What is it?

Secure Sockets Layer (SSL), and the more modern Transport Layer Security (TLS) are encryption/decryption techniques used by computers when transferring data; https (“hypertext transfer protocol secure”) web sites use this technology. There are several algorithms that can be used to do the de/encryption. When a client computer contacts a server computer, they negotiate which algorithm to use. SSL/TLS both use port 443.

Padding Oracle On Downgraded Legacy Encryption (POODLE) is an attack that tricks a server into using the less secure “legacy” encryption algorithm (SSL3) so that the traffic can be more easily decrypted by the attacker. The original Google blog post, “This Poodle Bites” (linked below) explains the attack in more detail.

Why is it a risk?

An attacker who can decrypt traffic travelling through a device can create a man-in-the-middle attack to either eavesdrop on communications (think banking information) or alter communications (think virus infection).

A man-in-the-middle attack is one where an attacker takes control of an intermediary device (like a router) and accesses the communications passing through it.

WiFi routers are especially attractive to attackers.

The OpenSSL vulnerabilities link below lists all known SSL vulnerabilities since 2002, their description and their severity.

How can you mitigate the risk?

To mitigate this kind of attack you must disable SSL on your equipment, only allowing the more secure TLS.

The digi77 link below provides links to tests for BEAST, HEARTBLEED, POODLE, DROWN and FREAK (client browser SSL) which you can use to determine if your server or client is vulnerable.

OpenSSL, link below, strongly recommends that you upgrade your server to version 1.1.1j if possible. If your system must be compliant with Federal Information Processing Standards (FIPS), then you should update to version 1.0.2 and follow additional configuration.

Resources:

Google Security Blog – This Poodle Bites
https://security.googleblog.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

OpenSSL vulnerabilities
https://www.openssl.org/news/vulnerabilities.html

digi77 SSL/TLS grade A
https://www.digi77.com/mitigating-the-beas-theartbleed-poodle-attack-attack-on-ssl-tls-grade-a/

OpenSSL Downloads
https://www.openssl.org/source/

Share →