploited with relative ease."

Attacks are likely to be already in development, Whitehouse warned.

"We expect tooling to exploit POODLE to be released shortly. Exploitation will be most likely in a malicious Wi-Fi hotspot scenario, or when travelling to a country where there is a risk of active state-driven attacks."

Even after vulnerable computers and servers are patched, the risk from POODLE will still be there thanks to vulnerable networking gear and Internet-of-Things devices that cannot be easily patched to drop SSL v3 support, if at all.

"The long tail of POODLE will be all of the non-browser applications using SSL for transport encryption and hardcoded for SSLv3," noted Metasploit founder HD Moore in an update to his personal Twitter account.

Dreaded SSLv3 bug is only a POODLE

However other security experts disagree that the bug is particularly serious, highlighting factors that may make it difficult to exploit reliably in practice.

“The attack strives to hijack sessions by extracting SSL-protected session cookies," said Itsik Mantin, a security researcher at Imperva. "The attack works on SSL 3.0, which is rarely used today, but the attacker can downgrade the SSL version to SSL 3.0 and then mount the attack.

“It is important to note that encryption algorithms were not designed to protect data in the case of an attacker that can mix insecure modifiable data (request URL and parameters, an insecure cookie, etc) with secure data (such as the session cookie), which is exactly the way SSL uses these algorithms. BEAST and CRIME were patched, but similarly to them POODLE relies on this usage mode to mount another attack in the row."

He concluded: “The conditions that are required for the attack to be applicable are hard to obtain. In particular, the attacker needs to become a man-in-the-middle between the attacked client and server, and to generate, block and modify client messages to the server and vice versa."

Gavin Millard, EMEA technical director at Tenable Network Security, explained: “Whilst POODLE could be seen as an important vulnerability, affecting an encryption standard that still remains in common browsers for backwards compatibility, the reality is it’s difficult to exploit and requires same network access to systems that are vulnerable to the downgrade. Whilst it’s true that if successfully used, a malicious attacker could expose private data leading to further exploitation, POODLE is far from the severity of recent bugs like Heartbleed or Shellshock."

Millard went on to suggest that POODLE may actually be beneficial by encouraging sysadmin types to ditch support for the aging protocol.

"Hopefully the response from system owners and browser vendors will be the disabling of backward compatibility with SSL 3.0, rather than trying to patch or fix through configuration change. POODLE could be a welcome death blow to an ancient standard, forcing the move towards better encryption for the few that still use it to benefit the many that don’t,” Millard added.

Sergey Lozhkin, a security expert at security firm Kaspersky Lab, suggests that the vulnerability wouldn't be much use away from Wi-Fi hotspots in locations such as hotels, airports and coffee shops.

"The protocol is very popular and exploitation of this vulnerability could expose private data, but only if an attacker successfully performed a complicated Man-in-the-Middle (MitM) attack," Lozhkin said.

"Generally this is far from simple, except when connections between the user and the web are unprotected. Internet connections via public Wi-Fi without password protection are one of the main situations where attackers can readily launch MitM attacks on ordinary users."

Of course, one should always use a secure VPN over public Wi-Fi: just make sure it's not using SSL 3.0, just in case.

The original paper on the POODLE SSL attack is here as a PDF. A widely praised technical write-up on POODLE by Google engineer Adam Langley can be found here.

Folks can test if their browser is vulnerable to the POODLE vulnerability here. ®
