TLS (transport layer security), the successor to and still commonly called SSL (secure sockets layer), is the cryptographic protocol that lets billions of people across the world use the internet while protecting their privacy and the security of their data. It forms the very foundation of website security.
The strength of TLS protection lies in the encryption algorithms and security parameters that it works on. These algorithms and parameters differ from one SSL/TLS version to another. When a security element of a TLS version is found to be seriously vulnerable, that version of SSL/TLS is deprecated and is replaced by a newer version.
Until now, there have been six versions of SSL and TLS in total, with TLS 1.3 being the latest of them. Today, TLS 1.2 and TLS 1.3 are the only two TLS versions that are secure enough to be trusted by major browsers.
The TLS protocol is primarily used for communication between servers and clients, so the latest TLS version is used only if both the client and the server support it. If both entities negotiate a secure TLS version for their communication, it’s virtually impossible for an attacker to execute a man-in-the-middle (MiTM) attack.
Now, here comes the TLS downgrade attack.
A TLS downgrade attack tricks the client and server into using older protocols or insecure parameters for encrypting the information in transit. Once that is done, the attacker tries to intercept and/or alter the information by exploiting flaws in the older protocol versions or weak cryptographic algorithms.
POODLE, FREAK and Logjam are three of the deadliest downgrade attacks that we’ve seen to date. All these attacks are different in nature and rely on different methods to weaken security. Let’s see each of them one-by-one to learn about them and how you can protect your server against them.
POODLE (Padding Oracle On Downgraded Legacy Encryption) is arguably the most infamous downgrade attack that we’ve witnessed. It exploits a TLS connection by downgrading it to SSL 3.0. Once the connection has been downgraded, an attacker needs only 256 requests over SSL 3.0 to recover one byte of an encrypted message. This vulnerability led to SSL 3.0’s deprecation across the internet.
The most obvious and easiest way to protect your web server against the POODLE attack is simply to disable support for the SSL 3.0 protocol version. Ideally, you shouldn’t be using any TLS version preceding TLS 1.2, as all of them have been found to be vulnerable.
The FREAK (Factoring RSA Export Keys) attack exploits a class of deliberately weak export cipher suites introduced decades ago at the behest of US government agencies so that foreign encrypted communication could be decrypted. FREAK works by tricking the server into using an export cipher suite whose RSA moduli are less than 512 bits. Such a key can be easily factored with today’s computing power.
If you’re not sure whether your website is vulnerable to FREAK or not, then you can go to this website to check it. If your website is vulnerable, then you must disable support for any export-grade cipher suites in software using SSL/TLS.
The Logjam attack allows an attacker to intercept an HTTPS connection by downgrading it to 512-bit export-grade cryptography. It is quite similar to the FREAK attack, except that Logjam targets the Diffie-Hellman key exchange instead of the RSA key exchange.
To protect your server from Logjam, you must disable support for all DHE_EXPORT cipher suites on your servers. This prevents an attacker from downgrading the connection to a 512-bit export-grade DH key.
Downgrade attacks work because the attacker somehow succeeds in tricking the server and client into falling back to insecure protocols or weakened parameters. That small window of opportunity is open only because you haven’t closed it by disabling support for weak protocols and parameters.
To protect against all known and unknown TLS downgrade attacks, the best thing you can do is update all your systems to the latest versions of TLS. That way you won’t have to support any backward compatibility, and you’ll be able to safely disable server support for all TLS protocols except TLS 1.2 and 1.3 as a rule of thumb. These two versions don’t share any of the major vulnerabilities of their predecessors, which is why they’re quite safe to use.
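The four mitigations above (drop SSL 3.0 for POODLE, drop RSA export suites for FREAK, drop DHE_EXPORT suites for Logjam, allow only TLS 1.2 and 1.3) can be checked mechanically against a server's enabled protocol and cipher-suite list. The following audit is an added example, not code from the original article; the policy dict shape and the sample legacy policy are constructed here, while the cipher-suite names are real IANA identifiers.

```python
"""Audit a TLS policy for the downgrade paths discussed above.

Assumption: the policy is a dict {"protocols": [...], "cipher_suites": [...]}
listing the protocol versions and IANA cipher-suite names a server enables.
That shape is invented for this example, not any server's real config format.
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
SAFE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def audit_tls_policy(policy):
    """Return (attack, detail) findings; an empty list means no known downgrade path."""
    findings = []
    for proto in policy["protocols"]:
        if proto == "SSLv3":
            findings.append(("POODLE", f"{proto} enabled"))
        elif proto in WEAK_PROTOCOLS:
            findings.append(("legacy protocol", f"{proto} predates TLS 1.2"))
    for suite in policy["cipher_suites"]:
        if "_EXPORT" not in suite:
            continue  # only export-grade suites open FREAK/Logjam
        if suite.startswith(("TLS_DHE_", "TLS_DH_")):
            findings.append(("Logjam", f"{suite} allows 512-bit DH"))
        elif suite.startswith("TLS_RSA_"):
            findings.append(("FREAK", f"{suite} allows 512-bit RSA"))
        else:
            findings.append(("export cipher", suite))
    return findings


def harden_tls_policy(policy):
    """Return a copy restricted to TLS 1.2/1.3 and non-export suites."""
    return {
        "protocols": [p for p in policy["protocols"] if p in SAFE_PROTOCOLS],
        "cipher_suites": [s for s in policy["cipher_suites"] if "_EXPORT" not in s],
    }


# Constructed sample: a legacy server still offering every downgrade path above.
LEGACY_POLICY = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "cipher_suites": [
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",         # FREAK
        "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",  # Logjam
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # modern, kept
    ],
}

if __name__ == "__main__":
    for attack, detail in audit_tls_policy(LEGACY_POLICY):
        print(f"{attack}: {detail}")
    print("after hardening:", audit_tls_policy(harden_tls_policy(LEGACY_POLICY)))
```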