{
	"id": "7e16ffe8-fbe1-4d92-b1f0-b85e29d21aba",
	"created_at": "2026-04-06T02:12:26.560157Z",
	"updated_at": "2026-04-10T13:13:04.422047Z",
	"deleted_at": null,
	"sha1_hash": "0416416e64cb540e1a175780b1a94a89f59874be",
	"title": "What is a Downgrade Attack? | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45275,
	"plain_text": "What is a Downgrade Attack? | CrowdStrike\r\nArchived: 2026-04-06 01:54:41 UTC\r\nMaintaining good cybersecurity means protecting against multiple kinds of attack. One of these attack types is\r\ncalled a “downgrade attack.” This form of cryptographic attack is also called a “version rollback attack” or a\r\n“bidding-down attack.” In a downgrade attack, an attacker forces the target system to switch to a lower-quality, less\r\nsecure mode of operation.\r\nDowngrade attacks can take a variety of forms. We’ll talk here about the most common forms of downgrade\r\nattack: the form these attacks can take, what purpose they serve and how they work. Thankfully, downgrade\r\nattacks are well known and well documented at this point, so you don’t have to break new ground in order to\r\nprotect your company against them.\r\nWhat Are Downgrade Attacks?\r\nThe world of cybersecurity is vast and varied, but not all cyberattacks employ the latest techniques and exploits.\r\nDowngrade attacks take advantage of a system’s backward compatibility to force it into less secure modes of\r\noperation. Because they accept either encrypted or unencrypted connections, systems that employ\r\nopportunistic encryption, such as STARTTLS, are at the greatest risk from downgrade attacks.\r\nIn an HTTPS downgrade attack, visitors to your website may be forced to use HTTP connections instead of\r\nHTTPS. A downgrade attack can be a small part of a larger malicious operation, as was the case in 2015 when the\r\nLogjam attack was developed. A TLS downgrade attack such as Logjam allows man-in-the-middle attackers to\r\ndowngrade transport layer security (TLS) connections to 512-bit cryptography, letting the attackers read all data\r\npassed over this insecure connection. 
We’ll explain more about Logjam and other types of downgrade attack in the\r\nnext section.\r\nIn general, any system that employs any form of backward compatibility can be susceptible to a downgrade attack.\r\nThe balance between maximum utility and maximum security is a difficult one to strike: however tempting it may\r\nbe to require your visitors to keep their systems updated, you also want people to be able to access your server using\r\nolder technology.\r\nTypes of Downgrade Attacks\r\nDowngrade attacks can take many forms, but they all have a few elements in common. Most of them are man-in-the-middle attacks (also called MITM attacks). In these attacks, malicious actors place themselves between your\r\nusers and your network.\r\nA few of the best-known downgrade attacks include:\r\nPOODLE: The Padding Oracle on Downgraded Legacy Encryption attack inserts itself into\r\ncommunications sessions, forcing certain web browsers to downgrade to Secure Sockets Layer (SSL) 3.0\r\nwhen TLS is unavailable.\r\nhttps://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/\r\nPage 1 of 3\n\nFREAK: Similar to POODLE, the Factoring RSA Export Keys vulnerability forces clients to use weak\r\nencryption, giving attackers access to data traffic that can then be easily decrypted.\r\nLogjam: A Logjam exploit combines vulnerabilities in RSA with a flaw in the TLS protocol. In Logjam\r\ndowngrade attacks, the message a server sends for key exchange is replaced with a weaker variant.\r\nBEAST: The Browser Exploit Against SSL/TLS targets cipher block chaining (CBC) mode encryption,\r\ncombining a MITM attack with a chosen boundary attack and record splitting. 
