A small number of businesses may be unable to disable the SSL 3.0 protocol because of compatibility issues with older systems or browsers. For this edge case, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack can be mitigated by disabling the CBC-mode ciphers with SSL 3.0. POODLE exploits the fact that an SSL 3.0 receiver checks only the last byte of the CBC padding, so if no CBC-mode cipher suite can be negotiated under SSL 3.0 there is no padding oracle left to attack.

DigiCert neither recommends nor supports this workaround. However, if for compatibility reasons you cannot disable the SSL 3.0 protocol, you need to disable the CBC-mode ciphers with SSL 3.0 and accept the RC4 weaknesses described below.

Problem with Disabling the CBC-Mode Ciphers

In practice the SSL 3.0 protocol offers only two kinds of cipher: block ciphers in CBC mode (RC2, DES, 3DES, IDEA and, on servers that allow the TLS AES suites under SSL 3.0, AES) or the RC4 stream cipher. By disabling the CBC-mode ciphers, you force every SSL 3.0 connection onto RC4, which has its own well-known weakness: statistical biases in its keystream. Certain keystream bytes take some values noticeably more often than a uniformly random keystream would produce, and several practical attacks build on exactly that.

The weakness of RC4 was first exploited in practice against the WEP protocol used to protect WiFi networks. WEP formed each per-packet RC4 key from a 24-bit IV followed by the fixed shared key, so the keys used for different packets differed only in their first three bytes, which made the related-key attacks on RC4's key scheduling (Fluhrer, Mantin and Shamir, 2001) practical.

The best-known single-byte bias in the RC4 keystream, and the one that matters for SSL 3.0 and TLS, is in the second keystream byte: it is 0x00 with probability of about 2/256 (1/128), twice the 1/256 that a uniform keystream would give, and smaller biases exist throughout the first 256 bytes of keystream. A single connection leaks almost nothing through these biases, but when the same plaintext (an HTTP cookie, for example) is encrypted under a fresh key in many connections, the attacker can collect enough ciphertexts to exploit the biases statistically and recover the repeated plaintext; this is the basis of the 2013 attacks on RC4 in TLS (AlFardan, Bernstein, Paterson, Poettering and Schuldt).
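The second-byte bias and the "same plaintext, many connections" attack it enables, as an added, runnable demonstration that is not part of the DigiCert article. The RC4 implementation is textbook RC4; the attack simulation (random 128-bit key per connection, the attacker seeing only ciphertext) and the sample secret are constructed for this example. The `broadcast_attack` function measures how often the second keystream byte is 0x00 and, from the ciphertexts alone, votes for the second plaintext byte:

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm (KSA), then the first n PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def broadcast_attack(plaintext: bytes, sessions: int, seed: int = 1):
    """Simulate `sessions` connections that each encrypt the same plaintext with RC4
    under a fresh random 128-bit key (only the first two keystream bytes are needed).

    Returns (fraction of sessions whose second keystream byte was 0x00,
             the attacker's guess for plaintext[1]).
    The attacker sees only ciphertext: because keystream byte 2 is 0x00 about twice
    as often as any other value, the most frequent second ciphertext byte is the
    plaintext byte itself.
    """
    rng = random.Random(seed)            # seeded so the experiment is reproducible
    zeros = 0
    votes = [0] * 256
    for _ in range(sessions):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        z = rc4_keystream(key, 2)
        if z[1] == 0:
            zeros += 1
        votes[plaintext[1] ^ z[1]] += 1  # the observed second ciphertext byte
    guess = max(range(256), key=votes.__getitem__)
    return zeros / sessions, guess


if __name__ == "__main__":
    secret = b"Cookie: session=deadbeef"   # constructed sample; only its second byte is targeted
    frac, guess = broadcast_attack(secret, sessions=20000)
    print(f"P[Z2 = 0] ~ {frac:.5f}  (uniform: {1/256:.5f}, Mantin-Shamir: {2/256:.5f})")
    print(f"recovered plaintext[1] = {guess:#04x} ({chr(guess)!r}), true = {secret[1]:#04x}")
```

With 20000 simulated connections the measured frequency lands near 0.0078 rather than 0.0039, and the vote for the second byte is won by the true plaintext byte by a wide margin. Recovering other positions works the same way with the weaker per-position biases, which is why the attack needs on the order of millions of connections for a full cookie rather than thousands; the point for this page is that RC4 under SSL 3.0 is a measurable weakness, not a safe fallback.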

CBC-Mode Ciphers Vulnerable to the POODLE Attack

  • SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  • SSL_RSA_WITH_IDEA_CBC_SHA
  • SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  • SSL_RSA_WITH_DES_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DH_DSS_WITH_DES_CBC_SHA
  • SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA
  • SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DH_RSA_WITH_DES_CBC_SHA
  • SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DHE_DSS_WITH_DES_CBC_SHA
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DHE_RSA_WITH_DES_CBC_SHA
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DH_anon_WITH_DES_CBC_SHA
  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_DH_DSS_WITH_AES_128_CBC_SHA
  • TLS_DH_DSS_WITH_AES_256_CBC_SHA
  • TLS_DH_RSA_WITH_AES_128_CBC_SHA
  • TLS_DH_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DH_anon_WITH_AES_128_CBC_SHA
  • TLS_DH_anon_WITH_AES_256_CBC_SHA