Downgrade attacks have been a recurring problem for the SSL and TLS protocols and pose a severe risk if left unchecked.
Read below to learn more about a downgrade attack, how it works, and how to prevent it.
Downgrade attack definition
A downgrade attack is an attack that seeks to cause a connection, protocol, or cryptographic algorithm to drop to an older and less secure version. It is also known as a version rollback attack or bidding-down attack.
The aim is to open the door to vulnerabilities that exist only in the earlier versions. Downgrades are possible because of backward compatibility: the practice of keeping interoperability with legacy clients and servers, which means a peer will still accept old protocol versions and weak cipher suites if asked to. A successful downgrade is a stepping stone to further attacks and can end in data theft, including credentials and personal financial and medical data.
Downgrade attacks are frequently launched against the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, whose purpose is to secure traffic over the internet via cryptography.
Downgrade attacks also target the layer above TLS: stripping HTTPS down to HTTP in web applications (not explored in detail here), or suppressing the STARTTLS upgrade on mail servers so that mail is relayed in plaintext.
Read our blog post on What Is TLS, SSL, HTTP & HTTPS? How Do They Work Together? to learn more about the connection between the SSL/TLS protocols and HTTP/HTTPS.
How does a downgrade attack work?
Typically, a downgrade attack is one stage of a larger attack, since the downgrade by itself does not compromise anything. It creates the conditions for the next stage, usually a cryptographic attack against the weaker version.
The usual approach is a man-in-the-middle (MITM) position, which lets the attacker tamper with the user's traffic. From there, the attacker blocks or corrupts the client's handshake attempts at the higher protocol version. Many clients then retry at the next lower TLS or SSL version to keep the connection working, and a server that still supports that version accepts it. This client-side retry behaviour is known as the downgrade dance.
Depending on the specifics of the attack, once the downgrade is in place the MITM may passively capture traffic between client and server, or actively interfere: sending chosen requests to the server and using its accept/reject responses to decrypt selected ciphertext, such as the session cookie.
The above is only one possible scenario of exploiting the vulnerabilities that a downgraded protocol version reveals. Learn more about the different types of downgrade attacks below!
Types of TLS downgrade attacks
Following are some of the main types of attacks that could use a downgrade approach to achieve their aims.
Whether a downgrade is needed depends on the target: if a system already runs an old or obsolete protocol version (which includes every version of SSL and, since RFC 8996 deprecated them, TLS 1.0 and 1.1), no downgrade is necessary. That is the less common case, so a downgrade step is usually part of the scenarios below.
POODLE
The POODLE attack (Padding Oracle On Downgraded Legacy Encryption) uses a protocol downgrade as its first step. The attacker needs a MITM position on the network (for example, on the same Wi-Fi) and additionally gets the victim's browser to run attacker-controlled JavaScript, typically injected into an unencrypted page. That script makes the browser send many requests to the target HTTPS site, each carrying the victim's cookie.
From the network position, the attacker drops the browser's TLS handshake attempts. After a few failures, a browser that implements the downgrade dance retries with SSL 3.0, and a server that still supports SSL 3.0 for backward compatibility accepts the connection.
Once the connection is on SSL 3.0, the attacker exploits a weakness in its cipher block chaining (CBC) construction: the padding at the end of a record is not covered by the MAC, and only its length byte is checked.
The padding oracle step then works as follows. The attacker's script fixes the request length so that the byte to be recovered sits at the end of a block and the final block consists entirely of padding. The MITM replaces that final block with the ciphertext block containing the target byte and forwards the record. The server accepts it only when the decrypted last byte happens to equal the expected padding length, which occurs roughly once in 256 attempts, and each acceptance reveals one byte of plaintext. Repeating this for every position recovers the session cookie, which lets the attacker hijack the user's session and possibly steal their credentials and data.
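The padding oracle step described above, as an added example that is not the article's code. A toy 8-byte Feistel cipher with HMAC-SHA256 round functions stands in for 3DES; the attack depends only on CBC mode and SSL 3.0's padding rule, not on the block cipher. The keys, the secret cookie, the request layout and the seeded random source are all constructed for the demo.

```python
"""POODLE: recovering a cookie byte by byte through SSL 3.0's CBC padding oracle.

Added example, not the article's code.  A toy 8-byte Feistel cipher (HMAC-SHA256
round functions) stands in for 3DES; the attack depends only on CBC mode and on
SSL 3.0's padding rule.  Keys, cookie and request layout are constructed, and the
random source is seeded so the run is reproducible.
"""
import hmac
import random

BLOCK = 8
MAC_LEN = 8                          # truncated tag so data || MAC || padding lines up on blocks
ENC_KEY = b"demo-session-enc-key"    # constructed
MAC_KEY = b"demo-session-mac-key"    # constructed
SECRET = b"s3cr3tC00kie"             # constructed: the cookie the attacker is after
rng = random.Random(2014)            # seeded for reproducibility; a real stack uses a CSPRNG


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, i):
    return hmac.digest(key, bytes([i]) + half, "sha256")[:4]

def block_encrypt(key, block):       # 4-round Feistel network on an 8-byte block
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def block_decrypt(key, block):       # the same rounds in reverse
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def mac(data):
    return hmac.digest(MAC_KEY, data, "sha256")[:MAC_LEN]

def ssl3_seal(data):
    """Client side. SSL 3.0 padding is L filler bytes followed by the byte L (L < BLOCK);
    the filler is unspecified, so the receiver cannot check it."""
    body = data + mac(data)
    filler = BLOCK - len(body) % BLOCK - 1
    body += bytes(rng.getrandbits(8) for _ in range(filler)) + bytes([filler])
    iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return iv + cbc_encrypt(ENC_KEY, iv, body)

def ssl3_open(record):
    """Server side: True if the record is accepted. This accept/reject answer is the oracle."""
    pt = cbc_decrypt(ENC_KEY, record[:BLOCK], record[BLOCK:])
    filler = pt[-1]
    if filler >= BLOCK:                       # the only padding check SSL 3.0 makes
        return False
    body = pt[:len(pt) - filler - 1]
    return hmac.compare_digest(body[-MAC_LEN:], mac(body[:-MAC_LEN]))

PREFIX = b"POST /"
MIDDLE = b" HTTP/1.0\r\nCookie: sid="

def victim_request(path_pad, body_len):
    """What the attacker's injected script makes the browser send: the attacker picks the
    path and body lengths, the browser appends the cookie it holds for the site."""
    return ssl3_seal(PREFIX + b"a" * path_pad + MIDDLE + SECRET + b"\r\n\r\n" + b"x" * body_len)

def poodle_recover(secret_len, max_tries=20000):
    """Recover the cookie from the network position, about 256 requests per byte."""
    known = len(PREFIX) + len(MIDDLE)               # the attacker knows the request layout
    out = bytearray()
    for j in range(secret_len):
        path_pad = (BLOCK - 1 - known - j) % BLOCK    # put cookie byte j last in its block
        target = (known + path_pad + j) // BLOCK      # data block index holding that byte
        body_len = (-(known + path_pad + secret_len + 4)) % BLOCK  # last block = all padding
        for _ in range(max_tries):
            rec = victim_request(path_pad, body_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
            forged = b"".join(blocks[:-1]) + blocks[target + 1]   # padding block := target block
            if ssl3_open(forged):   # accepted only when the decrypted last byte equals 7
                out.append(7 ^ blocks[target][-1] ^ blocks[-2][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; layout arithmetic is wrong")
    return bytes(out)

if __name__ == "__main__":
    print(poodle_recover(len(SECRET)))   # b's3cr3tC00kie'
```

The forged record keeps every data block and the MAC block intact, so when the substituted last block happens to decrypt to a length byte of 7 the server strips a full block and the MAC verifies; for any other value the MAC covers garbage and the record is rejected. That single accept/reject bit leaks the target byte as 7 XOR the last bytes of the two neighbouring ciphertext blocks.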
FREAK
The FREAK attack (Factoring RSA Export Keys) also combines a MITM with a downgrade. It targets TLS and SSL implementations that still accept export-grade RSA cipher suites, a relic of 1990s US export controls that limits the RSA key to 512 bits.
Instead of downgrading the protocol version, the attacker in the middle rewrites the cipher suite list in the ClientHello so that the server is offered only export-grade RSA suites. A server that still supports them replies with an export suite and a 512-bit temporary RSA key, and a vulnerable client accepts that key even though it never asked for an export suite.
Because affected servers reused the same 512-bit key across many connections, the attacker can factor it offline (a matter of hours on rented hardware), recover the premaster secret of the session, and then decrypt and inject traffic.
Logjam
The Logjam attack works along the same lines as FREAK but targets servers that use TLS with a Diffie-Hellman key exchange. The attacker in the middle rewrites the ClientHello so that only DHE_EXPORT suites are offered, which makes the server choose a 512-bit Diffie-Hellman group, and then rewrites the ServerHello so that the client believes an ordinary DHE suite was negotiated. Because the server's signature covers the DH parameters but not the cipher suite, the client has no way to tell.
The attacker then solves the 512-bit discrete logarithm. Most of that work is a precomputation per DH group that can be done in advance, and since many servers share the same few groups it pays off many times over; after that, the per-connection work is fast enough to forge the Finished messages and take control of the connection.
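The cipher-suite tampering that FREAK and Logjam share, as an added simulation that is not the article's code. The suite names follow OpenSSL's naming and the 512-bit export sizes are the real ones; the ClientHello/ServerHello objects, the server's suite table and the three client-side checks are simplified stand-ins for the TLS 1.2 handshake.

```python
"""Cipher-suite downgrade as used by FREAK and Logjam, simulated.

Added example, not from the original article.  Suite names follow OpenSSL's
naming; the key sizes, message objects and client checks are simplified
stand-ins for the real TLS 1.2 handshake.
"""
from dataclasses import dataclass

# Constructed: what a client of the time offered, strongest first
CLIENT_OFFER = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA", "AES128-SHA"]

# Constructed: suites the server knows, with the key-exchange size it uses for each
SERVER_SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256": 2048,
    "DHE-RSA-AES128-SHA": 2048,
    "AES128-SHA": 2048,
    "EXP-RC4-MD5": 512,               # RSA_EXPORT: 512-bit temporary RSA key (FREAK)
    "EXP-EDH-RSA-DES-CBC-SHA": 512,   # DHE_EXPORT: 512-bit DH group (Logjam)
}

@dataclass
class ClientHello:
    cipher_suites: list

@dataclass
class ServerHello:
    cipher_suite: str
    key_bits: int     # size of the RSA key or DH group sent in ServerKeyExchange

def server(hello, supports_export=True):
    """Picks the first offered suite it supports. With export suites still enabled,
    a hello that offers nothing else gets an export suite and a 512-bit key."""
    for suite in hello.cipher_suites:
        if suite in SERVER_SUITES and (supports_export or not suite.startswith("EXP-")):
            return ServerHello(suite, SERVER_SUITES[suite])
    raise ValueError("no shared cipher suite")

# Three generations of client-side handling of ServerHello / ServerKeyExchange
def client_any_known_suite(offered, sh):
    """Pre-FREAK bug: processes an export key exchange it never asked for."""
    return sh.cipher_suite in SERVER_SUITES

def client_offered_suite(offered, sh):
    """FREAK fix: the chosen suite must be one the client actually offered."""
    return sh.cipher_suite in offered

def client_offered_and_strong(offered, sh, min_bits=2048):
    """Logjam fix on top: refuse undersized key-exchange parameters whatever the suite says."""
    return sh.cipher_suite in offered and sh.key_bits >= min_bits

def freak_attack(offered, client_check):
    """MITM rewrites the ClientHello to offer only an RSA_EXPORT suite; the
    ServerHello and the 512-bit key go back to the client unchanged."""
    sh = server(ClientHello(["EXP-RC4-MD5"]))
    return client_check(offered, sh), sh

def logjam_attack(offered, client_check):
    """MITM rewrites the ClientHello to DHE_EXPORT, then rewrites the suite in the
    ServerHello back to the DHE suite the client offered.  The signed 512-bit DH
    parameters pass through untouched (the signature does not cover the suite),
    so a client that only checks the suite name is satisfied.  The Finished MACs
    then disagree, but an attacker who has solved the 512-bit discrete log can
    forge them, which is the Logjam scenario."""
    sh = server(ClientHello(["EXP-EDH-RSA-DES-CBC-SHA"]))
    sh = ServerHello("DHE-RSA-AES128-SHA", sh.key_bits)
    return client_check(offered, sh), sh

def server_refuses_export(hello):
    """Server-side fix: with export suites removed, the tampered hello simply fails."""
    try:
        server(hello, supports_export=False)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for name, attack in (("FREAK", freak_attack), ("Logjam", logjam_attack)):
        for check in (client_any_known_suite, client_offered_suite, client_offered_and_strong):
            ok, sh = attack(CLIENT_OFFER, check)
            print(f"{name}: {check.__name__:26s} -> {sh.cipher_suite} ({sh.key_bits}-bit) "
                  f"{'ACCEPTED' if ok else 'rejected'}")
    print("export disabled on server:", server_refuses_export(ClientHello(["EXP-RC4-MD5"])))
```

The two checks are deliberately separate: matching the negotiated suite against what was offered stops FREAK but not Logjam, because the Logjam MITM makes the suite name look right; only a floor on the parameter size (or, better, no export suites on the server) catches both.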
BEAST
The BEAST attack (Browser Exploit Against SSL/TLS) exploits a weakness in how CBC mode is used in SSL 3.0 and TLS 1.0: each record's initialization vector is the last ciphertext block of the previous record, so it is predictable. Like POODLE, it recovers a cookie byte by byte, but it needs the browser to send attacker-chosen plaintext on the victim's connection (the 2011 demonstration relied on a same-origin bypass), which makes it hard to achieve in practice.
Like the other attacks in this category, BEAST relies on a man-in-the-middle: if client and server both support TLS 1.1 or later, the attacker first forces a downgrade to TLS 1.0 or SSL 3.0. The attacker then mounts a blockwise chosen-plaintext attack. They guess the value of a plaintext block (with one unknown byte at a time), XOR the guess with the preceding ciphertext block and with the predictable next IV, have the browser send the result as the next record, and compare the resulting ciphertext block with the one that contained the secret; a match confirms the guess. The plaintext is recovered this way without the encryption key. The mitigation that browsers shipped, 1/n-1 record splitting, sends the first byte of application data as a record of its own so the IV used for the rest is no longer predictable.
SLOTH
SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes) targets the signature and hash algorithms used in the handshake itself. By forcing the peers down to MD5- or SHA-1-based transcript hashes, or to truncated ones, an attacker can construct transcript collisions and use them to forge handshake signatures: impersonating a client or server, or defeating the handshake's own downgrade protection.
The attack can be mounted against a client or a server independently, or against both. Like the other attacks described above, it relies on a man-in-the-middle for both the downgrade and the subsequent tampering with the handshake.
Downgrade attack prevention
To prevent a downgrade attack, remove the attack vector. If the weakness is support for export-grade cipher suites, stop supporting them. If it is support for previous versions of SSL or TLS, disable those versions: a downgrade can only land on a version the server is still willing to speak.
A secure, stable TLS configuration addresses most of the causes at once. Support only TLS 1.2 and 1.3 (that is, drop backward compatibility with SSL and TLS 1.0/1.1), and offer only strong cipher suites: no export, NULL, RC4, DES/3DES, MD5-based or anonymous suites, with preference for AEAD suites that use ephemeral (EC)DH key exchange for forward secrecy.
Enabling TLS_FALLBACK_SCSV (RFC 7507) is another good step if you do decide to keep older protocol versions. It is a signal the client includes in its cipher suite list when it retries a handshake at a lower version; a server that sees it while it could have negotiated a higher version aborts with an inappropriate_fallback alert instead of accepting the downgrade. This defeats the downgrade dance whether it is caused by a man-in-the-middle or by network trouble, but it does nothing against a client that genuinely supports nothing better. TLS 1.3 builds its own protection in: a server that supports 1.3 but negotiates 1.2 or lower marks the last bytes of its ServerHello random, and a 1.3 client that sees the mark aborts.
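A server-side configuration that implements the advice above, as an added example using Python's standard ssl module (not the article's code), together with a small audit that lists the suites a downgrade attacker depends on. The legacy cipher list is a constructed sample of what an old configuration enables, and the certificate paths in the comment are placeholders.

```python
"""Hardened TLS server configuration with Python's ssl module, plus an audit of
cipher lists.  Added example, not from the original article.  The legacy cipher
list is a constructed sample written in OpenSSL's cipher naming; the certificate
paths in the comment are placeholders.
"""
import ssl

# Constructed sample: suites an old, backward-compatible configuration enables
LEGACY_CIPHERS = [
    "EXP-RC4-MD5", "EXP-EDH-RSA-DES-CBC-SHA",     # export-grade (FREAK, Logjam)
    "DES-CBC3-SHA", "RC4-SHA",                     # 3DES and RC4
    "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256",   # acceptable / good
]

# Name fragments that mark a suite as export-grade, broken, unauthenticated or MD5-based
WEAK_MARKERS = ("EXP", "RC4", "DES", "NULL", "MD5", "ADH", "AECDH")

def audit_cipher_names(names):
    """Return the suites in `names` that a downgrade attacker could make use of."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]

def hardened_server_context():
    """Server context: TLS 1.2 and 1.3 only, forward-secret AEAD suites, server order."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # no SSL 3.0, TLS 1.0 or 1.1
    # TLS 1.2 suites: ephemeral (EC)DH key exchange with AES-GCM or ChaCha20-Poly1305.
    # The explicit exclusions are belt and braces against a later careless edit.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"
                    ":!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # ctx.load_cert_chain("/path/to/server.crt", "/path/to/server.key")  # placeholders
    return ctx

def enabled_cipher_names(ctx):
    """Suites the context will actually negotiate (TLS 1.3 suites are listed too)."""
    return [c["name"] for c in ctx.get_ciphers()]

def protocol_floor(ctx):
    """Lowest protocol version the context will accept, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name

if __name__ == "__main__":
    print("legacy list, weak suites:  ", audit_cipher_names(LEGACY_CIPHERS))
    ctx = hardened_server_context()
    print("hardened floor:            ", protocol_floor(ctx))
    print("hardened list, weak suites:", audit_cipher_names(enabled_cipher_names(ctx)))
```

The audit is deliberately crude (substring matching on OpenSSL names) but it is the check worth running against whatever your server actually reports, not against the configuration file you think it loaded.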
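The downgrade dance from the section on how the attack works, and the TLS_FALLBACK_SCSV check just described, as an added simulation that is not the article's code. The version numbers and the SCSV value 0x5600 are those of the real protocol (RFC 7507); the Server and Network classes and the browser-style retry loop are simplified stand-ins.

```python
"""The downgrade dance and TLS_FALLBACK_SCSV (RFC 7507), simulated.

Added example, not from the original article.  Version numbers and the SCSV
value are the real ones; Server, Network and the retry loop are simplified
stand-ins for a browser, a TLS server and an attacker's network position.
"""
TLS_FALLBACK_SCSV = 0x5600     # pseudo cipher suite a client adds when it retries lower
VERSIONS = {"SSLv3": 0x0300, "TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}


class Server:
    def __init__(self, supported, honours_scsv=True):
        self.supported = supported        # e.g. ["SSLv3", "TLS1.0", "TLS1.1", "TLS1.2"]
        self.honours_scsv = honours_scsv

    def hello(self, client_max, cipher_suites):
        """Version negotiation: returns the version name, or None for an alert."""
        highest = max(self.supported, key=VERSIONS.get)
        if (self.honours_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and VERSIONS[client_max] < VERSIONS[highest]):
            return None    # RFC 7507: inappropriate_fallback, we support something higher
        for v in sorted(self.supported, key=VERSIONS.get, reverse=True):
            if VERSIONS[v] <= VERSIONS[client_max]:
                return v
        return None        # protocol_version: nothing in common


class Network:
    """The attacker's vantage point: handshakes above `block_above` are dropped,
    which is all a MITM has to do to trigger the dance."""
    def __init__(self, block_above=None):
        self.block_above = block_above

    def deliver(self, server, client_max, cipher_suites):
        if self.block_above and VERSIONS[client_max] > VERSIONS[self.block_above]:
            raise ConnectionError("handshake dropped by attacker")
        return server.hello(client_max, cipher_suites)


def connect(server, network, client_versions, send_scsv):
    """Browser-style fallback: try the highest version and, on a failed handshake,
    retry one version lower.  With send_scsv every retry carries the SCSV."""
    suites = [0xC02F]      # ECDHE-RSA-AES128-GCM-SHA256, standing in for a full list
    for attempt, v in enumerate(sorted(client_versions, key=VERSIONS.get, reverse=True)):
        offered = suites + ([TLS_FALLBACK_SCSV] if send_scsv and attempt > 0 else [])
        try:
            return network.deliver(server, v, offered)   # version name, or None if refused
        except ConnectionError:
            continue                                      # the dance: one version lower
    return None


if __name__ == "__main__":
    legacy = Server(["SSLv3", "TLS1.0", "TLS1.1", "TLS1.2"])
    attacker = Network(block_above="SSLv3")
    everything = list(VERSIONS)
    print("no SCSV, MITM     :", connect(legacy, attacker, everything, send_scsv=False))   # SSLv3
    print("SCSV, MITM        :", connect(legacy, attacker, everything, send_scsv=True))    # None
    print("SCSV, no MITM     :", connect(legacy, Network(), everything, send_scsv=True))   # TLS1.2
    print("TLS1.2-only, MITM :", connect(Server(["TLS1.2"]), attacker, everything, False))  # None
    print("old server, SCSV  :", connect(Server(["TLS1.0"]), Network(), everything, True)) # TLS1.0
```

Two outcomes are worth noting. With the SCSV, the attacked client ends up with no connection rather than an SSL 3.0 one, which is the intended trade. And a server that genuinely supports only TLS 1.0 is unaffected, because the client's first attempt already negotiates TLS 1.0 and no retry (and so no SCSV) is ever sent.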
FAQs
What is a downgrade attack?
A downgrade attack is a scenario in which a malicious actor attempts to force a server or client to use a lower version of a cryptographic protocol (such as TLS or SSL), a cipher suite (such as an export-grade cipher, instead of a standard one), or a connection type (HTTP, instead of HTTPS).
How do downgrade attacks function?
A typical scenario is for attackers to position themselves as a man-in-the-middle (MITM) and interfere with traffic between clients and servers. They can attempt to cause a server or client to downgrade the version of a protocol or cipher. Once the downgrade is successful, they will exploit the vulnerabilities associated with the lower version.
How to protect against downgrade attacks?
Removing backward compatibility and implementing a secure and strong TLS configuration is one of the best steps you can take to protect against downgrade attacks. Implementing TLS_FALLBACK_SCSV is also very useful if you decide to support older protocol versions.
What version of SSL does the POODLE attack downgrade clients to?
The POODLE attack downgrades the connection to SSL 3.0 specifically. Later variants, sometimes called POODLE TLS, need no downgrade at all: they work against TLS 1.0 to 1.2 implementations that fail to check the CBC padding bytes the TLS standard requires them to check.