A downgrade attack is a type of man-in-the-middle (MITM) attack in which a bad actor tricks a system into using an outdated version of an internet protocol, or a weaker encryption method than it would otherwise negotiate. The goal is to weaken the system's protections so that intrusion or data theft is easier as packets (or datagrams) traverse the network.
Downgrade attacks work due to the backwards compatibility of many internet protocols and encryption methods in use. While this enables network communication for a larger number of applications and APIs, effectively powering the web, backwards compatibility introduces notable data security risks.
As a result, the impacts of these attacks can vary widely. It all depends on where the attacker inserts themselves, what application data is being transmitted, and the overall scope of the attack.
How do downgrade attacks work?
Downgrade attacks take different forms depending on the internet protocol or encryption algorithm in use. For example, an attacker might force applications to abandon HTTPS and use unsecured HTTP connections, leaving their traffic unprotected.
Similarly, a successful attacker may force the use of TLS 1.2 instead of TLS 1.3, sidestepping critical security enhancements that patched known (and often exploited) vulnerabilities in prior versions. TLS 1.3 specifically removed support for older cryptographic methods such as SHA-1, RSA key exchange, the RC4 cipher, and others that may be easier for an attacker to exploit.
So, what data is typically at risk? Downgrade attacks cast a wide net of impacts, ranging from personally identifiable information (PII) theft to loss of confidential business intelligence. These attacks can therefore have expensive consequences and undermine individual privacy without users even knowing it.
Common types of downgrade attacks include:
FREAK (Factoring RSA Export Keys) – Forces clients to use weaker encryption by leveraging known vulnerabilities in the algorithm
POODLE (Padding Oracle on Downgraded Legacy Encryption) – Forces browsers to fall back to an older version of TLS or SSL by making it appear that the newer version isn't supported
Logjam – Flaws in RSA and the TLS protocol are used to hijack the message a server uses for key exchange, then replace it with a weaker variant.
SLOTH (Security Losses From Obsolete and Truncated Transcript Hashes) – A man in the middle forces web browsers to rely on older, weaker hashing algorithms.
BEAST (Browser Exploit Against SSL/TLS) – Attackers can decrypt HTTPS client-server sessions and obtain authentication tokens from outdated SSL/TLS products, combining an MITM attack with a boundary attack.
It's challenging to fully summarize the impacts of a downgrade attack, since the methods used and the data at risk vary so widely. However, unauthorized (unintended) system access remains a major concern, and its severity depends on how much freedom of movement the attacker gains once inside. It's generally believed that the greater the downgrade and the older the protocol, the more vulnerable a system is.
Does HAProxy help mitigate downgrade attacks?
Yes! HAProxy load balancing products support HTTP Strict Transport Security (HSTS) to prevent HTTPS downgrades. We also support the latest TLS version while restricting older protocols (such as TLS 1.2) and insecure ciphers. This helps users avoid outdated technologies most susceptible to downgrade attacks.
We also recommend only using strong ciphers to help protect your traffic. You can even dictate how HAProxy refuses or accepts connections that use specific protocol versions, using access control list (ACL) expressions.
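The configuration below is an added example written for this page; it is not taken from HAProxy's own documentation. It ties together the two downgrade paths described above (HTTPS to HTTP, and TLS 1.3 to TLS 1.2) with the HAProxy controls just mentioned: a minimum TLS version and strong cipher lists, an HTTPS redirect plus an HSTS header, and an ACL on the negotiated protocol version. The certificate path, the backend address, and the /admin path are placeholders chosen for the example.

```haproxy
global
    # Server-wide defaults for every "bind ... ssl" line.
    # Weak setting shown for contrast only: "ssl-min-ver TLSv1.0" would accept
    # the SSL/TLS versions that POODLE- and BEAST-style attacks rely on.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # TLS 1.2 cipher list: forward-secret AEAD suites only
    # (no RC4, no RSA key exchange, no CBC/SHA-1 suites)
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # TLS 1.3 suites are configured with a separate directive
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    # Placeholder certificate path; use your own PEM bundle
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/example.pem alpn h2,http/1.1

    # 1. Plaintext requests are redirected to HTTPS before any application
    #    data is exchanged, so a request that was stripped to HTTP never
    #    reaches the backend in the clear.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # 2. HSTS: once a browser has seen this header it refuses to speak plain
    #    HTTP to this host for max-age seconds, even if a MITM tries to
    #    redirect it. Sent only over TLS, since browsers ignore it on HTTP.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains" if { ssl_fc }

    # 3. ACLs on the negotiated TLS version. ssl_fc_protocol returns a string
    #    such as "TLSv1.2" or "TLSv1.3". Here TLS 1.2 is treated as legacy
    #    and refused on the placeholder /admin path while still being allowed
    #    for the rest of the site.
    acl legacy_tls  ssl_fc_protocol -m str TLSv1.2
    acl admin_path  path_beg /admin
    http-request deny deny_status 403 if legacy_tls admin_path

    # 4. Pass the negotiated version to the backend so that a sudden rise in
    #    TLS 1.2 sessions from clients that normally use 1.3 can be logged
    #    and alerted on as a possible downgrade attempt.
    http-request set-header X-TLS-Version %[ssl_fc_protocol] if { ssl_fc }

    default_backend be_app

backend be_app
    # Constructed backend address for the example
    server app1 10.0.0.10:8080 check
```

Run `haproxy -c -f <file>` to validate the configuration before reloading. Step 3 is the part to adjust to your own risk tolerance: moving the minimum version to TLSv1.3 on the bind line removes the legacy path entirely, while the ACL form lets you refuse older versions only where the data is most sensitive.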
To learn more about downgrade attack protection in HAProxy, check out our HAProxy & HTTP Strict Transport Security (HSTS) blog post or our introduction to ACLs documentation.