SSL/TLS Downgrade Attack
What is SSL/TLS Downgrade Attack?
An active man-in-the-middle attack that forces a client and server to negotiate a weaker protocol version, cipher, or key size to enable further compromise.
An SSL/TLS downgrade attack tampers with the handshake, typically by rewriting or blocking the ClientHello or ServerHello from an on-path position, so that the two endpoints settle on a parameter set the attacker can break. Examples include POODLE (forcing a fallback to SSL 3.0 and then using its CBC padding as a padding oracle), FREAK (tricking a client into accepting a 512-bit RSA_EXPORT key that the attacker factors), Logjam (negotiating DHE_EXPORT with 512-bit groups for which a precomputation already exists), and version-fallback abuse, where the attacker drops a client's initial TLS 1.2 handshake so that the browser retries with an older version. Once weakened, the connection is open to known cryptanalysis or key recovery. Defenses include disabling legacy protocols (SSLv2/3, TLS 1.0/1.1) and weak cipher suites (export, RC4, NULL and anonymous suites), enforcing TLS 1.2/1.3, honouring the TLS_FALLBACK_SCSV signaling cipher suite (RFC 7507) so that a server refuses a client that retries at a lower version than the server supports, deploying HSTS so browsers never fall back to plaintext HTTP, and preferring TLS 1.3, which signs the full handshake transcript and places a downgrade sentinel in ServerHello.random, making a silent downgrade from a 1.3-capable server detectable by a 1.3-capable client.
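The negotiation logic behind the two protocol-level defences named above, TLS_FALLBACK_SCSV and the TLS 1.3 downgrade sentinel, as an added example that is not part of the original page or of any TLS library: a toy server and client exchange dict-shaped hellos, and an in-path attacker strips the supported_versions extension from the ClientHello. The version constants and sentinel bytes are the RFC values; the message shape, the function names and the `run` driver are assumptions made for illustration, and there is no cryptography or networking.

```python
"""Toy model of TLS_FALLBACK_SCSV (RFC 7507) and the TLS 1.3 downgrade
sentinel in ServerHello.random (RFC 8446, section 4.1.3).
Added example: messages are plain dicts, no crypto, no network; only the
version-negotiation logic is modelled."""
import os

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
TLS_FALLBACK_SCSV = 0x5600                           # RFC 7507 signaling suite
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")  # "DOWNGRD\x01", RFC 8446
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")  # "DOWNGRD\x00", RFC 8446


class HandshakeFailure(Exception):
    """Stands in for a fatal TLS alert that aborts the handshake."""


def client_hello(client_max, fallback=False):
    """Build a ClientHello. A TLS 1.3 client lists its versions in the
    supported_versions extension; older clients carry only legacy_version.
    fallback=True models a client retrying at a lower version after a failed
    attempt; RFC 7507 says such a retry must include TLS_FALLBACK_SCSV."""
    hello = {"legacy_version": min(client_max, TLS12),
             "cipher_suites": [0x1301, 0xC02F, 0x002F]}   # assumed suite list
    if client_max >= TLS13:
        hello["supported_versions"] = [TLS13, TLS12, TLS11, TLS10]
    if fallback:
        hello["cipher_suites"].append(TLS_FALLBACK_SCSV)
    return hello


def server_hello(hello, server_max=TLS13):
    """Server-side version negotiation with both defences applied."""
    offered = hello.get("supported_versions") or [hello["legacy_version"]]
    client_max = max(offered)
    # RFC 7507: a client signalling fallback while offering less than we
    # support has been pushed down (by an attacker or a broken path): refuse.
    if TLS_FALLBACK_SCSV in hello["cipher_suites"] and client_max < server_max:
        raise HandshakeFailure("inappropriate_fallback")
    chosen = min(client_max, server_max)
    rnd = bytearray(os.urandom(32))
    # RFC 8446: a 1.3-capable server that negotiates lower overwrites the last
    # 8 bytes of its random with a sentinel that a 1.3 client will recognise.
    if server_max >= TLS13 and chosen == TLS12:
        rnd[24:] = DOWNGRADE_TLS12
    elif server_max >= TLS13 and chosen < TLS12:
        rnd[24:] = DOWNGRADE_TLS11
    return {"version": chosen, "random": bytes(rnd)}


def client_verify(client_max, sh):
    """Client side of RFC 8446 4.1.3: a 1.3 client negotiated below 1.3 checks
    the sentinel. If it is present the server is 1.3-capable, so someone in
    the middle removed our supported_versions extension."""
    if (client_max >= TLS13 and sh["version"] < TLS13
            and sh["random"][24:] in (DOWNGRADE_TLS12, DOWNGRADE_TLS11)):
        raise HandshakeFailure("illegal_parameter: downgrade detected")
    return sh["version"]


def mitm_strip_versions(hello):
    """Attacker rewriting the ClientHello in flight: drop supported_versions so
    the server believes it is talking to a TLS 1.2 client."""
    tampered = dict(hello)
    tampered.pop("supported_versions", None)
    return tampered


def run(client_max, server_max, mitm=False, fallback=False):
    """Run one handshake; returns ("ok", version) or ("abort", reason)."""
    ch = client_hello(client_max, fallback)
    if mitm:
        ch = mitm_strip_versions(ch)
    try:
        sh = server_hello(ch, server_max)
        return ("ok", client_verify(client_max, sh))
    except HandshakeFailure as exc:
        return ("abort", str(exc))


if __name__ == "__main__":
    print(run(TLS13, TLS13))                 # ('ok', 772)
    print(run(TLS13, TLS12))                 # ('ok', 771): server genuinely lacks 1.3
    print(run(TLS13, TLS13, mitm=True))      # ('abort', 'illegal_parameter: downgrade detected')
    print(run(TLS12, TLS13, fallback=True))  # ('abort', 'inappropriate_fallback')
    print(run(TLS10, TLS13, mitm=True))      # ('ok', 769): a legacy client cannot tell
```

The second and third runs are the point of the sentinel: the client can distinguish a server that cannot speak TLS 1.3 from one that was prevented from doing so. The last run is the caveat: a client that never offered TLS 1.3 (and never sends the SCSV) gets no protection from either mechanism, which is why disabling legacy versions outright remains the primary control rather than relying on detection.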
● Examples
- 01
POODLE forcing browsers to fall back to SSL 3.0 to exploit padding weaknesses (CVE-2014-3566).
- 02
An on-path attacker rewriting the ClientHello so that the server selects an RSA_EXPORT suite and sends a 512-bit export key, which a buggy client accepts even though it never offered export suites; the attacker factors the key and decrypts the session (FREAK, CVE-2015-0204).
● Frequently asked questions
What is SSL/TLS Downgrade Attack?
An active man-in-the-middle attack that forces a client and server to negotiate a weaker protocol version, cipher, or key size to enable further compromise. It belongs to the Attacks & Threats category of cybersecurity.
What does SSL/TLS Downgrade Attack mean?
An active man-in-the-middle attack that forces a client and server to negotiate a weaker protocol version, cipher, or key size to enable further compromise.
How does SSL/TLS Downgrade Attack work?
An SSL/TLS downgrade attack tampers with the handshake, typically by rewriting or blocking the ClientHello or ServerHello from an on-path position, so that the two endpoints settle on a parameter set the attacker can break. Examples include POODLE (forcing a fallback to SSL 3.0 and then using its CBC padding as a padding oracle), FREAK (tricking a client into accepting a 512-bit RSA_EXPORT key that the attacker factors), Logjam (negotiating DHE_EXPORT with 512-bit groups for which a precomputation already exists), and version-fallback abuse, where the attacker drops a client's initial TLS 1.2 handshake so that the browser retries with an older version. Once weakened, the connection is open to known cryptanalysis or key recovery. Defenses include disabling legacy protocols (SSLv2/3, TLS 1.0/1.1) and weak cipher suites (export, RC4, NULL and anonymous suites), enforcing TLS 1.2/1.3, honouring the TLS_FALLBACK_SCSV signaling cipher suite (RFC 7507) so that a server refuses a client that retries at a lower version than the server supports, deploying HSTS so browsers never fall back to plaintext HTTP, and preferring TLS 1.3, which signs the full handshake transcript and places a downgrade sentinel in ServerHello.random, making a silent downgrade from a 1.3-capable server detectable by a 1.3-capable client.
How do you defend against SSL/TLS Downgrade Attack?
Disable SSLv2/SSLv3 and TLS 1.0/1.1 together with export, RC4, NULL and anonymous cipher suites; accept only TLS 1.2 and 1.3; make sure the server honours TLS_FALLBACK_SCSV (and that clients which retry at a lower version send it); deploy HSTS so browsers never fall back to plaintext HTTP; prefer TLS 1.3, whose signed transcript and downgrade sentinel let a client detect handshake tampering; and verify the result by attempting connections with each legacy version and a cipher-suite scanner rather than trusting the configuration file.
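A server-side configuration pair, as an added example not taken from the page: the first block is the kind of nginx TLS configuration that leaves every downgrade above on the table, the second is the hardened form. The file path and the exact suite list are assumptions; adapt them to your OpenSSL build and client population.

```nginx
# BEFORE (assumed legacy config): SSL 3.0, TLS 1.0/1.1 and, on an OpenSSL
# build that still has them, export and RC4 suites are all negotiable, so
# POODLE, FREAK and Logjam style downgrades remain possible.
ssl_protocols               SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                 ALL:!aNULL;
ssl_prefer_server_ciphers   on;

# AFTER: only TLS 1.2/1.3, only AEAD suites with forward secrecy, HSTS on.
ssl_protocols               TLSv1.2 TLSv1.3;
ssl_ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers   off;     # modern clients already rank AEAD suites sensibly
ssl_ecdh_curve              X25519:prime256v1:secp384r1;
# No DHE suite is listed above; if you add one, never use a group under 2048 bits (Logjam).
ssl_dhparam                 /etc/nginx/dhparam-2048.pem;   # assumed path
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
```

Two notes on what this does and does not cover. TLS_FALLBACK_SCSV needs no directive: OpenSSL 1.0.1j and later honour it on the server side automatically. With nginx on OpenSSL 1.1.1 or later, `ssl_ciphers` does not govern TLS 1.3 suites, which are always enabled once `TLSv1.3` is in `ssl_protocols`. To verify, `openssl s_client -connect host:443 -tls1_1` (and `-ssl3` on a build that still supports it) should fail with a protocol-version alert, and `nmap --script ssl-enum-ciphers -p 443 host` should list nothing below TLS 1.2.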
What are other names for SSL/TLS Downgrade Attack?
Common alternative names include: Protocol downgrade, Cipher downgrade.
● Related terms
- attacks № 434
FREAK Attack
A 2015 TLS attack (CVE-2015-0204) that downgrades RSA key exchange to 512-bit export-grade keys and factors them to decrypt sessions.
- attacks № 631
Logjam
A 2015 TLS attack that downgrades Diffie-Hellman key exchange to weak 512-bit export-grade primes and uses precomputation to break them.
- attacks № 786
Padding Oracle Attack
A cryptographic attack (Vaudenay 2002) that decrypts CBC ciphertext when a server reveals whether a tampered message has correct PKCS#7 padding.
- network-security № 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
● See also
- № 941 ROBOT Attack