POODLE

from Wikipedia, the free encyclopedia

POODLE (short for Padding Oracle On Downgraded Legacy Encryption) is a serious vulnerability in various Internet protocols that allows private data exchanged in encrypted form between clients and servers to be read.

The vulnerabilities are described in CVE-2014-3566 and CVE-2014-8730.

Description

The SSL 3.0 protocol (RFC 6101), developed by Netscape, was superseded by TLS 1.0 (RFC 2246) in 1999 and later by TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446). Current web browsers have disabled SSL entirely and display a warning for TLS 1.0 and TLS 1.1. Where old software or a faulty configuration is in use, an attacker can block the TLS connection attempts so that client and server fall back to SSL 3.0 (protocol downgrade attack or SSL 3.0 fallback).

The POODLE attack abuses padding (from “to pad”, “to fill up”), meaning filler data appended to a message to bring it to a required size. With symmetric block ciphers, padding extends the plaintext to a multiple of the fixed block length. Cipher Block Chaining mode (CBC) requires input whose length is a multiple of the block length. Before a plaintext block is encrypted, it is combined with the ciphertext block produced in the previous step using XOR (exclusive or).

Using JavaScript code in any website loaded in the browser, an attacker can decrypt data that was transmitted in encrypted form (e.g. HTTP session cookies) by having the browser resend it to the server while the encrypted records are modified byte by byte. Both the injection of the malicious JavaScript code and the interception of the encrypted data can be carried out through a man-in-the-middle attack.

The vulnerability had been exploitable since 1999, the year TLS 1.0 was introduced.

Countermeasures

Since man-in-the-middle attacks endanger a wide range of Internet services, SSL version 3.0 should be switched off on all servers and in all client applications. Where this is not possible for compatibility reasons, the discoverers of the vulnerability recommend supporting the signalling cipher suite value TLS_FALLBACK_SCSV. This prevents a connection from being forced down to SSL 3.0, and likewise prevents a fallback from TLS 1.2 or TLS 1.3 to a TLS 1.1 or TLS 1.0 connection.
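To make the TLS_FALLBACK_SCSV mechanism concrete, the following is an added example written for this page (it is not code from the Wikipedia article or from any TLS library). It models only the decision a server makes when it sees a ClientHello, and a client that retries with a lower version after a failed attempt. The version numbers and the SCSV value 0x5600 are those defined in the RFCs; the cipher suite list, the helper names (server_process_hello, simulate_fallback) and the "dropped versions" set used to model a downgrade are constructed for the illustration.

```python
"""TLS_FALLBACK_SCSV (RFC 7507) handling, modelled in plain Python.

Added illustration for this page; not the article's or any library's code.
Versions are (major, minor) tuples as carried on the wire.
"""

TLS_FALLBACK_SCSV = 0x5600            # signalling cipher suite value from RFC 7507
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = (3, 0), (3, 1), (3, 2), (3, 3)
VERSIONS = [SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2]   # ascending order
AES128_CBC_SHA = 0x002F               # TLS_RSA_WITH_AES_128_CBC_SHA, a normal suite


def server_process_hello(client_version, cipher_suites, server_max, server_min):
    """Server-side check on a ClientHello.

    Returns ("ok", negotiated_version) or ("alert", alert_name).
    RFC 7507: if the SCSV is present and the server supports a version higher
    than the one the client offered, the hello is a fallback and is refused.
    """
    if client_version < server_min:
        # e.g. SSL 3.0 disabled on the server: refuse outright
        return ("alert", "protocol_version")
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return ("alert", "inappropriate_fallback")
    return ("ok", min(client_version, server_max))


def previous_version(version):
    """The next lower protocol version, or None below SSL 3.0."""
    idx = VERSIONS.index(version)
    return VERSIONS[idx - 1] if idx > 0 else None


def simulate_fallback(client_max, client_min, server_max, server_min,
                      dropped_versions, client_sends_scsv=True):
    """Model a client that retries one version lower whenever an attempt
    fails before the server answers (constructed model of a downgrade).

    dropped_versions: set of versions whose attempts never reach the server.
    client_sends_scsv: whether the client adds TLS_FALLBACK_SCSV on retries.
    """
    version = client_max
    first_attempt = True
    while version is not None and version >= client_min:
        suites = [AES128_CBC_SHA]
        if not first_attempt and client_sends_scsv:
            suites.append(TLS_FALLBACK_SCSV)   # only on a downgraded retry
        if version not in dropped_versions:
            return server_process_hello(version, suites, server_max, server_min)
        version = previous_version(version)
        first_attempt = False
    return ("fail", "no version left")


if __name__ == "__main__":
    blocked = {TLS_1_2, TLS_1_1, TLS_1_0}   # constructed: every TLS attempt fails
    # Legacy client without the SCSV, server still allows SSL 3.0: downgraded.
    print(simulate_fallback(TLS_1_2, SSL_3_0, TLS_1_2, SSL_3_0, blocked, False))
    # Same situation with the SCSV: the server sees SSL 3.0 + SCSV and refuses.
    print(simulate_fallback(TLS_1_2, SSL_3_0, TLS_1_2, SSL_3_0, blocked, True))
    # SSL 3.0 disabled on the server: refused regardless of the client.
    print(simulate_fallback(TLS_1_2, SSL_3_0, TLS_1_2, TLS_1_0, blocked, False))
```

The three calls at the bottom correspond to the three situations the text distinguishes: a legacy client and a legacy server end up on SSL 3.0; with TLS_FALLBACK_SCSV the server answers with the inappropriate_fallback alert instead; and with SSL 3.0 switched off the server refuses with protocol_version. A client that genuinely supports nothing newer than TLS 1.0 never sends the SCSV on its first attempt, so it is not locked out.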

Some TLS implementations also accept arbitrary padding bytes. This is permitted by the TLS specification, since checking the padding bytes is optional. Only cipher suites that use AES in Galois/Counter Mode (GCM), available from TLS 1.2, are therefore considered secure.
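The following added example illustrates both the padding and CBC description above and the point about implementations that accept arbitrary padding bytes. It is written for this page and is not code from the article or from any TLS implementation. It assumes 16-byte blocks (as with AES) and the pad-then-encrypt record layout shared by SSL 3.0 and TLS 1.x; the MAC is left out, and the block cipher is a deliberately insecure keyed XOR that only serves to show how CBC chains one block into the next. The function names (pad_ssl3, unpad_tls, and so on) and the sample record are constructed.

```python
"""CBC chaining and padding checks: SSL 3.0 style versus TLS 1.0+ style.

Added illustration for this page, not the article's or any library's code.
Toy block cipher (keyed XOR) is NOT secure; it only makes chaining visible.
"""

BLOCK_SIZE = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block 'cipher': XOR with the key (self-inverse)."""
    assert len(key) == BLOCK_SIZE and len(block) == BLOCK_SIZE
    return xor(block, key)


toy_block_decrypt = toy_block_encrypt


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    """Each plaintext block is XORed with the previous ciphertext block
    (the IV for the first block) before it is encrypted."""
    assert len(padded) % BLOCK_SIZE == 0
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK_SIZE):
        prev = toy_block_encrypt(key, xor(padded[i:i + BLOCK_SIZE], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    assert len(ciphertext) % BLOCK_SIZE == 0
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK_SIZE):
        block = ciphertext[i:i + BLOCK_SIZE]
        out.append(xor(toy_block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


def pad_ssl3(data: bytes) -> bytes:
    """SSL 3.0: fill to the next block boundary. The final byte holds the
    number of filler bytes before it; the filler bytes are arbitrary."""
    filler = BLOCK_SIZE - (len(data) % BLOCK_SIZE) - 1     # 0..15
    return data + bytes(filler) + bytes([filler])


def pad_tls(data: bytes) -> bytes:
    """TLS 1.0+: same layout, but every filler byte equals the length byte."""
    filler = BLOCK_SIZE - (len(data) % BLOCK_SIZE) - 1
    return data + bytes([filler]) * (filler + 1)


def unpad_ssl3(padded: bytes) -> bytes:
    """SSL 3.0 receiver: only the length byte is inspected."""
    if not padded or len(padded) % BLOCK_SIZE:
        raise ValueError("bad record length")
    filler = padded[-1]
    if filler >= BLOCK_SIZE:
        raise ValueError("bad padding")
    return padded[:len(padded) - filler - 1]


def unpad_tls(padded: bytes) -> bytes:
    """TLS 1.0+ receiver: every padding byte must equal the length byte.
    (A receiver that skips this loop behaves like unpad_ssl3.)"""
    if not padded or len(padded) % BLOCK_SIZE:
        raise ValueError("bad record length")
    filler = padded[-1]
    if filler + 1 > len(padded):
        raise ValueError("bad padding")
    if any(b != filler for b in padded[-(filler + 1):]):
        raise ValueError("bad padding")
    return padded[:len(padded) - filler - 1]


def accepts(unpad, padded: bytes) -> bool:
    try:
        unpad(padded)
        return True
    except ValueError:
        return False


def demo():
    """Corrupt one filler byte of a valid record and ask both receivers.
    Returns (ssl3_accepts, tls_accepts)."""
    key, iv = bytes(range(16)), bytes(16)              # constructed sample values
    record = pad_tls(b"Cookie: session=abc123")         # 22 bytes + 10 padding
    assert cbc_decrypt(key, iv, cbc_encrypt(key, iv, record)) == record
    damaged = bytearray(record)
    damaged[-2] ^= 0xFF                                  # a filler byte, not the length byte
    return accepts(unpad_ssl3, bytes(damaged)), accepts(unpad_tls, bytes(damaged))


if __name__ == "__main__":
    print(demo())   # the SSL 3.0 style check accepts the damaged record, TLS rejects it
```

The point the example makes is the one from the two paragraphs above: because the SSL 3.0 receiver looks at nothing but the final byte, any record whose last decrypted byte happens to be a small number passes the padding check, whereas the TLS receiver rejects it. An implementation that skips the per-byte comparison therefore reintroduces the SSL 3.0 behaviour even when it speaks TLS.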

Web browsers

  • Mozilla Firefox from version 34 (October 2014) deactivates SSL 3.0. In older Firefox versions (as well as in Mozilla Thunderbird and SeaMonkey), the setting security.tls.version.min must be set to the value "1" in about:config.
  • In Google Chrome and Chromium, SSL 3.0 is switched off manually with the command-line parameter --ssl-version-min=tls1. From version 40 (January 2015), Chrome can be operated securely without this parameter.
  • In Internet Explorer, under “Internet Options” → “Advanced” → “Security”, the checkmark for “Use SSL 3” must be removed. With Internet Explorer 6, supplied with Windows XP, the successor protocol TLS 1.0 must be activated at the same place.
