What is a downgrade attack?
In software security, a downgrade attack is a network attack that forces the communicating computers to abandon a secure mode of connection (for example, an encrypted one) and fall back to an older, weaker protocol or software version, so that known vulnerabilities in that older version can be exploited.
Also known as version rollback attacks, downgrade attacks have been especially dangerous for TLS clients that still support earlier versions of TLS. You can find more information about the weaknesses of older TLS versions in our TLS 1.0 deprecation article.
As discussed in the next section, downgrade attacks are usually carried out as one component of a man-in-the-middle (MITM) attack.
What is a man-in-the-middle attack?
In a man-in-the-middle (MITM) attack, communication between two devices in a computer network is compromised by a third party, the “man in the middle.” In a passive MITM attack, the attacker “taps” the communication, capturing information in transit without changing it. If the attacker modifies or tampers with the information itself, the attack is an active MITM attack.
MITM attacks are one of the earliest known forms of network attacks, being implemented as early as the 1980s. They have long been used by cyber crooks for thievery, fraud, spying, or destroying data.
MITM attacks exploit the fact that a computer network can be manipulated so that all network devices send their traffic to the attacker instead of to the router or other nodes. MITM attackers often use tactics such as phishing to redirect traffic to websites they have designed to look like legitimate ones. A very common way to launch a MITM attack is to set up a fake node on a publicly available network, such as a coffee shop’s WiFi.
Being a “man in the middle,” the attacker can manipulate the intercepted content as they see fit before relaying it to its intended destination. In most cases, victims of a MITM attack will never be aware that they are under attack.
The three best-known vulnerabilities that MITM attackers use to launch downgrade attacks are POODLE, Logjam, and FREAK.
- POODLE attack. Discovered in 2014, the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack forces modern browsers and websites to fall back from TLS to SSL 3.0. An attacker then needs at most 256 SSL 3.0 requests to decrypt one byte of data. Attackers using POODLE can steal personal information such as cookies and passwords, breaching a user’s confidential data on a website.
- Logjam attack. The Logjam attack lets a MITM attacker downgrade the connection to 512-bit export-grade cryptography. With such weak encryption, all data transmitted over the connection can be intercepted and manipulated. Logjam exploits the Diffie-Hellman key exchange, which has often been used for online banking transactions and email.
- FREAK attack. The Factoring RSA Export Keys (FREAK) attack exploits a weakness in 1990s SSL/TLS protocols that was introduced to comply with US government cryptography export regulations. Policy at the time limited exported software to RSA keys of at most 512 bits, so that they could easily be decrypted by the National Security Agency (NSA). Although the FREAK attack was only disclosed in 2015, the protocol vulnerability had existed since the 1990s.
What are the security concerns with TLS 1.3’s 0-RTT mode?
TLS 1.3 offers a feature called 0-RTT (zero round-trip time) resumption mode, intended to improve performance.
When a browser completes a TLS handshake with a server for the first time, both the client and the server can store a pre-shared encryption key locally. This is known as the resumption master secret.
If the browser connects to the same server again later, it can use this resumption key to send encrypted application data in its very first message to the server, without performing the full handshake a second time.
However, 0-RTT resumption has a caveat: the early data is sent before the server has interacted at all, which means an attacker can capture the encrypted 0-RTT data and re-send it to the server, i.e. replay it. If the server is misconfigured, it may accept the replayed requests as valid, effectively allowing the attacker to trigger actions the client never intended.
The solution to this issue is to ensure that all 0-RTT requests are idempotent.
Idempotent requests can safely be sent as 0-RTT requests, since replaying them has no additional effect. A quick rule of thumb is to use only GET requests with 0-RTT resumption.
What is an idempotent request?
In computer science, an operation is idempotent if performing it multiple times produces the same result as performing it once.
For example, a POST request over HTTPS that increments a counter in the database is not idempotent, because each repetition changes the state of the web application, while a GET request for the main web page is idempotent.
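The replay problem and the idempotency rule from the two sections above, as an added example that is not part of the original article: a toy Python request handler that refuses state-changing requests arriving as 0-RTT early data. It assumes the TLS terminator (for example a reverse proxy) marks such requests with the RFC 8470 `Early-Data: 1` header; the `CounterApp` class, its endpoints and `deliver_twice` are constructed for this illustration.

```python
# Methods that are safe to serve from 0-RTT early data because replaying
# them changes nothing (the article's "GET only" rule of thumb, plus the
# other HTTP methods defined as idempotent).
IDEMPOTENT_METHODS = {"GET", "HEAD", "OPTIONS"}


class CounterApp:
    """Hypothetical web app: one idempotent and one state-changing endpoint."""

    def __init__(self):
        self.counter = 0

    def handle(self, method, path, headers):
        """Return (status, body) for one request.

        Assumption: a TLS-terminating proxy sets "Early-Data: 1" on every
        request it received as 0-RTT data (RFC 8470). Such requests may be
        replays, so anything non-idempotent is answered with 425 Too Early,
        which tells the client to resend after the full 1-RTT handshake.
        """
        early = headers.get("Early-Data") == "1"
        if early and method not in IDEMPOTENT_METHODS:
            return 425, "Too Early"
        if method == "POST" and path == "/counter":
            self.counter += 1            # not idempotent: every copy counts
            return 200, str(self.counter)
        if method == "GET" and path == "/":
            return 200, "hello"          # idempotent: replaying is harmless
        return 404, "Not Found"


def deliver_twice(app, method, path, early):
    """Deliver the identical request twice, as a replayed 0-RTT request
    would be, and return (first status, second status, final counter)."""
    headers = {"Early-Data": "1"} if early else {}
    first, _ = app.handle(method, path, headers)
    second, _ = app.handle(method, path, headers)
    return first, second, app.counter


if __name__ == "__main__":
    app = CounterApp()
    # A replayed early-data POST never reaches the counter.
    print(deliver_twice(app, "POST", "/counter", early=True))
    # An early-data GET is served both times with no side effect.
    print(deliver_twice(app, "GET", "/", early=True))
```

With nginx as the TLS terminator, `ssl_early_data on;` together with `proxy_set_header Early-Data $ssl_early_data;` produces exactly this header for the application.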
How does SSL.com protect your website from downgrade attacks?
To shield your website from TLS downgrade attacks, the practical approach is to update it to the most recent version of TLS. This lets you refuse backward-compatibility fallbacks and disable your website’s support for older versions of TLS.
SSL.com offers TLS digital certificates with 2048-bit or larger keys and SHA-2 signatures. With this level of encryption, you can readily protect your online assets from POODLE, Logjam, and FREAK attacks.
SSL.com’s TLS certificates safeguard your website from MITM attacks by encrypting all data with a secret key known only to the original client and server. MITM attackers cannot read or tamper with the encrypted data without knowledge of this secret key.