What is a POODLE attack?

How does a POODLE attack work?

In a POODLE (Padding Oracle on Downgraded Legacy Encryption) attack, the attacker will intercept the connection between your browser and a web server. They will then force your browser to downgrade the server's security protocol to SSL 3.0 from TLS 1.0 to steal your confidential information.

Specifically, the attacker exploits a vulnerability in the SSL (3.0) protocol that is still supported on older browsers and web servers. TLS (1.0) replaced SSL in 1999 due to security flaws. TLS (1.3) is now the industry standard.

What is a protocol? Protocols like SSL, or Secure Sockets Layer, authenticate and encrypt communication between your browser and web servers – to make sure your data isn’t eavesdropped on. For example, SSL will make sure that google.com really is google.com and verify that any data from google.com really came from there.

1. In the first stage of a POODLE attack, the attacker performs a man-in-the-middle attack (MITM). And with your help, it also convinces your browser into running JavaScript, through a social engineering attack.

You’re also more at risk here if you’re connected to unsecured public Wi-Fi. Since you and the attacker both need to be connected to the same network, these Wi-Fi hotspots and their lack of encryption make it easier for attackers to intercept the connection.

2. Next, the attacker convinces the web server to use the old SSL 3.0 protocol. The attacker does this by repeatedly dropping connections. These dropped connections confuse the server into thinking that you can’t support newer protocols like TLS 1.2, so it falls back to an older one like SSL 3.0. This action is called a “protocol downgrade attack” or a “downgrade dance.”
3. Now that all of your communication between the website and the web server is using the weaker SSL 3.0 protocol, the attacker unleashes the POODLE attack to decrypt parts of your communication and steal your private information.

(What is the CVE of the original POODLE attack? The CVE-ID associated with the original POODLE attack is CVE-2014-3566. F5 Networks filed for CVE-2014-8730 too).

What can be stolen in a POODLE attack?

All of your browser data could be stolen in a POODLE attack, including your passwords and session cookies. Your information can also be stolen in other types of cyberattack. What is a cyber attack?

Any web server that supports SSL 3.0 and older versions of TLS is prone to POODLE attacks. Luckily, recent versions of browsers like Chrome, Firefox, and Safari block websites that still use SSL 3.0 and old versions of TLS (1.0 and 1.1). It’s best that servers are configured to only support newer protocols like TLS 1.2 and 1.3 to prevent POODLE attacks.

Why do web servers support old protocols? It's likely that servers like these are using extremely old software and configurations.

What's the difference between SSL, TLS, HTTP, and HTTPS?

• SSL (Secure Sockets Layer) is the original and largely deprecated security protocol invented in the 1990s.
• TLS (Transport Layer Security) was an upgrade to SSL and is used to secure most websites. The most recent version of TLS was released in 2008.
• When a website starts with HTTPS it is encrypted using SSL or TLS. It is also known as end-to-end encryption.
• When a website begins with HTTP, avoid it because it isn't secure.

What can you do to prevent POODLE attacks?

POODLE attacks teach us the importance of self-security in a world that can treat encryption like a magic wand.

Most of us believe that encryption is the most important part of SSL and TLS, but verification and authentication is just as crucial. If you aren’t interacting with who you think you are, an attacker can easily hit you with a man-in-the-middle attack. This means that they can position themselves between you and the person or website you’re trying to engage with, manipulating the flow of information – or money, in some instances.

Knowing the difference between a scam and a genuine message, email, or phone call will protect you against social engineering attacks. POODLE attackers rely on you not knowing the difference to get past the first step in a typical POODLE attack.

Here are some tips on preventing POODLE attacks

1. Know what a social engineering scam looks like: During a POODLE attack, the attacker usually uses a social engineering scam to try and trick you into running JavaScript on your browser.

These scams often come disguised as phone calls from your ISP or customer service departments. They can also look like phishing emails and text messages, designed to get you to click on a link that, in this case, could force your browser into running JavaScript.

2. Deactivate SSL 2.0 and 3.0: If you own or are the administrator of a web server, deactivate or remove SSL versions 2.0 and 3.0. They contain dangerous security flaws for users. Instead, use the latest versions of TLS for maximum user security.
3. Upgrade your browser: You should never ignore notifications to update your browser, since they usually fix security vulnerabilities. Luckily, SSL 3.0 was more or less deprecated when the security team at Google found a major POODLE vulnerability in 2014. But it's scary that up until then SSL 3.0 was still widely used. So you never know what danger you could be in if you continue to put off updates.
4. Use a VPN on public Wi-Fi: Think again before you work from coffee shops (or any other public place) and connect to their free Wi-Fi. For a POODLE attack to work, you and the attacker have to be connected to the same network. And because public Wi-Fi isn’t encrypted, you’re giving attackers (who naturally lurk around Wi-Fi hotspots) a huge head start. The NordVPN app will encrypt your connection wherever you are and help keep your precious information hidden from interceptors.