Security

Vulnerability in the design of SSL version 3.0 | Storm Internet

3 May 2016

By fishtank

- 5 mins read

What is the security problem with SSL 3.0? What is its impact? And how can you turn it off?

SSL/TLS

SSL (server sockets layer) is the process that a browser and web server use to encrypt traffic between the two. There are different versions of SSL. After version 3.0 the committee that writes the definition of that started calling it TLS (transport layer security), but most people still call it SSL. SSL version 3.0 has a security problem so severe that websites are not supposed to use that. The problem is some still do. Or to be more correct they let a web browser request SSL 3.0 even when the web browser supports something newer.

The issue was discovered in 2014. If websites were to just cut off SSL 3.0 people using any Internet Explorer browser older than version 8 would not be able to connect. Instead what the web servers have done is to allow SSL 3.0 but support the newer versions too.

Cookies

The problem with SSL 3.0 is that a hacker can exploit a weakness that will let them read your cookies. That is a problem because the cookies in your browser contain information like your email, userid, session id, bank account number, and so forth.

You can see an example of that in the graphic below. This is the Cookie Manager browser plugin for Firefox. As you can see, in Gmail the cookie with the name OSID has a value that is just a random string of letters. It tells Google something about who you are. If a hacker were able to decrypt that then they could read data about your email. (We don’t know exactly what that means as Google keeps it a secret what OSID stores.)

SSL

When you go to a website like https://gmail.com, the “s” in the address causes the web server to start encrypted communications between your browser and the web server using SSL. It does this by issuing a back and forth handshake to verify your identity. This authentication is to prevent a hacker from spying on or taking over your traffic by using what is called a man-in-the-middle attack. Once it has done that authentication it issues encryption keys as does your browser. Then it uses those to encrypt and decrypt traffic going back and forth.

The POODLE Attack

A hacker can attack this traffic under SSL 3.0 using the man-in-the-middle approach with a hack given the cute name of Poodle, which stands for “Padding Oracle On Downgraded Legacy Encryption.” This works even when using a new browser, which supports SSL > 3.0, like TLS 1.0, because the hacker requests the web server to downgrade the traffic to SSL 3.0. That works because, as we said above, web sites want to be backwards compatible with old browsers.

So, the hacker gets between you and the web server by using a network traffic sniffer tool or malware. They read your traffic and rewrite it. The web server is supposed to know that the traffic has been tampered with. But in this case it does not. Then the hacker decrypts your cookies.

Basically the hack works by attacking the RC4 and CBC encryption algorithms. They use what is called the BEAST attack to rewrite the SSL data packets. That replaces your traffic with made up traffic in a way such that the algorithm reveals 1 byte (i.e., 1 character) of what your real, untampered traffic was. Having figured out 1 byte they repeat the process again until they find the next one and so forth. It takes on average 256 guesses before the hacker finds the correct value for the byte. All of this would not be possible if a web server would not allow all this repeated guessing without shutting off the traffic. But SSL does not work that way.

What is the Impact?

Because TLS is so old (released in 1999) almost no servers use anything older than TLS 1.0 now. TLS 1.0 is the first release after SSL 3.0.

To measure how widespread the problem is today, we would have to know how both (1) how many web browsers are still allowing the downgrade to SSL 3.0 and (2) how many web browsers allow that too.

You can check your own browser against any web server you visit by clicking on the SSL icon in the address bar. As you can see below this connection to The Washington Post is using TLS 1.2.

How to Disable SSL 3

Here are some instructions for how to disable SSL fallback in different browsers for different operating systems so that you do not get attacked this way. Technically what that does is the browser transmits a message called TLS_FALLBACK_SCSV to stop the web server from downgrading SSL traffic.

How is this related to Storm Internet?

At Storm Internet we have upgraded our servers to support TLS_FALLBACK_SCSV which blocks SSL 3.0.

For our customer portal, you can see that we use TLS 1.0.

For our customers who have installed their own web servers they would need to verify that. For example, in Apache you edit the SSLProtocol line in your config file to replace this:

SSLProtocol all -SSLv2 -SSLv3

With:

SSLProtocol -All +TLSv1

Then a few people using old browsers will not be able to access your site. But that number is small and grows smaller every year. Here is a graphic from Redmond Magazine showing how many people around the world are using different operating systems as of 2015. On XP the user needs IT version 8, which is the last version of IE supported on Windows XP. (Windows XP e is common in developing countries around the world. So if you have lots of visitors from 3rd world countries you might check first to see what browser they use. Google Analytics will tell you that.)