This attack can let attackers\r\ndecrypt HTTPS client-server sessions and even obtain authentication tokens in older SSL and TLS products.\r\nSLOTH: Short for Security Losses from Obsolete and Truncated Transcript Hashes, SLOTH attacks\r\nallow a man in the middle to force web browsers to rely on old, weak hashing algorithms.\r\nRisks of Downgrade Attacks\r\nBecause the spectrum of downgrade attacks is so wide, it can be difficult to quantify their risks. A downgrade\r\nattack that forces an older Simple Mail Transfer Protocol (SMTP) version may cause a vastly different level of damage than\r\none that employs a cryptographic attack. In all cases, however, being vulnerable to a downgrade attack also makes\r\nyour server more vulnerable to a wider range of cyberattacks.\r\nThink of a downgrade attack as a lockpick: while using one on someone else’s system is a crime in its own right,\r\nits real danger is what an attacker can do with the access they gain. A downgrade attack can leave all your\r\ncompany’s data vulnerable, from your user account credentials and payment information to your personal medical\r\ndata.\r\nWith every potential downgrade attack, consider what information is at the greatest risk. A system that can be forced to\r\ndowngrade from Kerberos to NTLM, for instance, is vulnerable to many types of brute force and “pass the hash”\r\nattacks. Ask yourself what information hackers may gain access to and lock down the avenues of access to this\r\ninformation.\r\nThe older the protocols you support, the more effective a downgrade attack can be. In an ideal world,\r\nnobody would have to support older versions of TLS, for instance. In practice, however, many networks still have\r\nto support these versions. 
Firms can minimize their level of risk by only allowing backward compatibility in\r\nspecific situations and by enforcing compliance with specific, modern versions of TLS whenever possible.\r\nHow to Protect Against Downgrade Attacks\r\nThe most secure accounts and servers are the ones that anticipate downgrade attacks and proactively protect\r\nagainst them. Prevention is worth more than a cure in this case: keep your TLS configuration as up to date as\r\npossible and remove unnecessary backward compatibility. If you do have to support older versions of the protocol,\r\nyou should always implement TLS_FALLBACK_SCSV as a protective measure.\r\nTLS 1.3 includes proactive downgrade protection mechanisms, ensuring that all participants in a “handshake” are\r\nusing the most current security protocols even if there is a man in the middle monitoring the transmissions.\r\nMore best practices for preventing downgrade attacks include the following:\r\nDo not use language that assures your users of a secure connection unless you require that connection to be\r\non a validated HTTPS session.\r\nPrioritize using web protocols such as HTTP/2 that use only TLS, without providing visitors the ability to\r\ndowngrade.\r\nAbove all, serve as much traffic as you can over TLS, even when that traffic isn’t sensitive. Implementing\r\nTLS as your default method of connection prevents the vast majority of downgrade attacks from taking\r\nhold, no matter what else you do.\r\nOnce you’ve implemented these best practices, you can focus on building infrastructure that detects and mitigates\r\nattempted downgrade attacks as they happen. Keep the version of TLS you use up to date, even when upgrading\r\nmeans putting in a lot of time and effort. Once you do that, you should easily be able to track less secure traffic on\r\nyour servers. 
In turn, this enables you to spot traffic changes and detect man-in-the-middle attackers before they can do\r\nextensive damage to your servers, your reputation and your company as a whole.\r\nCrowdStrike Cyberattack Prevention Solution\r\nDowngrade attacks may seem simple on their own. However, wily attackers can use them as a tool in a much\r\nlarger arsenal, so protecting against these attacks is a critical element of any company’s cybersecurity\r\noperations. If you aren’t sure where to begin when it comes to preventing a downgrade attack, consult with a team\r\nof cybersecurity experts to discover what works well and what elements of your operations you can improve.\r\nCrowdStrike’s expert team proactively hunts, investigates and advises on activity in your environment to ensure\r\ncyber threats are not missed. To learn more about the CrowdStrike Falcon® platform, contact our organization to\r\nschedule a demo or enroll in a trial.\r\nSource: https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/"
	],
	"report_names": [
		"downgrade-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775441546,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0416416e64cb540e1a175780b1a94a89f59874be.pdf",
		"text": "https://archive.orkl.eu/0416416e64cb540e1a175780b1a94a89f59874be.txt",
		"img": "https://archive.orkl.eu/0416416e64cb540e1a175780b1a94a89f59874be.jpg"
	}
}