What is POODLE and TLS_FALLBACK_SCSV? How To Check if the SSL Connection Supports TLS_FALLBACK_SCSV Using Testssl Tool

What is TLS/SSL?

SSL stands for Secure Sockets Layer, a technology that secures the connection between two machines (client and server) and keeps the data exchanged between them safe.
TLS stands for Transport Layer Security and is an updated version of SSL. The following are a few versions, with the latest one at the bottom:

  • SSLV2
  • SSLV3
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3

How HTTPS/TLS/SSL works?

Please watch this video first to understand how https/ssl/tls works:

What is POODLE?

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. In this attack, an attacker acting as a MiTM (Man in The Middle):
(1) first downgrades the TLS connection to SSLV3;
(2) then, if the cipher suite uses RC4 or a block cipher in CBC mode, retrieves partial bytes of the encrypted text and can later recover the full plaintext.

What is TLS_FALLBACK_SCSV?

SCSV stands for Signaling Cipher Suite Value. TLS_FALLBACK_SCSV is a mechanism that ensures a downgrade of the TLS/SSL version is a valid one, and refuses the connection if it is not.

How does it work?

  • Sending TLS_FALLBACK_SCSV is recommended for a client that is knowingly repeating an SSL/TLS connection attempt with a lower protocol version.
  • When the server sees the TLS_FALLBACK_SCSV signal, it compares the highest protocol version it supports with the version indicated in the client hello message.
  • If the client’s version is lower, the server responds with a new alert called inappropriate_fallback.
  • The point here is that the server knows the client supports something better, so the connection should have negotiated that.
  • The inappropriate_fallback alert is a “fatal” error, i.e. the SSL/TLS connection is aborted.

Example

  • The client and the server both have TLSv1.2
  • The client sends a “client-hello” message with TLS_FALLBACK_SCSV and TLSv1.2
  • A MiTM (Man in The Middle) tries to downgrade the version and sends the request with TLSv1.1
  • The MiTM repeatedly interferes and tries to downgrade the version
  • The server knows TLSv1.2 is available at the client, hence the connection should be aborted

What if the client doesn’t support the server’s best protocol (example – TLSv1.2)?

If the client doesn’t support the best version available at the server, the server agrees to use the best TLS version available at the client. So if the server has TLSv1.2 and the client supports TLSv1.1, the connection will happen on TLSv1.1.
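
The server-side check from "How does it work?" and the no-fallback case just described, as an added Python example (not code from the original post or from any TLS library). The ClientHello bytes are constructed samples and the helper names (build_client_hello, parse_client_hello, server_decision) are hypothetical; the cipher suite value 0x5600 and alert number 86 are the ones assigned in RFC 7507.

```python
import struct
# Added illustration: helper names are hypothetical, sample messages are constructed.
TLS_FALLBACK_SCSV = 0x5600       # signaling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86      # fatal alert description (RFC 7507)
PROTOCOL_VERSION = 70            # fatal alert: no protocol version in common
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
AES_CBC, AES_GCM = 0x002F, 0xC02F            # two ordinary cipher suites for the samples
SERVER_VERSIONS = [0x0301, 0x0302, 0x0303]   # assumed server configuration

def build_client_hello(version, suites):
    """Constructed sample: minimal ClientHello handshake message, no extensions."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_client_hello(msg):
    """Return (client_version, cipher_suites) from a ClientHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) < 35:                       # version + random + session id length
        raise ValueError("truncated ClientHello")
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 35 + body[34]                      # skip version, random and session id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    size = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if size % 2 or pos + size > len(body):
        raise ValueError("bad cipher suite list")
    return version, [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, size, 2)]

def server_decision(msg, server_versions):
    """Apply the fallback check first, then ordinary version negotiation."""
    client_version, suites = parse_client_hello(msg)
    if TLS_FALLBACK_SCSV in suites and client_version < max(server_versions):
        return ("alert", INAPPROPRIATE_FALLBACK)   # client could have done better
    usable = [v for v in server_versions if v <= client_version]
    if not usable:
        return ("alert", PROTOCOL_VERSION)
    return ("negotiated", VERSIONS[max(usable)])

if __name__ == "__main__":
    retry = build_client_hello(0x0302, [AES_CBC, TLS_FALLBACK_SCSV])  # constructed retry
    print(server_decision(retry, SERVER_VERSIONS))
```

A TLSv1.1 hello without the signal is negotiated normally, while the same hello carrying the signal is rejected by a server that supports TLSv1.2.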

What if only SSLV3 is supported by the client?

  • In this case SSLV3 will be agreed, so there is no downgrade.
  • The attack only works with block ciphers in CBC mode.
  • If the cipher suite is RC4, then the attack is likely to fail.
  • If SSLV3 is disabled on the server or the client, POODLE will not happen.
  • The only reason for a server to support SSLV3 is to support IE6 users, because IE6 doesn’t enable TLSv1.0.

How to prevent Nginx from POODLE?

Here is a post explaining “How you can prevent Nginx from POODLE attack against SSLV3?”

How to check if TLS_FALLBACK_SCSV is supported?

testssl is a command-line tool that can check whether TLS_FALLBACK_SCSV is supported. Run the following command with the -Z option, providing the URL to test:

# Download testssl with the following command
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
# Change into the cloned directory
cd testssl.sh
# Run the test with the following command
./testssl.sh -Z google.com