Users can disable SSL usage for their web browsers

Oct 15, 2014 08:38 GMT

Security experts at Google devised an attack dubbed POODLE that exploits a flaw in the design of Secure Sockets Layer (SSL) 3.0 and allows data to be extracted from HTTPS connections; this marks the end of the protocol, because there is no efficient mitigation for the problem.

During a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, the cryptographic security of SSL 3.0 is broken and secure session cookies can be stolen from the victim.

Lingering support for the obsolete SSL 3.0 makes the attack possible

SSL 3.0 has long been obsolete as a protocol for secure client-server communication, having been replaced by TLS (Transport Layer Security); but it is still implemented in websites and web browsers as a last resort before falling back to unencrypted traffic.

Most clients try to use the highest protocol version they implement, but if a server-side bug causes the handshake to fail, lower versions of the protocol are tried in turn.

According to Google's security advisory, an attacker in a man-in-the-middle position can also force this downgrade deliberately, and then decrypt the protected data byte by byte.

This is possible because of a weakness in the way SSL 3.0 uses the cipher block chaining (CBC) encryption mode to protect the information.

Given all this, an attacker controlling a malicious network device, such as a router or a WiFi hotspot, could trigger a downgrade to SSL 3.0 in order to exploit its weakness and recover plaintext information sent by victims.

SSL 3.0 needs to be disabled

Although it has been replaced by better, more secure protocols, SSL 3.0 is still available in numerous clients and servers.

All major web browsers implement it, and their developers recommend disabling the protocol to avoid falling victim to a POODLE attack.

Mozilla will disable the protocol by default in Firefox 34, scheduled for November 25. Until then, the company provides the SSL Version Control extension to mitigate the problem.

Google says that since February, their servers benefit from a mechanism (TLS_FALLBACK_SCSV) that prevents downgrading the secure connection, either to SSL 3.0 or to TLS versions lower than TLS 1.2.

However, clients also connect to other servers that have not implemented such protection. In this case, the browser can be instructed manually not to accept SSL through Chrome's “--ssl-version-min=tls1” command-line parameter.

Internet Explorer 6 is beyond saving, but in newer versions, SSL 3.0 can be disabled from the Advanced tab of the Internet Options menu.

[UPDATE]: Google also implemented TLS_FALLBACK_SCSV in Chrome, which means that when the browser retries a handshake at a lower protocol version, it signals this to the server through a special value in the cipher suite list it sends. Thus, the server knows whether the handshake is the result of a malicious downgrade attempt or just an interoperability issue.
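As an added illustration (not code from the article, Google or any browser), the following Python model shows why the TLS_FALLBACK_SCSV mechanism stops a forced downgrade while still allowing a genuine fallback to a version-intolerant server, and why a client minimum of TLS 1.0 keeps the browser off SSL 3.0 even without server support. The two functions, their parameter names and the four-version ordering are simplifications assumed for the model; only the SCSV value 0x5600 comes from RFC 7507.

```python
# Constructed model of the version-fallback dance and the TLS_FALLBACK_SCSV
# check (RFC 7507). Version order is an assumed simplification.
VERSIONS = ["SSLv3", "TLS1.0", "TLS1.1", "TLS1.2"]
TLS_FALLBACK_SCSV = 0x5600  # signaling cipher suite value defined by RFC 7507


def server_handshake(server_max, client_max, cipher_suites,
                     supports_scsv=True, version_intolerant=False):
    """Return the negotiated version, or an alert name if the server refuses.
    A version-intolerant server (the server-side bug mentioned in the article)
    aborts any handshake offering a version above the one it knows."""
    s, c = VERSIONS.index(server_max), VERSIONS.index(client_max)
    if version_intolerant and c > s:
        return "handshake_failure"           # buggy server: client will retry lower
    # RFC 7507: SCSV present and client offers less than the server's best
    # version means somebody forced a downgrade, so refuse the connection.
    if supports_scsv and TLS_FALLBACK_SCSV in cipher_suites and c < s:
        return "inappropriate_fallback"
    return VERSIONS[min(s, c)]


def client_connect(server_max, server_scsv=True, server_intolerant=False,
                   client_min="SSLv3", client_scsv=True, mitm_blocks=()):
    """Model a browser retrying at ever lower versions until one succeeds.
    `mitm_blocks` lists the versions whose handshakes an on-path attacker
    drops; `client_min` models a setting such as --ssl-version-min=tls1.
    Returns the negotiated version, or None if no connection is made."""
    for ver in reversed(VERSIONS[VERSIONS.index(client_min):]):
        is_fallback = ver != VERSIONS[-1]
        suites = [TLS_FALLBACK_SCSV] if (client_scsv and is_fallback) else []
        if ver in mitm_blocks:
            continue                          # handshake never completes; retry lower
        result = server_handshake(server_max, ver, suites,
                                  server_scsv, server_intolerant)
        if result == "handshake_failure":
            continue                          # genuine interoperability problem
        if result == "inappropriate_fallback":
            return None                       # downgrade detected: do not retry
        return result
    return None


if __name__ == "__main__":
    blocked = ("TLS1.2", "TLS1.1", "TLS1.0")
    print("no SCSV on server:", client_connect("TLS1.2", server_scsv=False, mitm_blocks=blocked))
    print("SCSV on both sides:", client_connect("TLS1.2", mitm_blocks=blocked))
    print("intolerant old server:", client_connect("TLS1.0", server_intolerant=True))
```

Running the block prints SSLv3 for the unprotected server, None when both sides implement the SCSV, and TLS1.0 for the legitimately old server.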