The latest evolution of a high-profile security flaw potentially exposes UK banks' web site traffic to eavesdropping.
The POODLE (Padding Oracle On Downgraded Legacy Encryption) security flaw first surfaced in October and was thought to affect only the obsolete - but still widely used - Secure Sockets Layer (SSL) 3.0 crypto protocol. Researchers revealed last week that the POODLE flaw also affects versions of TLS (short for Transport Layer Security).
"A successful attack will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical," he warned.
Qualys, through SSL Labs, has developed a free scanning tool that lets website owners check their sites for cryptographic problems, including, but not limited to, POODLE.
A review of UK banking websites using Qualys’s SSL/TLS scanning tool shows that many are vulnerable to POODLE, including RBS (max: TLSv1, min: SSLv3); OneAccount (max: TLSv1, min: SSLv3); HSBC (max: TLSv1, min: SSLv3); Halifax (max: TLSv1, min: SSLv3); NatWest (max: TLSv1, min: SSLv3); Cooperative Bank (only TLSv1); Barclays (max: TLSv1.2, min: SSLv3); Tesco Bank (max: TLSv1, min: SSLv3) and Santander (max: TLSv1.2, min: TLSv1).
"Security (transport-layer or otherwise) at nearly all major UK banks is pretty abysmal," security consultant Paul Moore told El Reg.
"TLSv1 alone is 15 years old and of the above, only Santander supports the strongest protocols. That gives you some insight into how antiquated our banking system really is," he added.
Qualys estimates that around 10 per cent of web servers are vulnerable to the POODLE attack against TLS.
A hostile attacker might be able to exploit the POODLE bug to unwrap the contents of an encrypted transmission, leaving passwords, login cookies and other sensitive data open to wiretapping.
Disabling SSL 3.0 support in web applications is recommended since there's no patch as such, as an advisory by US CERT explains. The same researchers who unearthed the Poodle vulnerability have however been able to develop a fix for TLS-based systems.
Virgin laid bare
We began looking into this issue early last week, before the latest twist in the POODLE bug saga, in response to a reader request. El Reg reader Richard G came to us after getting nowhere in complaining to his banks after discovering his RBS One Account (formerly the Virgin One Account) was still running SSL 3.0.
Sure enough it turned out that RBS is sticking with SSL 3.0 for its online banking website, weeks after the discovery of the POODLE vulnerability that made the already antiquated cryptographic protocol hopelessly unsafe.
Browser makers have updated their software in the aftermath of POODLE. Richard G told us that support for the out-of-date protocol was causing him all sorts of problems. "My online banking no longer works with Firefox (support for SSL 3.0 dropped in FF 34)," Richard explained. "Or Chrome (dropped a while back). Or IE 11 when it is fully patched. Connections aren't allowed with Firefox or Chrome on Android either for the same reasons."
"The browsers have moved to drop SSL 3.0 and thereby cut the risk. That's very commendable. Unfortunately RBS hasn't sorted out its end," he added.
"I did contact RBS to outline the problem and ask if it was planning on moving to a protocol that wasn't actually compromised. The person I talked to didn't understand, and they suggested that it was the different browsers at fault," Richard explained.
Moore, who helped us confirm that our reader had cause for concern about the security state of RBS's website, commented: "I wonder if it is scared of dropping all those customers on really old browsers."
However, obsolete browsers are currently in minimal use, so the "backward compatibility" argument is weak, according to Moore. "Although disabling SSL 3.0 should be mandatory, it’s clearly not a priority," Moore concluded. "We should expect and demand better of our financial institutions."
POODLE against TLS affects TLSv1, 1.1 and 1.2, and as these are the foundation of nearly all websites requiring in-transit encryption, the only workable option is to patch systems. "That doesn’t negate the need to remove support for SSL 3.0, nor promote its use until a suitable patch has been applied," Moore added.
El Reg left voicemails for RBS's personal banking PR specialists last week but is yet to hear back with anything substantive.
The pre-login page here now suggests using IE. "In other words, if your browser is rejecting the site for security reasons then use one that doesn't check. Brilliant. Presumably the number of helpline calls is increasing," Richard concluded. ®
For banks that support both TLSv1 and SSL 3.0 the system should work in the following way.
- Older browsers (IE6 on XP) can connect using SSL 3.0, which is now defunct and insecure.
- Modern browsers connect over TLSv1, falling back to SSL 3.0 as/when necessary.
- Bleeding-edge browsers (FF34, Chrome v39 et al) implement a minimum fallback level (currently TLSv1). If a session tries to fall back to SSL 3.0, it will refuse the connection on the grounds that SSL 3.0 is now insecure.
Thanks to Paul Moore for this additional piece of explanation.
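The three fallback rules above can be modelled in a few lines. This is an added example, not code from the article or from Paul Moore: it is a simplified model rather than a real TLS handshake, the profile names are labels chosen here, and the bleeding-edge maximum of TLSv1.2 is an assumption (the explanation only gives that profile's minimum). The server ranges are three of the min/max pairs quoted from the scan.

```python
# Added example: a model of the fallback rules listed above, not real TLS.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # oldest to newest

# (highest version offered, lowest version accepted). The bleeding-edge
# maximum of TLSv1.2 is an assumption; the page only gives its minimum.
CLIENTS = {
    "older": ("SSLv3", "SSLv3"),
    "modern": ("TLSv1", "SSLv3"),
    "bleeding-edge": ("TLSv1.2", "TLSv1"),
}

# (min, max) as reported by the scan quoted in the article.
SERVERS = {
    "RBS": ("SSLv3", "TLSv1"),
    "Barclays": ("SSLv3", "TLSv1.2"),
    "Santander": ("TLSv1", "TLSv1.2"),
}


def negotiate(client, server, failing=()):
    """Return the negotiated version, or None if the client gives up.

    failing: versions whose handshake attempts fail in transit, which is
    what makes a client retry at the next version down.
    """
    c_max, c_min = (ORDER.index(v) for v in client)
    s_min, s_max = (ORDER.index(v) for v in server)
    for offer in range(c_max, c_min - 1, -1):
        if ORDER[offer] in failing:
            continue  # attempt failed, fall back one version
        chosen = min(offer, s_max)  # server picks the best version it shares
        if chosen >= s_min and chosen >= c_min:
            return ORDER[chosen]
    return None


def lands_on_ssl3(server, failing=("TLSv1", "TLSv1.1", "TLSv1.2")):
    """Client profiles that end up on SSL 3.0 when every TLS attempt fails."""
    return [name for name, c in CLIENTS.items()
            if negotiate(c, server, failing) == "SSLv3"]


if __name__ == "__main__":
    for bank, cfg in SERVERS.items():
        print(bank, "clean:", {n: negotiate(c, cfg) for n, c in CLIENTS.items()},
              "SSL 3.0 after failed TLS:", lands_on_ssl3(cfg))
```

The model covers only the SSL 3.0 fallback path; it says nothing about POODLE against TLS, which the article notes has to be patched separately.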