Wednesday, October 15, 2014


Daniel Fox Franke (via Hacker News):

This post is meant to be a “simple as possible, but no simpler” explanation of POODLE. I’ve tried to make it accessible to as many readers as possible and yet still go into full and accurate technical detail and provide complete citations. However, as the title implies, I have a second goal, which is to explain not merely how POODLE works, but the historical mistakes which allow it to work: mistakes that are still with us even though we’ve known better for over a decade.


The problem stems from browser vendors’ desire to be able to cope with buggy servers and middleboxes which advertise a protocol version that they can’t actually support. To work around such broken behavior, when an SSL handshake fails most browsers (all but Opera[5]) will fall back to an earlier protocol version and retry. This browser behavior, called the “downgrade dance”, makes it trivially vulnerable to downgrade attacks.


This is the basis of the Vaudenay padding-oracle attack. An attacker who can get the server to reveal whether a ciphertext decrypts to something with valid padding or not, can then guess the contents of any block of plaintext one character at a time, and get confirmation when the guess is correct.


Vaudenay also originally believed that the fact that TLS treats all padding errors as fatal, shutting the connection and discarding the session key, meant that the full attack wasn’t possible: that the attacker got to take one guess at one byte and nothing more. POODLE, using ideas already foreshadowed by BEAST, shows that in the browser context, this isn’t necessarily so.


Within the confines of SSL v3.0, POODLE cannot be fixed. However, the downgrade dance which enables it can be.


Now, though, I am going to step onto my soapbox and say: disabling SSL v3.0 does not go far enough. It is time to aggressively deprecate as many old versions of TLS as possible.
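The padding rule that makes the oracle Franke describes possible, as an added example that is not taken from his post: SSL 3.0 examines only the final length byte of a CBC record (and its MAC does not cover the padding), whereas TLS 1.0 checks every padding byte. The record layout and filler values below are constructed for illustration.

```python
# Added example, not from the quoted posts: the SSL 3.0 CBC padding check
# beside the TLS 1.0 one, run over a decrypted record laid out as
# data || MAC || padding || length-byte. Records below are constructed.

BLOCK = 16  # AES block size, assumed for the constructed records


def ssl3_check_padding(decrypted: bytes, block_size: int = BLOCK):
    """SSL 3.0 (RFC 6101, section 5.2.3.2): only the final length byte is
    examined; the padding bytes are arbitrary and not covered by the MAC, so
    a block passes whenever its last byte is a valid length.
    Returns data||MAC, or None if the record is rejected."""
    if not decrypted:
        return None
    pad_len = decrypted[-1]
    if pad_len >= block_size or pad_len + 1 > len(decrypted):
        return None
    return decrypted[: -(pad_len + 1)]


def tls_check_padding(decrypted: bytes):
    """TLS 1.0 (RFC 2246, section 6.2.3.2): every padding byte must equal the
    length byte, so a block whose contents the sender did not choose is
    rejected regardless of what its last byte happens to be."""
    if not decrypted:
        return None
    pad_len = decrypted[-1]
    if pad_len + 1 > len(decrypted):
        return None
    if any(b != pad_len for b in decrypted[-(pad_len + 1):]):
        return None
    return decrypted[: -(pad_len + 1)]


def pad_record(payload: bytes, filler: int, block_size: int = BLOCK) -> bytes:
    """Pad data||MAC to a block boundary using `filler` for the padding bytes.
    SSL 3.0 accepts any filler; TLS 1.0 accepts it only if filler == pad_len."""
    pad_len = (block_size - (len(payload) + 1) % block_size) % block_size
    return payload + bytes([filler]) * pad_len + bytes([pad_len])


def last_block_accepted(last_block: bytes, block_size: int = BLOCK):
    """Constructed record: one block of data||MAC followed by a block that is
    supposed to be entirely padding (length byte == block_size - 1).
    Returns (accepted_by_ssl3, accepted_by_tls) for that trailing block."""
    record = b"\x00" * block_size + last_block
    return (ssl3_check_padding(record, block_size) is not None,
            tls_check_padding(record) is not None)
```

With a full block of padding, SSL 3.0 accepts any 16-byte block whose last byte is 15, which is why the oracle only needs to confirm one byte at a time; TLS rejects the same block.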

Matthew Green:

The rough summary of POODLE is this: it allows a clever attacker who can (a) control the Internet connection between your browser and the server, and (b) run some code (e.g., script) in your browser to potentially decrypt authentication cookies for sites such as Google, Yahoo and your bank. This is obviously not a good thing, and unfortunately the attack is more practical than you might think. You should probably disable SSLv3 everywhere you can. Sadly, that’s not so easy for the average end user.

Update (2014-10-15): Poodlebleed:

The below form can be used to test if your server is running with SSL 3.0 enabled. Although disabling SSL 3.0 may cause failed connections to your ssl service for a small portion of users running older browsers, this action prevents the large portion of modern browsers from being eavesdropped while attempting to access your services in a secure manner.

Update (2014-10-19): Glenn Fleishman:

Poodle may finally put IE6 to death, because IE6 can’t use modern web security protocols. […] Despite the introduction of TLS in 1999 and the fact that the last version of SSL (SSLv3) was released in 1996, web servers generally have continued to support SSLv3 to this day because it’s the latest version that IE6 supports.
