
POODLE - Bye Bye SSL 3.0

  • 15-10-2014 4:16am
    #1
    Closed Accounts Posts: 1,260 ✭✭✭


    Another pillar of online security falls.
    Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. I discovered this issue in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers).

    SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

    Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

    Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly.

    In the coming months, we hope to remove support for SSL 3.0 completely from our client products.

    Thank you to all the people who helped review and discuss responses to this issue.
    Lots more info.


Comments

  • Registered Users, Registered Users 2 Posts: 52 ✭✭fcerullo


    Disabling SSL3.0 is not always possible (e.g. routers) but for websites and servers that support TLS 1.x it is highly recommended to enforce those protocols.


  • Registered Users, Registered Users 2 Posts: 52 ✭✭fcerullo


    Chrome users that just want to get rid of SSLv3 can use the command line flag --ssl-version-min=tls1 to do so. (We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.)

    In Firefox you can go into about:config and set security.tls.version.min to 1.

    I expect that other browser vendors will publish similar instructions over the coming days.


  • Registered Users, Registered Users 2 Posts: 52 ✭✭fcerullo


    Chrome users that just want to get rid of SSLv3 can use the command line flag --ssl-version-min=tls1 to do so. In Firefox you can go into about:config and set security.tls.version.min to 1.

    I expect that other browser vendors will publish similar instructions over the coming days.

    You want to test your browser for this vulnerability?

    Check this out: www poodletest dot com

    Fabio
    @fcerullo


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    fcerullo wrote: »
    Disabling SSL3.0 is not always possible (e.g. routers) but for websites and servers that support TLS 1.x it is highly recommended to enforce those protocols.

    Correct me if I'm wrong. If I have a slew of devices such as routers, web servers etc, I'm not actually vulnerable to poodle, I should just disable support for SSLv3 because it's the nice thing to do, right?


  • Registered Users, Registered Users 2 Posts: 744 ✭✭✭goose06


    Just checked www.poodletest.com on my phone, HTC One.
    Chrome is not vulnerable but the built in browser is, you'd have thought they'd have shared the info internally to get a fix in place.


  • Registered Users, Registered Users 2 Posts: 52 ✭✭fcerullo


    Hi syklops... if your devices are using SSL3.0, then you are vulnerable to POODLE.


  • Registered Users, Registered Users 2 Posts: 52 ✭✭fcerullo


    Goose, that's interesting.. what is the default browser on the HTC One?


  • Registered Users, Registered Users 2 Posts: 744 ✭✭✭goose06


    fcerullo wrote: »
    Goose, that's interesting.. what is the default browser on the HTC One?

    Thinking about it it's actually the stock HTC browser and not anything to do with google, my mistake :o


  • Registered Users, Registered Users 2 Posts: 51,054 ✭✭✭✭Professey Chin


    goose06 wrote: »
    Thinking about it it's actually the stock HTC browser and not anything to do with google, my mistake :o

    Think that's still based on the AOSP Browser that's been pretty much ignored since chrome became default


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    fcerullo wrote: »
    Hi syklops... if your devices are using SSL3.0, then you are vulnerable to POODLE.
    He's not vulnerable, it's clients using SSL 3 that are, hence asking about disabling it as being the nice thing to do.


  • Registered Users, Registered Users 2 Posts: 51,054 ✭✭✭✭Professey Chin


    Blowfish wrote: »
    He's not vulnerable, it's clients using SSL 3 that are, hence asking about disabling it as being the nice thing to do.

    But if the device is still compatible then a malicious client can force the protocol to downgrade and use SSL 3.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    fcerullo wrote: »
    Hi syklops... if your devices are using SSL3.0, then you are vulnerable to POODLE.

    Are you sure about that? Rob Graham from Errata Security says:
    Heartbleed and Shellshock allowed hacks against servers (meaning websites and such). POODLE allows hacking clients (your webbrowser and such). If Heartbleed/Shellshock merited a 10, then this attack is only around a 5.

    http://blog.erratasec.com/2014/10/some-poodle-notes.html#.VD5SDESqthE

    He goes on to say:
    “This attack is really against clients—you have to worry about it if you’re in a place like Starbucks,” says Rob Graham, CEO of Erratasec. “If you’re at home there’s probably no one man-in-the-middling you except the NSA. So as a home user, you don’t need to panic. As a server [administrator], you probably don’t need to panic if your customers are coming in over home connections. Only if they’re coming in over [something like] a Starbucks Wi-Fi.”

    Professey Chin wrote: »
    But if the device is still compatible then a malicious client can force the protocol to downgrade and use SSL 3.

    I understand that, but what/how is my server vulnerable?


  • Registered Users, Registered Users 2 Posts: 52 ✭✭fcerullo


    Say you have a web server that supports SSL3.0 & TLS 1.x and you install an SSL certificate on it.

    Any client that connects with IE6 for example will be downgraded to SSL3.0 to perform the SSL handshake.

    Any client that connects with latest browsers will negotiate the SSL handshake using TLS 1.x.

    However, the POODLE attack will attempt to downgrade the latest browsers to SSL3.0.

    And when that happens, anyone on the same network will be able to sniff your traffic.

    So, although this problem ultimately affects clients, it originates on the servers.

    If you disable SSL3.0 on the servers, no client will be able to use that protocol.

    I wrote an article on what you could do as an end-user and sys admin here:

    www dot cycubix dot com /?p=132

    Your comments are welcome.

    Fabio
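
The version fallback described in the opening post and the server-side view in the post above, as an added example that is not part of any post in this thread. It is a toy model, not real TLS: `Server`, `browser_connect` and `failed_versions` are hypothetical names, while the version numbers, the TLS_FALLBACK_SCSV value and the alert codes are the real wire values from RFC 7507.

```python
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303  # wire version numbers
TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86      # alert sent when a fallback is refused (RFC 7507)
PROTOCOL_VERSION = 70            # alert: no mutually supported version
AES128_CBC_SHA = 0x002F          # TLS_RSA_WITH_AES_128_CBC_SHA, a CBC suite


class Server:
    """Toy server: a set of enabled versions plus optional SCSV handling."""

    def __init__(self, versions, honours_scsv):
        self.versions = set(versions)
        self.honours_scsv = honours_scsv

    def hello(self, client_version, cipher_suites):
        """Return ("ok", negotiated_version) or ("alert", code)."""
        # RFC 7507 rule: the client says "this is a retry" and we could do better.
        if (self.honours_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and max(self.versions) > client_version):
            return ("alert", INAPPROPRIATE_FALLBACK)
        usable = [v for v in self.versions if v <= client_version]
        return ("ok", max(usable)) if usable else ("alert", PROTOCOL_VERSION)


def browser_connect(server, client_versions, sends_scsv, failed_versions=()):
    """Model retry-with-older-version; return negotiated version or None.

    failed_versions: handshakes at these versions fail in transit
    (constructed stand-in for buggy servers or on-path interference).
    """
    for attempt, version in enumerate(sorted(client_versions, reverse=True)):
        suites = [AES128_CBC_SHA]
        if sends_scsv and attempt > 0:       # SCSV goes only on fallback retries
            suites.append(TLS_FALLBACK_SCSV)
        if version in failed_versions:
            continue                          # browser sees a failure, retries lower
        status, value = server.hello(version, suites)
        if status == "ok":
            return value
        if value == INAPPROPRIATE_FALLBACK:
            return None                       # abort instead of downgrading
    return None


ALL = (SSL3, TLS10, TLS11, TLS12)
TLS_ONLY = (TLS10, TLS11, TLS12)
```

With SSL 3.0 enabled and no SCSV on either side, failing the three TLS attempts lands the connection on SSL 3.0; with SCSV on both sides, or with SSL 3.0 disabled on the server, the same sequence ends with no connection, while a client that only speaks SSL 3.0 still connects to the SCSV server.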


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    fcerullo wrote: »
    Say you have a web server that supports SSL3.0 & TLS 1.x and you install an SSL certificate on it.

    Any client that connects with IE6 for example will be downgraded to SSL3.0 to perform the SSL handshake.

    Any client that connects with latest browsers will negotiate the SSL handshake using TLS 1.x.

    However, the POODLE attack will attempt to downgrade the latest browsers to SSL3.0.

    And when that happens, anyone on the same network will be able to sniff your traffic.

    So, although this problem ultimately affects clients, it originates on the servers.

    I get that it originates on the servers and so, the nice thing to do would be disable ssl3, but I don't care about anyone else, I just care about my webservers. Is there any effect to them by not disabling SSLv3?


  • Registered Users, Registered Users 2 Posts: 52 ✭✭fcerullo


    There is a risk for your users when visiting your webservers to disclose their credentials on a public network.

    Fabio


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    fcerullo wrote: »
    There is a risk for your users when visiting your webservers to disclose their credentials on a public network.

    Fabio

    That's what I was getting at. If I solely care about my infrastructure, and not the users, I can take several things off my to-do list by not removing SSLv3 support.

    This is a theoretical scenario as I personally manage only a couple of servers all with SSH and nothing else. It's just I had to shout down a security advisory earlier today saying "Patch your critical hardware now before the sky falls!".

