Category: CommunityReturn Of POODLE: This Time It’s TLS

Share this post...Tweet about this on TwitterShare on Google+0Share on Facebook0

POODLE Returns TLSIt’s recently been discovered that a variant of the POODLE attack, which has the potential to allow attackers to decrypt the content of HTTPS connections, can be carried out against sites using some implementations of the TLS protocol. It was previously believed that POODLE was only effective against SSL 3.0, an outdated version of the encryption protocol. It appears that around 10 percent of the most trafficked sites on the web are vulnerable to POODLE-type attacks, including some banks.

POODLE is a relatively complex attack that uses flaws in how SSL 3.0 (and now some TLS) implementations handle data padding to read byte-by-byte the contents of encrypted payloads. A successful attack depends on injecting JavaScript code into the victim’s browser and running thousands of transactions to discover the content of the data traveling over the connection. Needless to say, this isn’t very easy, and in a previous article I commented that, in real life scenarios, there were probably easier ways to achieve the same thing.

But the new POODLE is little easier to implement than the old POODLE. In addition to the padding attack, because the original POODLE vulnerability focused on an old version of SSL, the attacker had to “trick” browsers into downgrading the connection from the more secure TLS versions to the insecure SSL 3.0. Most browsers have now removed this chink in the armor and made it impossible to downgrade to SSL 3.0. The discovery that some TLS implementations are vulnerable relieves hackers of the need to force the browser to downgrade, making the attack slightly easier.

According to Qualsys, which runs the SSL Pulse project that monitors SSL encrypted sites from the Alexa top 1 million visited sites, about 10 percent of sites are vulnerable because they are using implementations of TLS with the padding vulnerability.

Should You Be Worried

Not overly. As I mentioned in my previous article on this subject: the attack is difficult to carry out. It’s certainly a bad thing that TLS is vulnerable in some implementations, and another vulnerability is the last thing the reputation of purportedly secure online services needs, but as vulnerabilities go, this one is not disastrous.

That said, it is a vulnerability and it can be used to circumvent HTTPS encryption in some scenarios as Qualsys Director Of Application Security Research, Ivan Ristic says:

“The main targets are browsers, because the attacker must inject malicious JavaScript to initiate the attack. A successful attack will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical.”

If you’re worried about whether services you use are vulnerable, Qualsys provides a server test that can be used to scan domains for SSL vulnerabilities, including POODLE.

As ever, the way to ensure that your sites are not vulnerable is to install the patches that will probably have already been released by the time this article is published.

Image: Flickr/JoF

POODLESecurityServersSSLSystem AdministrationTLS
Dec 12, 2014, 1:24 pmBy: Corey Northcutt (0) Comments

Leave a Reply
Surround code blocks with <pre>code</pre>

Your email address will not be published.


Sign up to receive periodic InterWorx news, updates and promos!

New Comments

Current Poll

  • This field is for validation purposes and should be left unchanged.