GUIDE

The POODLE Exploit and How To Defeat It

The POODLE hacking method gives snoopers the opportunity of cracking the encryption that protects your Web transmissions. The attack exploits a weakness in the method of encryption used to protect HTTPS protocol. This security weakness threatens the success of eCommerce, because HTTPS provided the security that consumers needed in order to confidently enter their credit card details into a Web page.


Secure Socket Layer

In the early days of the World Wide Web, the Netscape browser dominated. The free browser’s owners, Netscape Corporation wanted to encourage the public usage of the Internet and discovered that a free and automatic security system would encourage the growth of sales over the Internet, thus making the Web a place to shop. They invented the Secure Socket Layer to provide this security.

Computers that communicate with each other all need to follow the same set of rules. They need to use a common book of codes so that the receiver of a request can understand the contents of each message that it gets in and package the reply in terms that the requestor can understand. This set of rules is called a protocol.

The standard protocol for requests and delivery of Web pages is called the Hypertext Transfer Protocol. The “http://” at the front of a Web page address indicates that the browser is using this standard to access the code for the Web page. You will often see “https://” instead. This stands for Hypertext Transfer Protocol Secure. This is that protocol that Netscape invented because it is HTTP with added SSL.

SSL became an industry standard and HTTPS has quickly become the preferred method for requesting and delivering Web pages. The transfer of data between the two computers in an HTTPS connection is encrypted. When the two computers establish a connection, the client (the requestor) asks for verification of the server’s (the replier) identity. This is provided by a certificate, which is held on a third party computer. The certificate includes a public encryption key, which the client uses to encrypt all subsequent messages.

Back to top


SSL Problems

SSL evolved up to a third version, known as SSL 3.0. However, a number of security weakness raised concerns about the system. A hacker who was able to tap a wire on the Internet, or attract traffic through a fake WiFi hotspot, could intercept the certificate request and provide his own copy. The fake certificate would mimic the real one in every detail, except for the encryption key. The duped client computer would then use the hacker’s key to encrypt all messages. The hacker would then be able to read all the information that the client computer sent, including the owner’s credit card details and log in credentials.

This type of trick is called a “man in the middle” attack. The hacker software decrypts the client’s message, stores it, re-encrypts it with the server’s actual encryption key and then sends it on. Replies traveling from the server to the client are intercepted, re-encrypted and then forwarded. Thus, neither party realizes that there is a snooper standing between them.

Back to top


Transport Layer Security

A further type of man in the middle attack on SSL 3.0 made the Internet Engineering Task Force declare SSL defunct in 2015. A more secure alternative to SSL had already been developed. This is the Transport Layer Security protocol, which is usually referred to as TLS. The problem with fake certificates could be resolved procedurally, but a defect in the encryption system meant that the whole system was fundamentally flawed. The hack that killed off SSL revolves around the block method used to transform text to render it encrypted.

TLS is now maturing and has moved beyond its first version. As you will read later, TLS 1.0 can be tricked into rolling back to SSL 3.0 procedures, so you also need to protect yourself against that version of the protocol.

Back to top


What is the POODLE SSL Exploit?

The big security weakness with the encryption method used for SSL is the basis of POODLE. POODLE stands for “Padding Oracle On Downgraded Legacy Encryption.” The “Downgraded Legacy” part of the name will be explained in the next section of this report. However, let’s first look at where this malware exists.

The POODLE exploit program does not have to be resident on your computer. It can be introduced anywhere between your computer and the server that your browser intends to request a Web page from. Like many encryption systems, SSL uses cipher-block chaining. This takes a chunk of text and arranges it into a block. The hack injects one test byte into each block of text to reveal the encryption key.

The method relies on the ability to inject JavaScript into the code of a Web page that is being delivered. This event could occur at the server, during transmission, or on the receiving computer. So, you can’t protect yourself against this attack with anti-malware software, because the malicious program is most likely not resident on your computer.

Back to top


Backwards Compatibility

The ability to communicate with any computer in the world provides the driving force behind all networking, Internet, and Web protocols. Unfortunately, not everyone keeps their software right up to date. Some people still run older versions of browsers and some Internet software producers take time to create new versions of their programs.

With this in mind, it is common practice for Internet protocols to include some form of backwards compatibility. The negotiation procedures for TLS follow this principle. When a client tries to open a session with a server, the initial contact will be made following the TLS protocol. However, if the server doesn’t understand that request, it is assumed that it is still running SSL 3.0. The client computer will then switch to SSL 3.0 procedures to try to get a connection to the server.

This is the “Downgraded Legacy” part of the POODLE name. The developers of POODLE couldn’t hack TLS. However, they discovered this backward compatibility feature in the protocol’s procedures. By forcing a client to switch to SSL 3.0, the hackers were able to implement the well-known cipher-block chaining attack.

As this is a man-in-the-middle exploit, the server may well be capable of using TLS. However, the client computer does not know this, because the hacking software pretends it is the server.

