Few things can be kept secret within computer security, and it has been the case with a flaw in SSLv3, where there were rumours of a forthcoming announcement. So it happened on Tuesday 14 October 2014 that Bodo Möller (along with Thai Duong and Krzysztof Kotowicz) from Google announced a vulnerability in SSLv3, and where the plaintext of the encrypted content could be revealed by an intruder. The flaw itself has been speculated on for a while, and this latest announcement shows that it can actually be used to compromise secure communications. The vulnerability was discovered last month, and named POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, and it relates with the method that Web servers deal with older versions of the SSL (Secure Socket Layer) protocol.
Figure 1 outlines how network protocols fit together, where we use
insecure protocols such as HTTP, TCP and IP to communicate with a Web
site. Each of these protocols were designed at a time when security was
not an issue on systems. The fix to improve security was to insert a
layer between the network layer (IP) and the transport layer (TCP), and
is named SSL. This later secures the upper level protocol, and creates a
secure and encrypted tunnel between the client and the Web server, so
that no-one can crack the communications for the connection.
Figure 1: Networking stack with SSL integration
There are several different versions of SSL, from 1.0 to 3.0 , with 3.1 it changed its named to TLS (Transport Layer Socket), and SSL 3.1 is also known at TLS 1.0. Most systems now use TLS 1.1 or 1.2, and which are free of flaws which compromised previous versions. SSL (as illustrated in Figure 2) works by the client telling the server which type of encryption it would like to use (such as RC4) and the other cipher parameters it can support. The server replies back with its preferred cipher scheme, along with its digital certificate. This digital certificate contains its public key, and the proof of its identity. The client then creates a new session key for the encrypted tunnel, and then encrypts this with the public key provided by the server. It then sends this to the server, where the server decrypts it, and thus has the same encryption key as the client. After this, the client and server can communicate with the session key (and the chosen encryption method) – thus creating a tunnel between themselves. This tunnel should be almost impossible to crack, as it uses a session key, which would take a long time to crack through brute force.Figure 2: Outline of SSL tunnelling
Within SSL, most servers will cope with previous versions of the protocol, and will downgrade from TLS 1.0 to SSLv3 if the handshake between the client and the server fails. The intruder will thus refuse a TLS 1.0 version, and go for an SSLv3 method, where they will be able to decipher the communciations. In the following example, we force the connection to the Google Web site to use an SSLv3 connection (with the -ssl3 option):-- Listing appears on the main article
The flaw is not a Heartbleed-type issue, where caused major compromises across the Internet. Overall it is basically highlighting a previously defined flaw. A more pressing issue with SSL/TLS are Man-in-the-Middle attacks which are still possible, and where an intruder can get in-between the client and the server (using a proxy connection). The fix for POODLE is simply for administrators to disable SSLv3 on their Web sites, in order to avoid the downgrade of the secure connection.