Peter Bright provided a fantastic writeup on the recent POODLE aka”Padding Oracle On Downgraded Legacy Encryption” attack that could be as he states “the final nail in SSLv3’s coffin”. You can find the original post HERE via the arstechnica.com website.
From the researchers that brought you BEAST and CRIME comes another attack against Secure Sockets Layer (SSL), one of the protocols that’s used to secure Internet traffic from eavesdroppers both government and criminal.
Calling the new attack POODLE—that’s “Padding Oracle On Downgraded Legacy Encryption”—the attack allows a man-in-the-middle, such as a malicious Wi-Fi hotspot or a compromised ISP, to extract data from secure HTTP connections. This in turn could let that attacker do things such as access online banking or e-mail systems. The flaw was documented by Bodo Möller, Thai Duong, and Krzysztof Kotowicz, all of whom work at Google. Thai Duong, working with Juliano Rizzo, described the similar BEAST attack in 2011 and the CRIME attack in 2012.
The attack depends on the fact that most Web servers and Web browsers allow the use of the ancient SSL version 3 protocol to secure their communications. Although SSL has been superseded by Transport Layer Security, it’s still widely supported on both servers and clients alike and is still required for compatibility with Internet Explorer 6. SSLv3, unlike TLS 1.0 or newer, omits validation of certain pieces of data that accompany each message. Attackers can use this weakness to decipher an individual byte and time of the encrypted data, and in so doing, extract the plain text of the message byte by byte.
The malicious router will then reorganize the SSL message, copying the portion with the session cookie to the end of the message. Most of the time, this will result in the data being garbled when the server tries to decrypt it, and the connection will fail. But occasionally, with probability 1 in 256, the message will decrypt successfully, and Mallory will learn a single byte of the session cookie.
This process can continue until Mallory has learned the entire session cookie. She can then do with it whatever evil thing she wants.
TLS 1.0 and newer versions perform more robust validation of the decrypted data and as such are not susceptible to the same problem. But for SSLv3 there’s no fix. The BEAST flaw was in a similar position. It was partially mitigated by switching to different encryption algorithms (though those encryption algorithms have abundant security problems of their own) and some changes to SSL clients to change the way they assembled messages. It may be technically possible to make similar workarounds for POODLE, but much SSLv3-using software, in particular Internet Explorer 6 on Windows XP, is no longer supported or updated. As such, it will be vulnerable forever, adding to the growing laundry list of other flaws that Windows XP is perpetually vulnerable to.
This has led some to say “enough is enough” and disable SSLv3 at the server side entirely. CloudFlareannounced that it was disabling SSLv3 by default from its servers, and it’s likely that others will follow suit. Killing SSLv3 is the only robust protection against SSLv3’s flaws. CloudFlare says that only 0.65 percent of its HTTPS traffic used SSLv3, so disabling the protocol should not prove too onerous.
Web users can, and should, also disable SSLv3 in their browsers. Firefox 34 will disable SSLv3 by default. In the meantime, this page has instructions for Internet Explorer and Chrome, and this tells Firefox users what to do. The situation for Chrome is currently a little unsatisfactory, as it uses a command-line switch to disable SSLv3 rather than a setting. If that switch is not used (for example, if the browser is launched by clicking a link in an e-mail rather than through a shortcut) then SSLv3 will remain enabled.