Back to top


Disabling SSL 3.0 in your Browser

You don’t need to buy any anti-virus software in order to defeat POODLE. You just need to block your browser from trying a request in SSL 3.0 when it gets no response using TLS. The fix is particularly easy to implement for Internet Explorer and Google Chrome and is the same no matter which operating system you run. If you use both you only have to block SSL 3.0 in one of them and the other will automatically have the new settings.

Disable SSL 3.0 in Internet Explorer

You can disable SSL 3.0 in Internet Explorer by following these steps.

1. Go To Internet Options

Click on the cog symbol at the top right of the browser and select “Internet Options” from the drop-down menu.
Internet Explorer Menu

2. Go to Advanced Internet Options

Click on the Advanced tab in the Internet Options screen and scroll down to the Security section in the Settings panel.

SSL settings for Internet Explorer

3. Deselect SSL 3.0

Deselect the “Use SSL 3.0″and “Use TLS 1.0” checkboxes. Click the Apply button and then press OK.

Instructions for Google Chrome

The underlying network settings of Google Chrome are exactly the same as those for Internet Explorer. You just get to the Settings screen by a slightly different route.

1. Go to Google Chrome Settings

Click on the menu at the end of the address field at the top of the browser and select Settings from the drop-down menu.

Google Chrome menu

2. Go to Advanced Chrome Settings

Scroll down in the Settings page and click on Advanced.

The Advanced Settings option in Google Chrome

3. Go to Proxy Settings

Continue down to the System section and click on the square next to “Open proxy settings.”

Open proxy settings in Google Chrome

This will open the Internet Properties window.

4. Open Advanced Proxy Settings

Click on the Advanced tab and scroll down to the Security section in the Settings panel.

5. Deselect SSL 3.0

Deselect the “Use SSL 3.0″and “Use TLS 1.0” checkboxes. Click the Apply button and then press OK.

SSL settings for Internet Explorer

Instructions for Opera

SSL 3.0 usage is blocked by default in Opera 12. Therefore, the easiest way to protect yourself from POODLE is to upgrade your browser.

1. Download the latest Opera Build

Navigate to the Opera website’s Download page. Download the relevant build for your system and install it.

The Opera browser Download page

2. Finish Install and Overwrite all Opera Installtion

Let the installer run through. Click on the Terms of Use agreement and the wizard will overwrite your old Opera version with a new POODLE-protected version.

Instructions for Mozilla Firefox

The Mozilla system is a little more complicated. You need to open up a special page on your browser with a hidden address.

1. Go to About Config Settings

Type “about:config” in the address field of the browser. You will be warned off with a medieval curse. Click on “I’ll be careful, I promise!” to continue.

The Firefox configuration warning message

2. Search for TLS

Enter “tls” in the search box and then double click on “security.tls.version.min.”

TLS Settings for Firefox

3. Change TLS setting

Enter “2” in the answer pop-up. This will give you TLS version 1.1 as your minimum security protocol. Click on OK to save this setting.

Firefox TLS settings

Instructions for Microsoft Edge

If you run Windows 10 you will have Microsoft Edge. This is the replacement for Internet Explorer and it was written after the POODLE exploit occurred so it has no capabilities of rolling back to SSL 3.0. You don’t need to do anything to disable SSL 3.0 in this browser because it already excluded.

Back to top


Other Browser Vulnerabilities

Web browsers are the gateway to the Internet for the majority of the public and that fact makes them a frequent target for hackers. The producers of browsers are aware of newly discovered weaknesses and produce updates frequently to close off these access routes for malicious attacks. This is why it is important to check regularly for new versions of your favorite browser and install them. The Qualys Browser Check is a quick way to check that your browser and its plug-ins are all up to date.

Adobe Flash Player

Adobe Flash Player has been found to allow a good route for hackers into browsers and so most security experts recommend not to install its browser extension version. The cookies that Flash downloads onto a computer do not get cleared by the standard browser cookie deletion functions. You can control the inclusion of Flash code in the Web pages you visit with Flashblock, which is available for Firefox.

Block Flash in Chrome

In Google Chrome, you can choose to block or control Flash content by following these instructions.

  1. Click on the menu at the end of the address field and select Settings from the drop-down menu.
  2. Scroll down in the Settings page and click on Advanced.
  3. Continue down the page and click on the “Content settings” arrow in the Privacy and Security section.
  4. Click on the Flash arrow in the “Content settings” page.
  5. Choose whether to block Flash entirely, or to allow it, but only run with specific approval by moving the two settings sliders at the top of the page.

Block Flash in Internet Explorer

In Internet Explorer you can stop Flash inserts running on the pages you visit by controlling the Active-X settings.

  1. Click on the cog at the top right of the browser. Select Safety from the drop-down menu and then click on “ActiveX Filtering” in the sub-menu.
  2. A tick will appear beside this option.
  3. Test the block at the Adobe Flash Player help page.

Block Flash in Microsoft Edge

In Microsoft Edge you can block Flash by following these simple steps.

