In late 2014, an attack known as POODLE (Padding Oracle On Downgraded Legacy
Encryption) came to the attention of the security world. This attack showed the
vulnerabilities introduced by using legacy protocols with weak encryption.

POODLE was designed to take advantage of browser communications that use SSL
3.0 to provide encryption and authentication services. In practice, SSL has
been superseded by Transport Layer Security (TLS) as a means to provide secure
data transmission over the Internet. The situation that allows this attack to
take place occurs when a browser doesn’t support TLS but does support SSL 3.0.
When the browser encounters a situation where TLS is not an option, it reverts
to SSL 3.0 as its encryption option. An attacker noticing this situation can
insert themselves into the communication session and force the browser to use
SSL 3.0 instead.

If an attacker is able to successfully exploit this situation, they can then
exploit a design defect in the SSL 3.0 technology to carry the attack further.
The defect allows an attacker to alter the padding at the end of each block and
thus make it less secure. If this attack continues, the attacker can eventually
gain access to resources and data they should not be able to access.

To prevent this attack, browsers and servers should be configured so that
SSL 3.0 cannot be used.
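
One way to check the server side of that mitigation, as an added example that is not part of the original article: a small auditor that reads server configuration text and reports every nginx `ssl_protocols` or Apache `SSLProtocol` directive that still permits SSL 3.0. The function names and the sample configuration are hypothetical, and the Apache handling is a simplified model that conservatively assumes the `all` shortcut includes SSLv3.

```python
import re

# Simplified model of two real directives: nginx `ssl_protocols` and Apache
# mod_ssl `SSLProtocol`. Include files and vhost inheritance are not resolved.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.IGNORECASE)
# Conservative assumption: Apache's `all` shortcut may include SSLv3.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def enabled_protocols(directive, args):
    """Return the set of protocol names (lowercase) a directive leaves enabled."""
    tokens = args.lower().split()
    if directive.lower() == "ssl_protocols":      # nginx: plain allow-list
        return set(tokens)
    enabled = set()                               # Apache: tokens applied left to right
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = APACHE_ALL if name == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:                                     # bare token replaces the set
            enabled = set(names)
    return enabled


def find_sslv3(config_text):
    """Return (line_number, line) for every directive that still permits SSL 3.0."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match and "sslv3" in enabled_protocols(match.group(1), match.group(2)):
            findings.append((number, line.strip()))
    return findings


# Constructed sample configuration lines, not taken from any real server.
SAMPLE = """\
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv3
SSLProtocol all -SSLv2
# ssl_protocols SSLv3;
SSLProtocol -all +TLSv1.2
"""

if __name__ == "__main__":
    for number, line in find_sslv3(SAMPLE):
        print(f"line {number}: SSL 3.0 still enabled -> {line}")
```

A directive that only removes SSLv2 from `all` is reported, because SSLv3 is still left enabled by it.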