After the POODLE vulnerability was publicized, can MITM attacks now see https traffic? Previously only http websites showed info when sniffed, but now, what about https websites?
POODLE was announced **more than five years ago**, and nearly all implementations dropped SSL3 within two years at most, so 'now' essentially no traffic is subject to it. For sites handling payment cards, which is nearly all retail or B2C, it has been prohibited almost four years. And even when it worked POODLE was MitM (active) but not 'sniffing' (passive). There are dozens of Qs on many Stacks from years ago explaining and discussing this. – dave_thompson_085 Feb 19 '20 at 03:20
2 Answers
Short version: No. While POODLE can be used with MitM to decrypt some HTTPS traffic in specific scenarios, it requires special effort / software (not just Wireshark) and is not going to be usable against up-to-date HTTPS (or any other kind of TLS traffic).
POODLE (Padding Oracle On Downgraded Legacy Encryption) is an attack that can leak data from certain encrypted connections. As with most SSL/TLS attacks, it requires a large number of requests sending the same data; the attacker can generally only decrypt one byte at a time from a specific message that the client (or server) sends repeatedly.
Conditions required for POODLE attacks:
- Victim is using a block cipher (this is common) in CBC mode (this used to be common but is getting less so).
- Counter-based block cipher modes (such as the popular Galois/Counter Mode "GCM") are not vulnerable.
- Stream ciphers are not vulnerable to POODLE in particular, although they may have their own vulnerabilities (the old RC4 cipher, once popular in SSL, has its own weaknesses and is disabled in all modern clients and servers).
- Victim is using SSL protocol version 3.0, or using TLS 1.0 with a lazy implementation which doesn't validate the padding correctly.
- The entire SSL protocol including version 3.0 is long deprecated. TLS 1.0 is also now deprecated, and the specific vulnerable implementations were patched years ago.
- The "Downgraded Legacy Encryption" part refers to tricking the client and server into each thinking the other only supports old protocols; this doesn't work if they either already know that the other supports newer protocols, or if they just refuse to ever use the old and insecure ones.
- Victim is either constantly sending the same message, or can be forced (by the attacker) into doing so.
- This is often the case with web browsers (if the attacker controls content running in the victim's browser, such as from the user visiting an unsecured web page) but not so much with other HTTPS clients and quite rare with SSL/TLS connections used for anything other than HTTPS.
- Attacker has an active man-in-the-middle (MitM) position between the victim client and server, with the ability to intercept and modify traffic in real time.
- Attacker has the time to force the victim to send hundreds of messages for every byte the attacker wants to decrypt.
- Mind you, the attacker usually only bothers stealing a small amount of data, such as a session token from a cookie, so this isn't as many requests as you might think.
You definitely cannot just fire up Wireshark and watch TLS (or even SSL) data get decrypted in real time using POODLE. You can't even decrypt the traffic (using POODLE) from a bunch of passive captures; the attacker needs to actively tamper with each message before letting the server see it. In the right scenario, an attacker can decrypt SSL (or, rarely, TLS) traffic using POODLE, but it requires tools specially written for that purpose, and it requires both the client and the server to support using outdated protocol versions.
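The answer above turns on one detail: an SSL 3.0 receiver only looks at the final padding-length byte, while a correct TLS receiver checks every padding byte, and a "lazy" TLS stack that skips that check behaves like SSL 3.0. The following is an added example (not code from the answer or from any SSL/TLS library) that models just the padding check on an already-decrypted CBC record; the function names, the 16-byte block size and the constructed records are assumptions made here, and the cipher and MAC steps are deliberately left out.

```python
"""
Added example: SSL 3.0 versus TLS CBC padding validation.

Before encryption, a CBC-protected record in both protocols is laid out as
    data || MAC || padding bytes || padding_length
and the MAC covers only the data, never the padding. SSL 3.0 requires only
that padding_length be smaller than the block size; the padding bytes are
unspecified and never inspected. TLS (RFC 5246, section 6.2.3.2) requires
every padding byte to equal padding_length, so a receiver can reject a
record whose padding was not produced by the sender.
"""
import os

BLOCK_SIZE = 16  # assumed AES block size, as used by the CBC cipher suites


def sslv3_padding_ok(plaintext: bytes) -> bool:
    """SSL 3.0 rule: only the last byte matters (length must fit one block)."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    # Legal SSL 3.0 values are 0 .. BLOCK_SIZE-1 filler bytes plus the length byte.
    return pad_len < BLOCK_SIZE and len(plaintext) >= pad_len + 1


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS rule: all pad_len filler bytes and the length byte equal pad_len."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if len(plaintext) < pad_len + 1:
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def lazy_tls_padding_ok(plaintext: bytes) -> bool:
    """The 'lazy implementation' the answer mentions: a TLS stack that only
    reads the length byte is indistinguishable from SSL 3.0 here."""
    return sslv3_padding_ok(plaintext)


def pad_sslv3(record: bytes) -> bytes:
    """Sender-side SSL 3.0 padding: arbitrary filler, then the length byte."""
    pad_len = (BLOCK_SIZE - (len(record) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return record + os.urandom(pad_len) + bytes([pad_len])


def pad_tls(record: bytes) -> bytes:
    """Sender-side TLS padding: pad_len + 1 copies of pad_len."""
    pad_len = (BLOCK_SIZE - (len(record) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return record + bytes([pad_len]) * (pad_len + 1)


def acceptance_rate(checker, record: bytes, pad_len: int, trials: int = 1000) -> float:
    """Fraction of records accepted when the filler bytes are random garbage,
    which is what tampered ciphertext decrypts to. A receiver that accepts
    such records cannot tell genuine padding from tampered padding, and that
    acceptance decision is the oracle the answer describes."""
    accepted = 0
    for _ in range(trials):
        garbage = os.urandom(pad_len) + bytes([pad_len])
        accepted += checker(record + garbage)
    return accepted / trials


if __name__ == "__main__":
    # Constructed sample record: 5 bytes of "data || MAC", so pad_len is 10.
    sample = b"hello"
    print("SSL 3.0 accepts garbage filler:", acceptance_rate(sslv3_padding_ok, sample, 10))
    print("TLS accepts garbage filler:   ", acceptance_rate(tls_padding_ok, sample, 10))
```

Running the block shows the SSL 3.0 and lazy checkers accepting every garbage-padded record while the strict TLS checker accepts none; the strict rule is the property that makes an unmodified TLS 1.0 or later stack immune to this particular oracle, which is why the answer's conditions list both the protocol version and the quality of the implementation.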
The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack affects any connection which uses SSL 3.0 as its encryption standard, along with CBC (Cipher Block Chaining). SSL 3.0 is an old standard and has now been replaced by TLS; the problem stems from the fact that most SSL/TLS implementations remain backward compatible, to help with legacy systems. A malicious attacker can then force the secure connection to fail and fall back to SSL 3.0, which he can then attempt to attack.
SSL 3.0 uses either a block cipher in CBC mode or the RC4 stream cipher. The latter has an RC4 bias, because of which, if the same sensitive data is sent over multiple connections, information regarding the data is leaked. This will, though, require the victim's browser to send hundreds of connections (it needs to make 256 SSL 3.0 requests to reveal one byte of encrypted messages, Wiki). Thus, to make these hundreds of connections, the attacker mounts a MITM attack.
So YES, they can sniff data even though you are using HTTPS!
An interesting point here is that Internet Explorer 6 does not offer support beyond SSL 3.0! So websites had to offer support for SSL 3.0 when IE 6 was initially released.
Ways to prevent this attack from happening?
- Disable the use of SSL 3.0
- Use TLS_FALLBACK_SCSV; you can read more about this here
Why are you bringing up RC4 in an answer about POODLE? Your edited answer still makes it seem like they are related. – schroeder Feb 19 '20 at 07:36
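The second answer's first mitigation, disabling SSL 3.0, is a one-line change in most TLS stacks. As an added example (not code from either answer and not part of any project the page describes), here is a Python `ssl.SSLContext` that refuses SSL 3.0 and, going further than the answer, everything below TLS 1.2, together with a small audit helper that reports which deprecated versions a given floor and option set would still admit. The function names and the `LEGACY_VERSIONS` table are assumptions made here; the block assumes Python 3.7 or later built against OpenSSL 1.1.0g or newer, which `minimum_version` requires.

```python
"""
Added example: a client context with no legacy protocol to fall back to,
plus an audit of which deprecated versions a context would still accept.
"""
import ssl

# Assumed mapping from a human-readable name to the version enum and to the
# legacy OP_NO_* flag that would also exclude it.
LEGACY_VERSIONS = {
    "SSLv3": (ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3),
    "TLSv1": (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    "TLSv1.1": (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that cannot negotiate SSL 3.0, TLS 1.0 or TLS 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already enables certificate and hostname checks;
    # the version floor is what removes the POODLE-era protocols.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Belt and braces for code paths that still consult the legacy flags.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def allowed_legacy_versions(minimum_version, options: int) -> list:
    """Names of deprecated versions admitted by a version floor and option set.
    A version is admitted only if it is at or above the floor AND its OP_NO
    flag is clear. An empty list means a downgrade has nothing to land on."""
    return [
        name
        for name, (version, no_flag) in LEGACY_VERSIONS.items()
        if minimum_version <= version and not (options & no_flag)
    ]


def audit_context(ctx: ssl.SSLContext) -> list:
    """Apply the audit to a live context."""
    return allowed_legacy_versions(ctx.minimum_version, ctx.options)


if __name__ == "__main__":
    print("Legacy versions still allowed:", audit_context(hardened_client_context()))
```

A client built this way never retries a failed handshake with a lower version, so the downgrade step in "Downgraded Legacy Encryption" has nothing to trigger; TLS_FALLBACK_SCSV (RFC 7507), the answer's second mitigation, exists for clients that do retry and is sent automatically by OpenSSL 1.0.1j and later when such a retry happens.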