What is “POODLE”?
POODLE is an acronym for a newly discovered vulnerability in a specific version of the SSL protocol. POODLE requires an “active” attacker, meaning there must be another ‘bad’ computer intercepting messages between the client and server. Ultimately, the vulnerability allows the attacker to decode messages encrypted with SSL v3.0 (the specific, and only, version of the protocol affected).
SSL v3.0 is an old version of the SSL protocol, a very old version – from the late 90s. However, almost all servers on the Internet still accept connections using it. Luckily, there is a straightforward way to protect yourself from this attack (see the “As An SSL Provider, What Should I Do?” section below). The attack is also fairly complex to perform, because it relies on being an “active” attack against the client. There are also no known attacks using the POODLE vulnerability (yet). For this reason, it is much less serious than the Heartbleed vulnerability from earlier this year. Security expert Robert Graham said, “If Heartbleed/Shellshock merited a 10, then this attack is only around a 5.”1
However, this does not mean that POODLE should be ignored, because all servers or clients running SSL v3.0 are vulnerable. (See the “Who is Affected?” section for specific details and threat analysis.)
Please note that (luckily) this is a flaw in an outdated version of the SSL protocol itself, so no changes to any existing certificates are needed. This vulnerability is the result of some bad math when this version of the protocol was created back in the late 90s.
Solutions to this vulnerability are most effectively implemented at the server level (even though the attack is on the client, it relies on the server allowing a connection using SSL v3.0 to occur), so education and awareness of the issue are the best way to mitigate the effects of the POODLE vulnerability.
How does the Attack Work?
The POODLE vulnerability can be exploited by an attacker who has control or influence over the network connection between the client and the server – often called a “Man in the Middle Attack” (MITM).4
An attack using POODLE begins with a “downgrade attack” to repeatedly cause the client’s connection to the server to fail. This causes the server to allow an encrypted connection with older versions of the protocol, because it believes a lack of modern protocol support is the cause. This downgrading continues to occur until the connection is downgraded all the way to SSL v3.0, at which point the POODLE attack can be used.5
This downgrade attack works because, while almost every server supports a newer version of the SSL protocol which is not affected, they ALSO support SSL v3.0 in order to avoid any incompatibility issues with older (“legacy”) clients. After forcing stronger clients to downgrade to SSL v3.0, the attacker can use a flaw in the protocol to figure out the encryption key for an SSL connection, and read the contents as if they were unencrypted.
If you would like to know more about how the attack works, Google provides some excellent information in their paper which announced the discovery: “This POODLE Bites: Exploiting The SSL 3.0 Fallback.”6
Who is Affected?
Any browser or server which supports SSL 3.0 can fall victim to POODLE. Critically, “any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS.”7 This means that sites trying to provide backwards compatibility for older clients are at risk. For this reason, supporting SSL v3.0 at all can make a server or client vulnerable.
SSL Pulse is a website that collects monthly statistics on SSL support among the 150,000 most popular websites.8 SSL Pulse’s most recent scan, conducted before the disclosure of the POODLE vulnerability, found that 98% of these sites still have SSL v3.0 support, potentially putting them at risk of a POODLE attack. Extrapolating from this, it can be assumed most servers on the Internet still include support for the decrepit SSL v3.0.
However, too little client traffic still uses SSL v3.0 to justify support of this deprecated and flawed protocol version. The most notable software affected by this attack is Internet Explorer 6 on Windows XP versions WITHOUT Service Pack 3.
Support for this flawed protocol version should not be kept for users still on IE6. On Cloudflare, a major provider of DDoS protection, only 0.65% of their received SSL traffic uses (not relies on) SSL v3.0, and 98% of their Windows XP traffic is properly patched to Service Pack 3 which enables TLS 1.0 (the next version of the SSL protocol after SSL v3.0).9 Mozilla similarly estimates only 0.3% of traffic actually uses SSL v3.0, yet around 98% of servers allow it! The number of clients still needing SSL v3.0 simply does not justify keeping it on.
As an SSL provider, what should I do?
The SSL Store’s recommendation is to totally disable support for SSL v3.0. This should be disabled on your servers and communicated to your customers. There are solutions to the POODLE attack, mainly the new protocol mechanism “TLS_FALLBACK_SCSV.”10 However, this mechanism relies on server and browser compatibility, which introduces too much uncertainty to its effectiveness. TLS_FALLBACK_SCSV also does not fix the issue for devices that ONLY have SSL v3.0 support, leaving the biggest piece of vulnerable software, IE6, still exposed.
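The downgrade sequence described under “How does the Attack Work?” and the TLS_FALLBACK_SCSV caveat in this paragraph, as an added example that is not from the original page, from OpenSSL, or from any browser vendor: a small Python simulation of the ClientHello exchange. The client serialises a real-format ClientHello and, when it is retrying below the version it really supports, appends the TLS_FALLBACK_SCSV cipher suite value 0x5600 (RFC 7507). The server parses the record and, if it honours the SCSV, refuses a fallback hello whose version is lower than the highest it could have served. The server version sets, the single padding cipher suite and the scenario names are constructed for illustration.

```python
import os
import struct

# Protocol version codes as they appear on the wire (major, minor); tuples compare in order.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)

TLS_FALLBACK_SCSV = 0x5600               # signalling cipher suite value from RFC 7507
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F    # an ordinary suite so the list is never empty
ALERT_PROTOCOL_VERSION = 70              # TLS alert: no mutually acceptable version
ALERT_INAPPROPRIATE_FALLBACK = 86        # TLS alert defined by RFC 7507


def build_client_hello(version, fallback=False):
    """Serialise a minimal TLS record carrying a ClientHello for `version`.
    A client retrying below the version it really supports sets `fallback`,
    which appends TLS_FALLBACK_SCSV to the cipher-suite list."""
    suites = [TLS_RSA_WITH_AES_128_CBC_SHA] + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = bytes(version) + os.urandom(32)                 # client_version + random
    body += b"\x00"                                        # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, set of cipher suites) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:]                      # skip 5-byte record header and 4-byte handshake header
    version = (body[0], body[1])
    pos = 34                               # past version (2) and random (32)
    pos += 1 + body[pos]                   # skip session_id
    count = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = {struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + count, 2)}
    return version, suites


def server_response(record, supported, honours_scsv=True):
    """Decide how a server accepting the versions in `supported` answers the hello.
    Returns ("accept", negotiated_version) or ("alert", alert_code)."""
    version, suites = parse_client_hello(record)
    highest = max(supported)
    if honours_scsv and TLS_FALLBACK_SCSV in suites and version < highest:
        # The client says this is a retry at a reduced version, yet this server could
        # have spoken something higher: the earlier failure was not a compatibility
        # problem, so refuse the downgrade instead of serving SSLv3.
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    candidates = [v for v in supported if v <= version]
    if not candidates:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("accept", max(candidates))


def scenarios():
    """The situations discussed in the text, run offline. Server version sets are constructed."""
    legacy = {SSL3, TLS10, TLS11, TLS12}      # typical 2014 server with SSLv3 still enabled
    hardened = {TLS10, TLS11, TLS12}          # same server after disabling SSLv3
    forced = build_client_hello(SSL3, fallback=True)   # modern client pushed down to SSLv3
    legacy_only = build_client_hello(SSL3)            # client that genuinely has only SSLv3
    return {
        "forced downgrade, server ignores SCSV": server_response(forced, legacy, honours_scsv=False),
        "forced downgrade, server honours SCSV": server_response(forced, legacy),
        "SSLv3-only client, server honours SCSV": server_response(legacy_only, legacy),
        "SSLv3-only client, SSLv3 disabled": server_response(legacy_only, hardened),
        "forced downgrade, SSLv3 disabled": server_response(forced, hardened),
    }


if __name__ == "__main__":
    for name, (outcome, detail) in scenarios().items():
        print(f"{name}: {outcome} {detail}")
```

The third scenario is the caveat made in this paragraph: a client that has nothing above SSL v3.0 never sends the SCSV, so a server that still enables SSL v3.0 serves it as before and the signalling suite changes nothing for it. Only the fourth scenario, with SSL v3.0 switched off on the server, closes that path, which is why the recommendation above is to disable the protocol rather than rely on the SCSV alone.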
So, to be totally safe from POODLE, and from other discovered and undiscovered flaws in SSL v3.0, it’s best to disable support for it altogether at the server side. This falls in line with what is recommended by Google, Mozilla, Cloudflare11, and other major technology companies.
On the client side, Firefox will be disabling SSL v3.0 by default in Firefox 34, which is to be released on Nov 25th. Google will also be removing SSL v3.0 support in client devices, including Chrome, “in [the] coming months.”12 With this pressure on the client side to remove SSL v3.0 support, the tiny number of clients using SSL v3.0 should tumble even further.
(Also note, if you recently switched to SHA2 certificates, as the SSL industry is encouraging and requiring, you have already downgraded the user experience for sluggish clients still on IE6 with Windows XP pre-Service Pack 3. So disabling SSL v3.0 will be the nail in the coffin for them – that’s a good thing.)
Does this mean SSL is insecure?
No. SSL, or more accurately, TLS, is fine. While most people still use the word “SSL,” the proper technical term for the encryption protocol we use today is TLS. This stands for Transport Layer Security and has been the official name of the SSL protocol since 1999. The newest version of the TLS protocol, Version 1.2, was released in 2008 and is four versions newer than SSL 3.0. All ‘modern’ browsers, computers, and smartphones should have support for some version of TLS, and the majority of SSL connections are using TLS. TLS 1.0 and 1.1 are not perfect, but they are much improved over SSL v3.0 and are considered suitable by security experts.
SSL v3.0 is over 15 years old! So it’s only reasonable for it to be abandoned at this point.
How Do I Disable SSL v3.0 on my Server?
This depends on the type of server you are operating.
For Apache Tomcat: https://bz.apache.org/bugzilla/show_bug.cgi?id=54691
For Apache, Nginx, and IIS: https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
For Lighttpd: https://cipherli.st/
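An added example, not from this page and not from the Apache or nginx projects, that evaluates the protocol directive in an Apache or nginx configuration snippet and reports whether SSL v3.0 is still enabled, so the change recommended above can be checked before a restart. It assumes two things: that Apache 2.4’s `SSLProtocol` keyword `all` expands to SSLv3 plus the TLS versions, with `+`/`-` tokens adding and removing entries, and that nginx builds of that era enabled SSLv3 when `ssl_protocols` was omitted. The sample snippets are constructed, with the weak form beside the corrected one.

```python
# Assumed expansions (example code, not vendor documentation): what Apache 2.4's `all`
# covers, and what nginx enabled by default when no ssl_protocols line was present.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
NGINX_DEFAULT = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def apache_protocols(directive):
    """Evaluate an Apache `SSLProtocol` line: bare or `+` tokens add a protocol,
    `-` tokens remove one, and `all` expands to APACHE_ALL."""
    enabled = set()
    for tok in directive.split()[1:]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def nginx_protocols(directive):
    """Evaluate an nginx `ssl_protocols` line, which lists the enabled versions explicitly."""
    return set(directive.rstrip(";").split()[1:])


def enabled_protocols(server, config_text):
    """Find the protocol directive in a config snippet (comments ignored, last one wins)
    and return the set of protocol versions it enables; fall back to the assumed default."""
    key, evaluate, default = {
        "apache": ("sslprotocol", apache_protocols, APACHE_ALL),
        "nginx": ("ssl_protocols", nginx_protocols, NGINX_DEFAULT),
    }[server]
    enabled = set(default)
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if line.lower().startswith(key):
            enabled = evaluate(line)
    return enabled


def audit(server, config_text):
    """Return (sslv3_still_enabled, sorted list of enabled versions) for a snippet."""
    enabled = enabled_protocols(server, config_text)
    return "SSLv3" in enabled, sorted(enabled)


# Constructed sample snippets: the 2014-era weak setting beside the corrected one.
APACHE_BEFORE = "SSLEngine on\nSSLProtocol all\n"
APACHE_AFTER = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3   # drop SSLv3 (POODLE)\n"
NGINX_BEFORE = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
NGINX_AFTER = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"

if __name__ == "__main__":
    for label, server, text in [("apache before", "apache", APACHE_BEFORE),
                                ("apache after", "apache", APACHE_AFTER),
                                ("nginx before", "nginx", NGINX_BEFORE),
                                ("nginx after", "nginx", NGINX_AFTER)]:
        sslv3_on, versions = audit(server, text)
        print(f"{label}: SSLv3 {'ENABLED' if sslv3_on else 'off'} -> {versions}")
```

A config that never mentions the directive at all is reported with SSLv3 on, which is the case most operators are in: the protocol is enabled by omission rather than by an explicit choice, so the fix is to add the directive, not just to check the ones already there.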
If you do not want to drop SSL v3.0 support, you can implement TLS_FALLBACK_SCSV on OpenSSL. However, this should only be a stopgap solution, and replacements for devices requiring SSL v3.0 should be actively pursued. https://www.openssl.org/news/secadv_20141015.txt
Qualys’ well-known SSL configuration checker tool has been updated to test for POODLE. You can input your website’s URL to have it test for the POODLE vulnerability: https://www.ssllabs.com/ssltest/
In addition to the citations on this resource, please see:
For technical details on how the vulnerability works, see Google’s original paper: https://security.googleblog.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
For the single best understanding of POODLE and what it means for an Internet user concerned with security, or a server operator, see Robert Graham’s notes on POODLE at his personal website: https://blog.erratasec.com/2014/10/some-poodle-notes.html
Microsoft’s Security Advisory on POODLE: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3009008