December 10, 2014

POODLE comes back (TLS v1.x impacted)

About two months ago, Bodo Möller of the Google Security Team (together with Thai Duong and Krzysztof Kotowicz) discovered POODLE (Padding Oracle On Downgraded Legacy Encryption), a vulnerability in SSL. It allowed attackers to perform a Man-in-the-Middle (MitM) attack, intercepting traffic between a user’s browser and an HTTPS website and decrypting sensitive information such as the user’s authentication cookies.

Two days ago, Adam Langley, an SSL guru from Google, discovered a new vulnerability, CVE-2014-8730, in TLS v1.x: some implementations fail to verify the padding structure after decryption in CBC mode.
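The difference between a lax and a strict padding check on a decrypted CBC record, as an added example (not code from the original post or from any TLS library). The function names, the 20-byte MAC length and the sample records are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAC_LEN 20 /* HMAC-SHA1 tag length (assumed for the samples) */

/* Lax check: only the final length byte is examined, as SSL 3.0 allowed.
   The padding bytes themselves are never compared. */
int lax_padding_ok(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1)
        return 0;
    return (size_t)rec[len - 1] + 1 + mac_len <= len;
}

/* Strict TLS check: the last pad_len + 1 bytes must all equal pad_len.
   The scan length depends only on the record length and the loop does not
   stop at the first mismatch. */
int tls_padding_ok(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1)
        return 0;
    uint8_t pad_len = rec[len - 1];
    size_t scan = len < 256 ? len : 256;
    unsigned bad = (size_t)pad_len + 1 + mac_len > len; /* padding overruns MAC */
    for (size_t i = 0; i < scan; i++) {
        uint8_t mask = (uint8_t)(0u - (unsigned)(i <= pad_len)); /* 0xff inside padding */
        bad |= (unsigned)(mask & (rec[len - 1 - i] ^ pad_len));
    }
    return bad == 0;
}

/* Constructed samples: 16 content bytes + 20 MAC bytes (zeros) + 12 bytes of
   padding. The MAC itself is not verified in this sketch. */
static const uint8_t good_rec[48] = { [36] = 11,11,11,11,11,11,11,11,11,11,11,11 };
static const uint8_t bad_rec[48]  = { [36] = 0xde,0xad,0xbe,0xef,1,2,3,4,5,6,7,11 };
static const uint8_t long_rec[48] = { [47] = 255 };

int main(void)
{
    printf("good: lax=%d strict=%d\n", lax_padding_ok(good_rec, 48, MAC_LEN),
           tls_padding_ok(good_rec, 48, MAC_LEN));
    printf("bad:  lax=%d strict=%d\n", lax_padding_ok(bad_rec, 48, MAC_LEN),
           tls_padding_ok(bad_rec, 48, MAC_LEN));
    printf("long: lax=%d strict=%d\n", lax_padding_ok(long_rec, 48, MAC_LEN),
           tls_padding_ok(long_rec, 48, MAC_LEN));
    return 0;
}
```

A record that the lax check accepts but the strict check rejects is the case a server must treat as a bad record, handled identically to a MAC failure.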

The impact of this problem is similar to that of POODLE, with the attack being slightly easier to execute: there is no need to downgrade modern clients to SSL 3 first, TLS 1.2 will do just fine. The main targets are browsers, because the attacker must inject malicious JavaScript to initiate the attack. A successful attack will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical.

According to the most recent SSL Pulse scan (which hasn’t been published yet), about 10% of the servers are vulnerable to the POODLE attack against TLS.

Adam Langley mentioned in his blog: “everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken”.

Ivan Ristić added a new test to the SSLLabs SSL-scanner.