  1. Click on the three dots menu icon in the top right of the browser. Select Settings from the drop-down menu.
  2. In the Settings menu, scroll down and click on “View Advanced Settings.”
  3. Click the “Use Adobe Flash Player” slider to Off.
  4. Test the block at the Adobe Flash Player help page.

Social Media Buttons and Tracking Libraries

When you visit a Web page that has a row of social media like buttons on it, those buttons record your visit. Therefore, even if you don’t have a Facebook account, Facebook records everywhere you go on the Web. Twitter and Instagram also collect data through the presence of their buttons on a page even if you don’t click on them.

Many sites contain spaces for adverts that are actually delivered by other companies. The third party advertising sector on the Web is dominated by GoogleAds. Website owners can earn a little money by displaying ads. Web advertising can be a lot more sophisticated than bill boards or press adverts because they have the capability to collect data on the people who visit participating websites.

You may have noticed that if you visit a website, considering buying their products, but then leave without buying anything, you then see an advert for that company and its products on every subsequent page you visit. This phenomenon is called retargeting, or remarketing and it is made possible by tracking software.

Trackers collect your personal information and data about your computer, your browser, and your browsing activities. These factors are known as “user agents” and can help identify you even if you disguise your identity with a VPN.

You can defeat tracking by installing a browser extension.

Windscribe produces a browser extension for Google Chrome, Opera, and Firefox. This is a free VPN service, but it includes other privacy utilities, which include a tracker blocker and a social media button remover. These options will protect your computer even when the VPN is not turned on.

Privacy protection in the Windscribe browser extension

The “Split Personality” option of the extension sends out fake settings data for those user agent factors that trackers and identity detection software can use to identify you even if you change your IP address with a VPN.

The Windscribe add-on has a feature called Secure Link, which gives a report on the security risks in each page that loads into your browser.

A Secure.Link report

The Windscribe extension is available for Google Chrome, Firefox, and Opera browsers. Unfortunately, there is no version for Internet Explorer or Microsoft Edge.

Adblock Plus will block tracker codes and remove social media buttons from the sites you visit as well as blocking advertising. This is a free add-on and it is available for Internet Explorer and Microsoft Edge.

Privacy Weaknesses

The open nature of Web technology creates opportunities for hackers to target an individual through the small pieces of information that are contained in the administration headers on the front of every message that crosses the Internet.

The format of the addresses that are used for Internet communication means that each person can be traced to a location. This weakness is exploited by websites that employ regional restrictions to limit access to their content. Governments that want to block access to certain sites also use this information to prevent citizens from reaching those addresses.

VPNs mask a user’s identity by substituting a temporary IP address for the customer’s real address. You can appear to be in another location and the real destination of each connection that you make is hidden from the Internet service provider, so that entry point to the Internet cannot be used to control access to sites.

VPNs create privacy by acting as a substitute for the real source of the connection. Thus, when your computer connects to a Web server, it is actually connecting to the VPN server, which then communicates with the desired server on behalf of the customer’s computer.

Back to top


POODLE SSL Exploit Conclusion

The complexities of the World Wide Web involve a large range of technologies and a lot of points of contact in order to deliver Web services seamlessly. Any system that involves different companies and technologies to make it work creates many points of potential failure. It is these weak points that hackers exploit.

Cybersecurity is a moving target. As soon as one weakness is shut down, hackers will find another. The POODLE exploit is an example of how the very clever people who want to make money for nothing can overcome the strongest defenses.

In the case of SSL, the “good guys” discovered the protocol’s weaknesses and replaced it with an entirely new method of security: TLS. However, the good intentions of those who designed TLS created a weakness that hackers can exploit. The backwards compatibility of TLS to SSL 3.0 offered criminals an opportunity to get back to their old tricks.

Keep all of your software updated to keep ahead of security weaknesses. The fight for security and privacy is a constant struggle. Don’t give up your vigilance. Keep yourself safe.

Image Credit: Marc Bruxelle // ShutterStock


Stephen Cooper Stephen Cooper is a techy geek with a social edge. Downshifting from a successful IT career in Europe, Cooper moved to the Caribbean and now keeps up to speed with Internet technology poolside.

Related Coverage


One response to “The POODLE Exploit and How To Defeat It

  1. Great informative and well articulated article! I never realized the security risks associated with check marking the boxes for“Use SSL 3.0″ and “Use TLS 1.0” since I’d often times change those settings as part of troubleshooting issues connecting to the internet or running into stumbling blocks when visiting certain sites. I had once thought to myself, “…of the items listed, 3.0 is a later edition than 2.0 so why not?” But thanks to your simple and easy-to-understand explanation of the brief history, terminology, and encryption hack methods, I now have a better grasp and understanding of what risks I open myself up to when modifying my internet settings! So thank you, again, for taking the time to put this together. I will definitely be sharing this page with others!

Leave a Reply

Your email address will not be published. Required fields are marked *