The SSL and TLS protocols were created to keep network communication secure. Even with that protection, breaches have occurred. One such flaw, which came to light in 2014, was named the POODLE attack. This article covers what a POODLE attack is, how it works, and how it can be mitigated.
What is a POODLE attack?
POODLE is short for Padding Oracle On Downgraded Legacy Encryption. In 2014, Google's security team found that data flowing through encrypted channels is also open to attack. The original POODLE attack was assigned CVE-2014-3566.
In this attack, the attacker captures information flowing through a secured SSL (Secure Sockets Layer) connection and decrypts it. The attack applies only to SSL 3.0 and earlier versions. Transport Layer Security (TLS), introduced in 1999, does not have this vulnerability.
The attacker inserts themselves into the session between the client and the server and forces the browser to fall back to SSL 3.0. That older version is vulnerable, and it lets the attacker decrypt the data that is sent. Attacks on SSL have become common in recent years.
Risk factors associated with a POODLE attack
A POODLE attack has two parts: a man-in-the-middle (MITM) attack and a padding oracle attack. Once an attacker has succeeded at both, they can decipher the data sent over the communication link.
In such a scenario the attacker can reveal the sensitive information of an individual or a company: passwords, session cookies, and credit card data.
Individuals lose money and personal details. Companies lose data and may also fall prey to a ransomware attack.
How does a POODLE attack work?
Before digging into the technical details of the POODLE attack, here is a step-by-step summary of how it is carried out:
- The MITM attack lets the attacker eavesdrop on the link between client and server, and even interrupt or inject traffic to the website. The communication is still encrypted, so to read it the attacker forces the connection down to SSL 3.0 and exploits that version.
- The padding oracle attack is carried out once the switch to SSL 3.0 has succeeded. The switch is achieved through the downgrade dance.
- The SSL 3.0 padding is exploited to recover the plaintext behind the ciphertext by sending numerous cookie-bearing requests to the server.
- The server's responses to the varying inputs are monitored continuously, which lets the attacker recover the content. Note that recovery proceeds one byte at a time.
With that end-to-end summary in place, let us look at the technical parts of the POODLE attack in detail.
Technical Parts of The POODLE Attack
The downgrade dance
The downgrade dance, commonly known as a downgrade attack, exploits the protocol version negotiation feature present in the TLS and SSL protocols.
The attacker forces the connection down to SSL 3.0, which is susceptible to attack. This is achieved by repeatedly attempting to establish a secure connection with the server and then dropping the connection. The repeated connection failures lead the browser to fall back to the older version.
Block ciphers and CBC encryption
Cipher suites are sets of cryptographic algorithms used by servers and browsers with the TLS and SSL protocols. They include block ciphers such as the Advanced Encryption Standard (AES) and the Data Encryption Standard (DES).
A block cipher encrypts data in blocks of fixed size (for example 8 bytes or 16 bytes). If the data does not fill the last block, padding is added so that every block has the fixed size.
Cipher Block Chaining (CBC) is the mode of operation used by the cipher suites that can fall prey to the POODLE attack. In CBC the plaintext is padded and split into blocks of fixed size.
The first block is XORed with a random initialization vector (IV) to produce an intermediate value, which is encrypted with the block cipher to form the first ciphertext block. That ciphertext block then acts as the IV for the next block: it is XORed with the next padded plaintext block before encryption.
Padding oracle and CBC security vulnerability
In SSL 3.0 with CBC, the contents of the padding bytes are not specified and are not checked; the only requirement is that the padding length byte be correct. SSL 3.0 also uses MAC-then-encrypt: the MAC is computed before padding and encryption, so the padding is not covered by it. Attackers use these two facts to mount a padding oracle attack.
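To make the two properties above concrete (CBC chaining from the previous section, and SSL 3.0's unchecked padding under MAC-then-encrypt), here is an added Python model of the SSL 3.0 record layer. It is not code from the article or from any SSL library: the block cipher is a constructed 16-byte Feistel permutation standing in for AES, the MAC is HMAC-SHA256 rather than the SSL 3.0 MAC, and the keys and IV are fixed sample values. It shows that two records whose padding bytes differ both decrypt and verify under SSL 3.0 rules, whereas the TLS-style check, which requires every padding byte to equal the length byte, rejects padding that is not uniform.

```python
"""Toy model of SSL 3.0 record protection: MAC, then pad, then CBC-encrypt.
Constructed example; not protocol or library code."""
import hashlib
import hmac

BLOCK = 16      # block size in bytes (AES-sized); an assumption of the toy cipher
MAC_LEN = 32    # HMAC-SHA256 tag length used by this model


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: keyed hash of one half, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_cipher(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """4-round Feistel permutation on 16-byte blocks: a constructed stand-in
    for AES/DES. CBC only needs a keyed permutation, and this one has no deps."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            left, right = _xor(right, _f(key, rnd, left)), left
        else:
            left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def ssl3_pad(data: bytes, fill: int = 0) -> bytes:
    """SSL 3.0 padding: the last byte gives the number of padding bytes before
    it; those bytes may hold anything ('fill' here) and nobody checks them."""
    pad_len = BLOCK - (len(data) % BLOCK)            # 1..BLOCK bytes in total
    return data + bytes([fill]) * (pad_len - 1) + bytes([pad_len - 1])


def tls_pad(data: bytes) -> bytes:
    """TLS 1.0+ padding: every padding byte equals the length byte."""
    pad_len = BLOCK - (len(data) % BLOCK)
    return data + bytes([pad_len - 1]) * pad_len


def ssl3_padding_ok(plain: bytes) -> bool:
    # Only the length byte is validated.
    return len(plain) >= BLOCK and plain[-1] < BLOCK


def tls_padding_ok(plain: bytes) -> bool:
    # The length byte and every padding byte must match.
    if not ssl3_padding_ok(plain):
        return False
    n = plain[-1]
    return plain[-1 - n:] == bytes([n]) * (n + 1)


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV
    # for the first one) and then encrypted.
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_cipher(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(toy_block_cipher(key, blk, decrypt=True), prev))
        prev = blk
    return b"".join(out)


def ssl3_protect(enc_key: bytes, mac_key: bytes, iv: bytes, data: bytes, fill: int = 0) -> bytes:
    """MAC-then-encrypt as in SSL 3.0: the MAC covers the data, not the padding."""
    tag = hmac.new(mac_key, data, hashlib.sha256).digest()
    return cbc_encrypt(enc_key, iv, ssl3_pad(data + tag, fill))


def ssl3_unprotect(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes):
    """Mirror of an SSL 3.0 receiver: strip padding by its length byte, then
    verify the MAC on what remains. Returns (data, mac_ok, padding_ok)."""
    plain = cbc_decrypt(enc_key, iv, ct)
    if not ssl3_padding_ok(plain):
        return b"", False, False
    body = plain[:-(plain[-1] + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()
    return data, hmac.compare_digest(tag, expected), True


if __name__ == "__main__":
    # Constructed sample keys and IV; never reuse fixed values like these in practice.
    enc, mac, iv = b"k" * 16, b"m" * 16, b"\x00" * 16
    for fill in (0x00, 0xAA):
        rec = ssl3_protect(enc, mac, iv, b"cookie=secret", fill)
        print(hex(fill), ssl3_unprotect(enc, mac, iv, rec))   # both accepted
    print("TLS check on SSL3 padding:", tls_padding_ok(ssl3_pad(b"hello")))  # False
```

The point of the model is the last line of `ssl3_unprotect`: once the length byte is accepted, the padding bytes are discarded without inspection and the MAC never sees them, which is exactly the gap a padding oracle needs. TLS closes it by checking all padding bytes; the later fixes (encrypt-then-MAC, AEAD suites) remove the dependence on padding altogether.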
The attacker, holding the captured encrypted data, attempts to decipher it by sending requests whose length is a multiple of the block size. Each request is sent to the server in an attempt to guess a value correctly.
The server then accepts or rejects the request depending on whether the value is correct. Using XOR, the attacker combines the decrypted byte with the previous block, revealing the last byte of the plaintext. By repeating this operation they can guess the cookie byte by byte.
How can you prevent a POODLE attack?
There is no workaround that fully resolves POODLE other than eliminating the use of the SSL 3.0 protocol. This preventive measure is applied in three places.
Disable SSL 3.0 support in your browser. Instructions for doing so exist for every common browser variant.
The same applies to the web server: disable SSL 3.0 support there as well. Refer to the documentation for your particular server to find out how to disable SSL 3.0.
TLS 1.2 or higher must be enabled on both the server and the browser. In addition, enable TLS_FALLBACK_SCSV. This is a signaling cipher suite value that a client includes when it retries a handshake with a lower protocol version, so that a server which supports a higher version can detect and refuse the unnecessary fallback to SSL 3.0.
TLS_FALLBACK_SCSV thus prevents forced downgrades of SSL or TLS connections to SSL 3.0, which removes the opening for a POODLE attack.
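As an added example (not code from the article or any vendor), the Python helpers below cover the server-side part of this mitigation: a small audit that scans nginx `ssl_protocols` and Apache `SSLProtocol` directives for configurations that leave SSL 3.0 enabled, and a standard-library `ssl.SSLContext` for a Python server that refuses anything below TLS 1.2. The configuration lines are constructed samples. The audit treats Apache's `all` as including SSLv3 unless `-SSLv3` is present, which is the conservative reading (OpenSSL builds compiled without SSLv3 would not actually offer it).

```python
"""Audit helpers for the SSL 3.0 mitigation. Constructed example; the sample
configuration lines are made up for the demonstration."""
import re
import ssl

# Constructed nginx and Apache snippets, one directive per line.
SAMPLE_CONFIG = [
    "# mixed nginx/Apache sample for the audit",
    "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;",   # nginx: SSLv3 listed -> finding
    "ssl_protocols TLSv1.2 TLSv1.3;",                # nginx: fine
    "SSLProtocol all -SSLv2 -SSLv3",                 # Apache: SSLv3 removed -> fine
    "SSLProtocol all",                               # Apache: 'all' keeps SSLv3 -> finding
    "SSLProtocol +TLSv1.2 +TLSv1.3",                 # Apache: fine
]

_DIRECTIVE = re.compile(r"(ssl_protocols|SSLProtocol)\s+(.+)$", re.IGNORECASE)


def find_ssl3_in_config(lines):
    """Return [(line_no, reason)] for every directive that leaves SSL 3.0 on.
    Understands nginx 'ssl_protocols' and Apache 'SSLProtocol'."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        directive, args = m.group(1).lower(), m.group(2).split()
        if directive == "ssl_protocols":
            # nginx: the versions listed are exactly the versions enabled.
            if "SSLv3" in args:
                findings.append((no, "nginx ssl_protocols lists SSLv3"))
        else:
            # Apache: 'all', '+SSLv3' or 'SSLv3' enables it unless '-SSLv3' removes it.
            turned_on = any(a in args for a in ("all", "+SSLv3", "SSLv3"))
            if turned_on and "-SSLv3" not in args:
                findings.append((no, "Apache SSLProtocol leaves SSLv3 enabled"))
    return findings


def tls12_only_server_context() -> ssl.SSLContext:
    """Server context that negotiates TLS 1.2 or newer only. The standard
    library's TLS_SERVER protocol already excludes SSL 3.0; the explicit
    minimum_version documents the policy and also drops TLS 1.0/1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for no, reason in find_ssl3_in_config(SAMPLE_CONFIG):
        print(f"line {no}: {reason}")
    print("server minimum version:", tls12_only_server_context().minimum_version.name)
```

Run it against a real configuration by passing the file's lines to `find_ssl3_in_config`; an empty result for the TLS directives is the expected state after the mitigation. Note that the audit only reads configuration: the authoritative check is still a handshake test against the running service, and TLS_FALLBACK_SCSV handling itself is provided by the TLS library, not by these directives.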