Google's Security Team revealed on Tuesday that the long-obsolete, but still all too widely used, Secure Sockets Layer (SSL) 3.0 cryptographic protocol has a major security flaw.
According to the team's Bodo Möller: "This vulnerability allows the plaintext of secure connections to be calculated by a network attacker."
While SSL 3.0 has been succeeded by Transport Layer Security (TLS) 1.0, TLS 1.1, and TLS 1.2, many TLS implementations have continued to be backwards compatible with SSL 3.0 to work with legacy systems for a smoother user experience.
Usually, the security protocol handshake provides for authenticated version negotiation. This way the latest protocol version common to both the client and the server will be used.
But, and this is where the trouble gets its chance to cause havoc, "If a client and server both support a version of TLS, the security level offered by SSL 3.0 is still relevant since many clients implement a protocol downgrade dance to work around server-side interoperability bugs."
In an example attack called Padding Oracle On Downgraded Legacy Encryption (POODLE), an attacker can steal "secure" HTTP cookies or other bearer tokens such as HTTP Authorization header contents. The root security hole is that SSL 3.0 RC4 encryption is broken.
POODLE has now shown there's a way to exploit this weakness on today's Web. It works, Möller explained, by using a well-known man-in-the-middle attack style.
The POODLE's bite requires an SSL 3.0 connection to be established. So, if you disable SSL 3.0 on either the client program, typically a Web browser, or the server, you can avoid the attack. If, however, SSL 3.0 is the only "encryption" protocol they have in common, then as Möller said, "all hope is gone, and a serious update is required to avoid insecure encryption."
So what can you do about this?
You should disable SSL 3.0 support, or at the least, turn off cipher block chaining (CBC). Unfortunately, even now that can present serious compatibility problems with older Web browsers and servers.
Google's suggestion is to support TLS_FALLBACK_SCSV on your Web or SSH servers. This prevents the server from accepting retries of failed connections at a downgraded protocol version. This, in turn, prevents browsers from defaulting to SSL 3 when they're unable to connect with an up-to-date protocol.
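To make the "downgrade dance" and the TLS_FALLBACK_SCSV signal concrete, here is an added toy model in Python. It is not Google's code and not a real TLS implementation: the message layout, the `Server` and `connect` names, and the simulated network attacker are assumptions made for illustration. The only real constant is the TLS_FALLBACK_SCSV cipher suite value 0x5600 from RFC 7507. The model shows four outcomes: a normal handshake, a client without the SCSV being walked down to SSL 3.0 when its newer handshakes are dropped, the same client with the SCSV being refused by the server instead of downgraded, and a server that has SSL 3.0 disabled outright.

```python
# Toy model of TLS version fallback and the TLS_FALLBACK_SCSV protection.
# Added example, not a real TLS stack; names and message shapes are assumptions.

SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
ALL_VERSIONS = {SSL3, TLS10, TLS11, TLS12}
NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}

TLS_FALLBACK_SCSV = 0x5600  # real value from RFC 7507
ORDINARY_SUITE = 0x002F     # TLS_RSA_WITH_AES_128_CBC_SHA, stands in for the normal suite list


class DowngradeRejected(Exception):
    """The server sent the inappropriate_fallback alert: it saw the SCSV on a
    ClientHello whose version is lower than the best version it supports."""


class Server:
    def __init__(self, supported, honors_scsv=True, buggy_above=None):
        self.supported = set(supported)
        self.honors_scsv = honors_scsv
        # Simulated interoperability bug: a legacy server that silently drops
        # ClientHellos announcing a version newer than `buggy_above`.
        self.buggy_above = buggy_above

    def handle(self, client_version, cipher_suites):
        if self.buggy_above is not None and client_version > self.buggy_above:
            raise ConnectionError("server dropped the handshake")
        highest = max(self.supported)
        # RFC 7507 logic: SCSV present and client offered less than our best -> refuse.
        if self.honors_scsv and TLS_FALLBACK_SCSV in cipher_suites and client_version < highest:
            raise DowngradeRejected("inappropriate_fallback")
        # Normal negotiation: best version we support that the client allows.
        candidates = [v for v in self.supported if v <= client_version]
        if not candidates:
            raise ConnectionError("no common protocol version")
        return max(candidates)


def connect(server, client_versions, send_scsv, attacker_blocks_above=None):
    """Model the client 'downgrade dance': try the highest version first and
    retry one version lower after any failure. `attacker_blocks_above` models a
    man-in-the-middle that drops every handshake newer than that version; the
    client cannot tell this apart from a buggy server, which is the whole problem.
    Returns (negotiated_version_or_None, list_of_attempts)."""
    attempts = []
    highest = max(client_versions)
    for version in sorted(client_versions, reverse=True):
        suites = [ORDINARY_SUITE]
        if send_scsv and version < highest:
            suites.append(TLS_FALLBACK_SCSV)  # "this is a retry below my real maximum"
        if attacker_blocks_above is not None and version > attacker_blocks_above:
            attempts.append((NAMES[version], "dropped on the network"))
            continue
        try:
            negotiated = server.handle(version, suites)
            attempts.append((NAMES[version], "ok"))
            return negotiated, attempts
        except DowngradeRejected as exc:
            attempts.append((NAMES[version], f"rejected: {exc}"))
            return None, attempts  # fail closed rather than accept the downgrade
        except ConnectionError as exc:
            attempts.append((NAMES[version], str(exc)))
    return None, attempts


if __name__ == "__main__":
    modern = Server(ALL_VERSIONS)
    print("normal:", connect(modern, ALL_VERSIONS, send_scsv=False))
    print("no SCSV, attacker:", connect(modern, ALL_VERSIONS, False, attacker_blocks_above=SSL3))
    print("SCSV, attacker:", connect(modern, ALL_VERSIONS, True, attacker_blocks_above=SSL3))
    print("SSL3 off:", connect(Server(ALL_VERSIONS - {SSL3}), ALL_VERSIONS, False, attacker_blocks_above=SSL3))
    legacy = Server({SSL3, TLS10}, buggy_above=TLS10)
    print("legacy server, SCSV:", connect(legacy, ALL_VERSIONS, True))
```

The last scenario is why Google could report the SCSV as compatible: a genuinely old server whose best version is TLS 1.0 still accepts the client's retry at TLS 1.0, because the SCSV only triggers a refusal when the retried version is below the server's own maximum. Only the forced drop down to SSL 3.0 against a server that could have done better is refused.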
"Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly. In the coming months, we hope to remove support for SSL 3.0 completely from our client products."
At this time, the only browser in common use that supports only SSL 3.0, to my knowledge, is Internet Explorer (IE) 6. Others, however, still support SSL 3.0 as an option. So, if you were to use such a browser on a predatory Website set up with a POODLE-style attack, it could still be tricked into using SSL 3.0 and thus be opened up to an assault.
To prevent POODLE attacks on Firefox, open about:config, search for "security.enable," and set "security.enable_ssl3" to false.
To stop them on IE, go to the tools menu, click Internet Options and head to the Advanced tab. Under that look for the Security heading, and make sure that the SSL 3.0 check box is unchecked.
If you're running a Web server, check with your upstream code provider, in the case of open-source programs such as Apache and Nginx, or your vendor, as in the case of Microsoft's Internet Information Server (IIS), for how to turn SSL 3.0 support off.