We all hear the headline facts about the latest vulnerabilities and bugs that affect our online life, but how often do we read the finer details? The more technically minded readers of our blogs might find the nuts and bolts interesting. With this in mind, I thought I’d take a minute to walk you through the latest exploit, known as POODLE, that affects SSL.
Let’s start with the basics: what is SSL? Well, it’s a protocol that theoretically allows two entities to communicate securely. Secure two-way communications are essential for the modern web: you wouldn’t want to give a website your card details if the information could be picked up by anyone who cared to listen in.
The premise of SSL is one-way authentication and the establishment of a session key that is then used to protect the communication session. It uses asymmetric key cryptography (such as RSA) to exchange keys and then symmetric key cryptography (RC4, or a block cipher in CBC mode, etc.) to encrypt the session. It is widely used to provide secure sessions on top of other protocols, the most common being HTTP, which becomes HTTPS.
Say you want to check your account balance online. This might include the following minimal SSL handshake:
Your browser wants to talk to your bank’s server. You do not identify yourself, but you provide the highest SSL/TLS version your browser supports, a list of cipher suites your browser supports and a nonce (Na). A nonce is a number used only once; it ensures that old messages cannot be reused in a replay attack. SSL cipher suites are written like this:

SSL_RSA_WITH_RC4_128_SHA

Here RSA is the asymmetric key exchange algorithm, RC4 is the encryption algorithm with a 128-bit key, and SHA is the message authentication code.
Your bank sends back its certificate, its own nonce (Nb), and its choice of one of the SSL/TLS versions you support together with one of the cipher suites you offered. The certificate was issued by a Certification Authority, which has verified the certificate owner and the public key it contains.
Your browser, after checking the certificate, chooses another random number (R) and sends it encrypted with the bank’s public key. Your browser also computes the master secret key (K), which is derived from R and the two nonces. Then it sends the Bank a hash of the key, the handshake messages (including the nonces), and a string identifying you as the client.
The Bank also computes K, checks the hash sent by your browser, and sends back a hash of the key, the handshake messages, and a string identifying it as the server.
Communications between you and the bank are now secure. The Bank has authenticated itself to you (through its certificate), but you have not authenticated yourself to the Bank at this level; that happens later, when you log in.
A POODLE problem
POODLE stands for Padding Oracle on Downgraded Legacy Encryption. Let's break it down and find out what it actually means. According to Google’s Security Advisory paper, the following conditions must be met to launch a POODLE attack:
- The connection uses SSL v3.0. The POODLE exploit does not work if the browser uses the latest TLS version instead.
- A block cipher in CBC mode is used.
- The attacker is able to mount a man-in-the-middle (MiTM) attack.
When the last block of a message is incomplete, the remaining bytes are filled, or padded, until it reaches the block length. In SSL v3.0, CBC padding is not deterministic and is not covered by the Message Authentication Code, so its integrity cannot be verified. Padding oracle attacks let the attacker learn plaintext without attacking the underlying block cipher itself.
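To make the "not verified by the MAC" point concrete, here is a small added example (my own code, not from the original post or from any TLS implementation). Encryption is deliberately left out: the functions work on the record as it looks right after CBC decryption, data || MAC || padding || padding-length, because that is exactly where the two protocols differ. HMAC-SHA1 and a 16-byte block size stand in for the real MAC constructions and ciphers (both assumptions), and the sample record is constructed.

```python
"""SSL v3.0 vs TLS padding checks on a decrypted CBC record (constructed example)."""
import hashlib
import hmac

BLOCK = 16                                   # assumed block size
MAC_LEN = 20                                 # SHA-1 output length
MAC_KEY = b"constructed-demo-mac-key"        # constructed sample key, not a real secret


def build_record(data: bytes) -> bytes:
    """Lay out data || MAC || padding || padding_length, filled to whole blocks."""
    mac = hmac.new(MAC_KEY, data, hashlib.sha1).digest()
    body = data + mac
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    # A conforming sender fills the padding with pad_len itself (the TLS rule).
    # Note that the MAC was computed over `data` only: padding is outside it.
    return body + bytes([pad_len]) * pad_len + bytes([pad_len])


def _mac_ok(data: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(mac, hmac.new(MAC_KEY, data, hashlib.sha1).digest())


def sslv3_receive(record: bytes):
    """SSL v3.0 rule: the last byte says how much padding to strip; the padding
    bytes themselves are never inspected. Returns the data or None on rejection."""
    if not record or len(record) % BLOCK:
        return None
    pad_len = record[-1]
    if pad_len >= BLOCK or len(record) < pad_len + 1 + MAC_LEN:
        return None
    body = record[:len(record) - pad_len - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return data if _mac_ok(data, mac) else None


def tls_receive(record: bytes):
    """TLS 1.0+ rule: every padding byte must equal the padding length, so the
    padding is deterministic and any change to it is rejected."""
    if not record or len(record) % BLOCK:
        return None
    pad_len = record[-1]
    if len(record) < pad_len + 1 + MAC_LEN:
        return None
    padding = record[len(record) - pad_len - 1:-1]
    if any(b != pad_len for b in padding):
        return None
    body = record[:len(record) - pad_len - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return data if _mac_ok(data, mac) else None


def flip_padding_bytes(record: bytes) -> bytes:
    """Corrupt only the padding bytes (not the length byte) to see which receiver notices."""
    pad_len = record[-1]
    start = len(record) - pad_len - 1
    return record[:start] + bytes(b ^ 0xFF for b in record[start:-1]) + record[-1:]


if __name__ == "__main__":
    rec = build_record(b"GET /balance HTTP/1.1")   # constructed sample plaintext
    bad = flip_padding_bytes(rec)
    print("SSLv3 accepts untouched record :", sslv3_receive(rec) is not None)
    print("TLS   accepts untouched record :", tls_receive(rec) is not None)
    print("SSLv3 accepts corrupted padding:", sslv3_receive(bad) is not None)  # the integrity gap
    print("TLS   accepts corrupted padding:", tls_receive(bad) is not None)
```

Run it and the last two lines show the difference that matters: the SSL v3.0 receiver hands the corrupted record up as valid because nothing ties the padding bytes to the MAC, while the TLS receiver rejects it. That deterministic padding check is one of the reasons the fix is "stop using SSL v3.0" rather than "patch SSL v3.0".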
On Legacy Downgraded Encryption
Negotiating the highest protocol version is not always possible, for various reasons: network problems, bugs, old browser or server versions, or network attacks. Hence the DLE: Downgraded Legacy Encryption. In the case of POODLE, TLS (the current protocol) is downgraded to SSL v3.0 — an 18-year-old security standard with known cryptographic weaknesses.
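The version negotiation described in the handshake section above, and the downgrade described here, can be modelled in a few lines. The following is an added example of my own (not code from the original post or from any browser or TLS library): a server that picks the highest version it shares with the client, and a client that, when a handshake fails, retries with the next lower version, which is the retry behaviour browsers used at the time. Whatever makes the higher-version handshakes fail (a bug, a broken middlebox, or an attacker on the path) is modelled as a single `drop_handshakes_above` threshold; the version names and numbers are constructed.

```python
"""Toy model of SSL/TLS version negotiation and the client-side retry that turns a
failed handshake into a legacy connection (constructed example)."""

# Oldest to newest; the integers exist only so versions can be compared.
VERSIONS = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3}
ALL = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]


def server_negotiate(client_max, server_supported):
    """A server picks the highest version it supports that does not exceed the client's offer."""
    candidates = [v for v in server_supported if VERSIONS[v] <= VERSIONS[client_max]]
    return max(candidates, key=VERSIONS.__getitem__) if candidates else None


def connect(client_supported, server_supported, drop_handshakes_above=None, fallback_dance=True):
    """Model of a client connecting.

    drop_handshakes_above: any handshake that offers a version newer than this never
        completes (stands in for network problems, bugs, or an active attacker).
    fallback_dance: whether the client retries with its next lower version on failure.
    Returns (negotiated_version_or_None, list_of_versions_offered_in_order).
    """
    offers = sorted(client_supported, key=VERSIONS.__getitem__, reverse=True)
    attempts = []
    for client_max in offers:
        attempts.append(client_max)
        interfered = (drop_handshakes_above is not None
                      and VERSIONS[client_max] > VERSIONS[drop_handshakes_above])
        if interfered:
            if not fallback_dance:
                return None, attempts          # honest failure: no connection at all
            continue                           # retry one version lower
        return server_negotiate(client_max, server_supported), attempts
    return None, attempts                      # nothing left to offer


if __name__ == "__main__":
    print("clean network            :", connect(ALL, ALL))
    print("broken path, SSLv3 on    :", connect(ALL, ALL, drop_handshakes_above="SSLv3"))
    print("broken path, SSLv3 off   :", connect(ALL[1:], ALL, drop_handshakes_above="SSLv3"))
    print("broken path, no retry    :", connect(ALL, ALL, "SSLv3", fallback_dance=False))
    print("server only speaks TLS1.0:", connect(ALL, ["SSLv3", "TLSv1.0"]))
```

The second and third lines of output are the whole story of this section: with SSL v3.0 still enabled, a client that keeps retrying ends up on SSL v3.0 without either end having chosen it, whereas a client with SSL v3.0 switched off fails to connect, which is the safer outcome. The last line shows a legitimate downgrade to an old server, which the model handles the same way a real server would.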
TLS to the rescue
TLS is the successor to SSL, and versions after 1.1 aren't susceptible to the POODLE problem. TLS is more secure because:
- The key derivation is different
- The list of cipher suites is different
- The renegotiation is different
- The message authentication code is a later version than the one used in SSL v3.0.
Keeping ahead of the game
Most browsers will have SSL v3.0 turned off by default from next month, but in case you don’t auto-update, or you just want to be as secure as possible, here’s how to turn off SSL in your browser.
I would also suggest you disable TLS v1.0, as it has some shortcomings that in the past couple of years have been exploited with the CRIME and BEAST vulnerabilities (although these can be fixed). Unlike later versions of TLS, v1.0 can be downgraded to SSL v3.0, which is why it's important that SSL v3.0 is disabled.
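Browser settings are a matter of menus, but the same advice applies to any client code you write yourself. As an added example (my own, not from the original post), this uses Python's standard `ssl` module to build a client context that can never negotiate SSL v3.0 or TLS 1.0, and a small audit function that reports which pre-TLS 1.2 versions a given context would still accept. `hardened_client_context`, `legacy_versions_allowed` and `audit` are names I chose; the `TLSVersion` constants and `minimum_version` attribute are the real standard-library API.

```python
"""Refusing SSL v3.0 and TLS 1.0 in a Python client, plus an audit helper (constructed example)."""
import ssl

# Everything below the page's "after 1.1" line, i.e. the versions to keep switched off.
LEGACY = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSL v3.0, TLS 1.0 or TLS 1.1, ever
    return ctx


def legacy_versions_allowed(ctx: ssl.SSLContext) -> list:
    """Names of pre-TLS 1.2 versions the given context would still negotiate."""
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        # No floor configured: whatever the linked OpenSSL still supports is on the table.
        return [v.name for v in LEGACY]
    return [v.name for v in LEGACY if v >= floor]


def audit(ctx: ssl.SSLContext) -> bool:
    """True when the context is safe from a downgrade to SSL v3.0 by construction."""
    return not legacy_versions_allowed(ctx)


if __name__ == "__main__":
    # What an old client or a careless configuration looks like: floor lowered to TLS 1.0.
    # (A strict OpenSSL build may refuse the assignment; that is the library doing the audit for you.)
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.minimum_version = ssl.TLSVersion.TLSv1
    print("weak context still allows :", legacy_versions_allowed(weak))      # ['TLSv1', 'TLSv1_1']
    print("weak context passes audit :", audit(weak))                          # False
    hardened = hardened_client_context()
    print("hardened context allows   :", legacy_versions_allowed(hardened))  # []
    print("hardened context passes   :", audit(hardened))                     # True
```

Recent Python releases already default the floor to TLS 1.2, so the useful part in practice is `audit`: run it over the contexts your code creates (or that a library hands you) and you find the one place somebody lowered the floor to talk to an old appliance.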
If you haven’t got a vulnerability assessment program in place, now is a good time to start. Within 6 months we had Heartbleed, Shellshock and POODLE. What will be next?