Changing of the Guard

Once-formidable SSL 3.0 encryption protocol is showing its age as security flaws are exposed.

ssl-webIn 1996, Janet Jackson became the highest-paid musician of all time, Beanie Babies were “must-have” Christmas presents, AOL ruled the Internet and the Macarena was the most popular dance in the world.

Things change.

Version 3.0 of the Secure Sockets Layer (SSL) protocol became an indispensable element of network security when it was released back in ’96 to protect data being sent across the Internet by providing encryption and authentication between servers and applications. Compared to other developments of the day, it has had spectacular longevity — it’s still supported by as much as 98 percent of the world’s most popular web sites, by some accounts.

It’s had a good run, but just like the “Rachel” haircut and Hootie and the Blowfish, SSL 3.0 is past its prime.

Several recently uncovered flaws have essentially made the protocol too vulnerable to be of any practical value. The POODLE, FREAK and Logjam attacks all are designed to exploit SSL 3.0 vulnerabilities through “man-in-the-middle” attacks that will force security downgrades and make encrypted information easier to crack. The Google researchers who uncovered the POODLE attack say SSL 3.0 is “an obsolete and insecure protocol.”

The ‘Downgrade Dance’

SSL 3.0 actually was replaced with an improved protocol — Transport Layer Security (TLS) version 1.0 — back in 2011. TLS 1.0 was based upon SSL 3.0 and is considered only marginally more secure. Versions 1.1 and 1.2 of TLS are significantly more secure and fix many of the vulnerabilities in SSL 3.0 and TLS 1.0. In April 2014, the National Institute of Standards and Technology (NIST) issued guidelines recommending that government agencies use TLS 1.1 and 1.2.

However, most TLS implementations include provisions for backward compatibility with SSL 3.0 to interoperate with legacy systems and ensure a smooth user experience. A protocol “handshake” process negotiates the latest protocol version common to both the client (browser) and the server (website), and then implements that version for authentication.

A team of Google researchers announced last fall that they had uncovered a significant flaw they termed POODLE, which stands for “Padding Oracle on Downgraded Legacy Encryption.” In a POODLE attack, the attacker interferes with the protocol handshake process and forces browsers and websites to accept SSL 3.0. In a process Google calls the “protocol downgrade dance,” the attacker simply interrupts secure connections, forcing the browser to retry with the next-lower protocol. Once the downgrade process has moved through all versions of TLS to SSL 3.0, the attacker can exploit known vulnerabilities to decrypt secure HTTP cookies, which could let them steal information or take control of the victim’s online accounts.

Freak Show

FREAK is another man-in-the-middle attack designed to force a downgrade in security measures. The flaw, which stands for “Factoring RSA Export Keys,” was announced in March by a group of cryptographers who discovered a weakness in the SSL/TLS protocols that had actually been introduced on purpose decades earlier for compliance with U.S. security regulations.

This flaw allows an attacker to force secure connections to a lower level of encryption — 512 bit — which can be read and attacked with relative ease. It is an artifact of 1990s U.S. security policy requiring software being exported out of the country to be limited to “export-grade” encryption with key pairs of 512 bits or less. The idea was to make it easier for the U.S. to break the codes of any foreign adversaries.

“The 512-bit export grade encryption was a compromise between dumb and dumber,” cryptographer Matthew Green of Johns Hopkins University wrote in a blog post explaining the vulnerability. “In theory it was designed to ensure that the NSA would have the ability to ‘access’ communications, while allegedly providing crypto that was still ‘good enough’ for commercial use.”

The group that uncovered the flaw discovered that support for this weaker “export-grade” encryption was still baked in to numerous Web servers, browsers and other SSL implementations. The bug affects SSL/TLS servers and clients, and Microsoft, Google, Apple and Mozilla all have patches in the works.

Shutting It Down

In May, a second group of cryptographers announced they’d found another flaw based on cryptographic export restrictions. Unlike a FREAK attack, which tricks both ends of a conversation into accepting downgraded security, a Logjam attack exploits a vulnerability in the key exchange to make both believe they are running stronger keys than they actually are. The middleman in the attack can then eavesdrop or actually insert data into the communication path.

In response to this rash of flaws, Microsoft, Apple, Google and Mozilla have all issued patches for these vulnerabilities and are working to make their browsers more secure. Mozilla disabled SSL 3.0 in Firefox 34, as did Google with Chrome 40 and Microsoft with Internet Explorer 11. Apple has not gone that far yet, but it did block Safari’s use of vulnerable cryptographic ciphers and has stopped using SSL 3.0 for its push notifications service.

In the long run, organizations likely will work to reconfigure web servers to address the SSL issue at its root. In the meantime, security experts say organizations and users should take a proactive approach to the vulnerability by updating to the latest version of their chosen web browser, or turn off support for SSL 3.0. A comprehensive guide for turning off SSL support in a variety of browsers is located at https://zmap.io/sslv3/browsers.html.

When it was introduced, SSL 3.0 represented a quantum leap in Internet security, and it was the de facto standard for cryptography for the better part of two decades. By providing an authentication process that ensured data confidentiality and integrity, it allowed millions of websites to protect online transactions with customers. However, POODLE and other exploits have now exposed critical flaws in the protocol, and there’s no room for nostalgia in data security.