SSL broken, again, in POODLE attack

Status
Not open for further replies.

issor

Ars Praefectus
5,622
Subscriptor
I actually got an email from Digicert a few hours ago (my certificate provider), warning me about this:

The POODLE vulnerability does not affect your SSL Certificates and you do NOT need to reissue/reinstall your SSL Certificates.

DigiCert and other security experts recommend disabling SSL 3.0 or CBC-mode ciphers with SSL 3.0 to protect against this vulnerability.

Nice to see they are on top of things and notifying us. I normally have to read about them first on sites like Ars.
 
Upvote
60 (60 / 0)

Deleted member 192806

Guest
MyPasswordIs12345678 said (http://meincmagazine.com/civis/viewtopic.php?p=27773393#p27773393):
It's always nice to read that the one secure thing I've always trusted for online purchases is breachable. Hackers are always hacking and getting access to everyone's credit card numbers but they don't ever seem to use this information on a wide scale. I've actually grown apathetic to these reports because, while unnerving to contemplate, nothing big ever happens. I think the odds of my card getting used for identity fraud is very very low, like .001% chance. I think this holds true for everyone too. It happens, but if it happens to you, you have very bad luck.

The trick is to NOT BE UNIQUE! Jane and John Does unite!
 
Upvote
11 (11 / 0)

issor

Ars Praefectus
5,622
Subscriptor
Ars missed their opportunity to bring out their photos of cool attack poodles.

7462.vicious-poodle.jpeg_2D00_550x0.jpg
 
Upvote
86 (87 / -1)
I'm sure that there are some businesses and people who, deep in their belief that "if it ain't (physically) broke, why replace it" and "the money is better spent on executive pay instead of IT improvements", still insist on using XP and Internet Exploder 6 instead of using something from THIS decade, and will scream bloody murder if SSLv3 is turned off.
 
Upvote
53 (57 / -4)

anonArs

Ars Scholae Palatinae
1,229
MyPasswordIs12345678 said (http://meincmagazine.com/civis/viewtopic.php?p=27773393#p27773393):
It's always nice to read that the one secure thing I've always trusted for online purchases is breachable. Hackers are always hacking and getting access to everyone's credit card numbers but they don't ever seem to use this information on a wide scale. I've actually grown apathetic to these reports because, while unnerving to contemplate, nothing big ever happens. I think the odds of my card getting used for identity fraud is very very low, like .001% chance. I think this holds true for everyone too. It happens, but if it happens to you, you have very bad luck.

Are you sure you are even using SSLv3?

Every https site I've checked so far is using TLS
 
Upvote
6 (12 / -6)

MilleniX

Ars Tribunus Angusticlavius
7,816
Subscriptor++
anonArs said (http://meincmagazine.com/civis/viewtopic.php?p=27773433#p27773433):
MyPasswordIs12345678 said (http://meincmagazine.com/civis/viewtopic.php?p=27773393#p27773393):
It's always nice to read that the one secure thing I've always trusted for online purchases is breachable. Hackers are always hacking and getting access to everyone's credit card numbers but they don't ever seem to use this information on a wide scale. I've actually grown apathetic to these reports because, while unnerving to contemplate, nothing big ever happens. I think the odds of my card getting used for identity fraud is very very low, like .001% chance. I think this holds true for everyone too. It happens, but if it happens to you, you have very bad luck.

Are you sure you are even using SSLv3?

Every https site I've checked so far is using TLS
They might well be under normal circumstances, but are you vulnerable to downgrade attacks? What's to stop someone who can MITM you from offering only SSLv3 if both ends will accept that?
 
Upvote
50 (50 / 0)
anonArs said (http://meincmagazine.com/civis/viewtopic.php?p=27773433#p27773433):
MyPasswordIs12345678 said (http://meincmagazine.com/civis/viewtopic.php?p=27773393#p27773393):
It's always nice to read that the one secure thing I've always trusted for online purchases is breachable. Hackers are always hacking and getting access to everyone's credit card numbers but they don't ever seem to use this information on a wide scale. I've actually grown apathetic to these reports because, while unnerving to contemplate, nothing big ever happens. I think the odds of my card getting used for identity fraud is very very low, like .001% chance. I think this holds true for everyone too. It happens, but if it happens to you, you have very bad luck.

Are you sure you are even using SSLv3?

Every https site I've checked so far is using TLS
Unless it's forcibly disabled at at least one end, downgrade attacks are possible.
 
Upvote
71 (72 / -1)
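
The downgrade point made in the two replies above, as an added example that is not part of the original thread: a simplified model of version negotiation in which the client retries with a lower version after a failed handshake. The function names, the version list and the retry order are modelling assumptions.

```python
# Added illustration: simplified model of version negotiation with client
# fallback. Names and retry order are assumptions, not a real TLS stack.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # weakest to strongest
RANK = {name: i for i, name in enumerate(VERSIONS)}


def handshake(offered_max, client_enabled, server_enabled):
    """One handshake attempt.

    The server answers with the highest version it has enabled that does not
    exceed what the client offered. The client accepts only a version it has
    enabled itself. Returns the agreed version, or None if the attempt fails.
    """
    usable = [v for v in server_enabled if RANK[v] <= RANK[offered_max]]
    if not usable:
        return None
    chosen = max(usable, key=RANK.get)
    return chosen if chosen in client_enabled else None


def connect(client_enabled, server_enabled, path_drops_above=None):
    """Connect with fallback: after a failed attempt, retry offering the next
    lower enabled version.

    path_drops_above models an on-path party that makes every handshake
    offering more than this version fail (None means an honest network).
    Returns (agreed_version_or_None, list_of_versions_offered).
    """
    offered_log = []
    for offered in sorted(client_enabled, key=RANK.get, reverse=True):
        offered_log.append(offered)
        if path_drops_above is not None and RANK[offered] > RANK[path_drops_above]:
            continue  # attempt fails in transit, client falls back
        agreed = handshake(offered, client_enabled, server_enabled)
        if agreed is not None:
            return agreed, offered_log
    return None, offered_log


def scenarios():
    """Agreed version per configuration; None means the connection fails."""
    everything = set(VERSIONS)
    tls_only = everything - {"SSLv3"}
    return {
        "honest network, both ends allow SSLv3": connect(everything, everything)[0],
        "interference, both ends allow SSLv3": connect(everything, everything, "SSLv3")[0],
        "interference, client disabled SSLv3": connect(tls_only, everything, "SSLv3")[0],
        "interference, server disabled SSLv3": connect(everything, tls_only, "SSLv3")[0],
    }


if __name__ == "__main__":
    for label, agreed in scenarios().items():
        print(f"{label}: {agreed or 'connection fails (no downgrade)'}")
```

With SSLv3 disabled at either end the interfered connection fails outright instead of settling on SSLv3, which is the outcome a defender wants.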

cozminsky

Seniorius Lurkius
44
ChrisSD said (http://meincmagazine.com/civis/viewtopic.php?p=27773477#p27773477):
I'm glad it's a simple fix for users of modern web browsers. For Firefox you just install the addon, nothing simpler. Unfortunately most users won't know to do this (presumably) and so will be vulnerable until November, assuming they do upgrade then.
No need for an addon. You can also go to about:config and edit the key security.tls.version.min. The description of what value to put in can be found at http://kb.mozillazine.org/Security.tls. ... ir_effects
 
Upvote
28 (28 / 0)

afidel

Ars Legatus Legionis
18,198
Subscriptor
So I've got another thing to hand off to my team while I'm out of town this week =)
Luckily I think we can just change the GPO for the IT testing computers and if nothing breaks for a few days roll it out to the whole company, I'll have to check if the GPO enabled version of Firefox we use has an option for disabling SSLv3, it's really only used for one internal app, but it's better to be thorough.
 
Upvote
-5 (3 / -8)

gpriatko

Ars Tribunus Militum
1,566
There's a very high chance that in the very near future, the majority of websites you visit are going to refuse SSLv3.

Akamai is disabling SSLv3, TLS1.0, and TLS1.1 on their network as I type this.

Some major websites have already disabled SSLv3 on their own (i.e. not waiting for the CDNs to do it).

Akamai carries 30%-40% of the web traffic (globally). Their 'About' page says 30% but they were saying 40% at the conference last week.

FWIW, White Hats are reporting live exploits. They're using the word 'trivial'. It takes less than 60 seconds of traffic to bust a session.
 
Upvote
33 (34 / -1)

slowbuffer

Smack-Fu Master, in training
55
cozminsky said (http://meincmagazine.com/civis/viewtopic.php?p=27773561#p27773561):
ChrisSD said (http://meincmagazine.com/civis/viewtopic.php?p=27773477#p27773477):
I'm glad it's a simple fix for users of modern web browsers. For Firefox you just install the addon, nothing simpler. Unfortunately most users won't know to do this (presumably) and so will be vulnerable until November, assuming they do upgrade then.
No need for an addon. You can also go to about:config and edit the key security.tls.version.min. The description of what value to put in can be found at http://kb.mozillazine.org/Security.tls. ... ir_effects
Thanks for posting this. What would a failure look like?
 
Upvote
0 (0 / 0)

gpriatko

Ars Tribunus Militum
1,566
> Every https site I've checked so far is using TLS

Which TLS?

SSLv3 and TLS1.0 are equally at risk.

TLS1.1 isn't a pretty sight.

TLS1.2 is where we need to be.

Major sites have already converted in the last few hours.

Akamai was going to block SSLv3, TLS1.0, and TLS1.1 next week. They've moved that up to 'right now'. Going to be some long bridge calls tonight ;-)
 
Upvote
11 (18 / -7)

Dasgooch

Wise, Aged Ars Veteran
126
gpriatko said (http://meincmagazine.com/civis/viewtopic.php?p=27773609#p27773609):
> Every https site I've checked so far is using TLS

Which TLS?

SSLv3 and TLS1.0 are equally at risk.

TLS1.1 isn't a pretty sight.

TLS1.2 is where we need to be.

Major sites have already converted in the last few hours.

Akamai was going to block SSLv3, TLS1.0, and TLS1.1 next week. They've moved that up to 'right now'. Going to be some long bridge calls tonight ;-)

I am not sure where you are getting your information from but they are only blocking SSLv3 currently. From my Akamai account notification:

"Please ensure that your origin server can handle TLSv1 or higher for the SSL transactions."

Akamai will disable SSLv3 to origin by default but they will enable with a call to their support. Right now this attack is only affecting SSLv3 and not TLS. TLS1 and TLS1.1 have their own problems but are not susceptible to this.
 
Upvote
20 (20 / 0)

ChrisSD

Ars Tribunus Angusticlavius
6,178
cozminsky said (http://meincmagazine.com/civis/viewtopic.php?p=27773561#p27773561):
ChrisSD said (http://meincmagazine.com/civis/viewtopic.php?p=27773477#p27773477):
I'm glad it's a simple fix for users of modern web browsers. For Firefox you just install the addon, nothing simpler. Unfortunately most users won't know to do this (presumably) and so will be vulnerable until November, assuming they do upgrade then.
No need for an addon. You can also go to about:config and edit the key security.tls.version.min. The description of what value to put in can be found at http://kb.mozillazine.org/Security.tls. ... ir_effects
Thanks. Unlike the add-on, that setting works on Android too. There does not appear to be a way to secure Chrome on Android, so I guess I'll stick with Firefox there too.

Hopefully websites will quickly make this a non issue by disabling SSL3 but for the time being I think I'll be extra cautious.
 
Upvote
5 (5 / 0)
According to the page the article referenced (containing instructions on patching IE and Chrome), they tested the top 1MM Alexa sites and listed those not supporting anything better than SSL3 (said list appears below the instructions). Makes for interesting reading with citibank.com right at the top (although it seems not to be the case any longer having just tried it myself under Firefox limited to TLS1.2). Can't imagine Citi will be happy.


EDIT: Looks like there are a LOT of Citi domains there. Watch out you Citi-folk.

EDIT 2: According to another post below this may not be a problem, but I'd still be cautious if you use any "citi" domain variations.
 
Upvote
9 (9 / 0)

Chilango

Seniorius Lurkius
10
Rosyna said (http://meincmagazine.com/civis/viewtopic.php?p=27773613#p27773613):
slowbuffer said (http://meincmagazine.com/civis/viewtopic.php?p=27773535#p27773535):
Why not just ban Mallory from the internet?

according to the UN, internet access is a fundamental human right.

No matter what Mallory does to Bob or Alice.

Mallory is why we can't have nice things
 
Upvote
20 (21 / -1)

lamawithonel

Wise, Aged Ars Veteran
192
I heard the rumblings about this earlier today and disabled SSLv3 in my browser, but already I've had to re-enable it to book a room with a major hotel chain. It's appalling, really. In this day and age I think browsers ought to throw up a loud warning for sites preferring ciphers older than TLSv1.1-- one version behind current. Nothing gets a manager's attention like the prospective loss of business.

Speaking of this, ZMap, an open source Internet scanning project out of the University of Michigan, did a scan of the top 1 million Alexa-ranked sites. Their findings show a surprising number only use SSLv3. Chief among them: Citi, the financial services company. Here's the link.
 
Upvote
4 (4 / 0)
ChrisSD said (http://meincmagazine.com/civis/viewtopic.php?p=27773639#p27773639):
cozminsky said (http://meincmagazine.com/civis/viewtopic.php?p=27773561#p27773561):
ChrisSD said (http://meincmagazine.com/civis/viewtopic.php?p=27773477#p27773477):
I'm glad it's a simple fix for users of modern web browsers. For Firefox you just install the addon, nothing simpler. Unfortunately most users won't know to do this (presumably) and so will be vulnerable until November, assuming they do upgrade then.
No need for an addon. You can also go to about:config and edit the key security.tls.version.min. The description of what value to put in can be found at http://kb.mozillazine.org/Security.tls. ... ir_effects
Thanks. Unlike the add-on, that setting works on Android too. There does not appear to be a way to secure Chrome on Android, so I guess I'll stick with Firefox there too.

Hopefully websites will quickly make this a non issue by disabling SSL3 but for the time being I think I'll be extra cautious.

Thanks for that! I was wondering what to do with Chrome on my phone. Time to switch to Firefox.
 
Upvote
3 (3 / 0)

anonArs

Ars Scholae Palatinae
1,229
MilleniX said (http://meincmagazine.com/civis/viewtopic.php?p=27773447#p27773447):
anonArs said (http://meincmagazine.com/civis/viewtopic.php?p=27773433#p27773433):
MyPasswordIs12345678 said (http://meincmagazine.com/civis/viewtopic.php?p=27773393#p27773393):
It's always nice to read that the one secure thing I've always trusted for online purchases is breachable. Hackers are always hacking and getting access to everyone's credit card numbers but they don't ever seem to use this information on a wide scale. I've actually grown apathetic to these reports because, while unnerving to contemplate, nothing big ever happens. I think the odds of my card getting used for identity fraud is very very low, like .001% chance. I think this holds true for everyone too. It happens, but if it happens to you, you have very bad luck.

Are you sure you are even using SSLv3?

Every https site I've checked so far is using TLS
They might well be under normal circumstances, but are you vulnerable to downgrade attacks? What's to stop someone who can MITM you from offering only SSLv3 if both ends will accept that?

If someone is MITM'ing your connection to begin with, wouldn't the issue of using SSLv3 almost become moot then?
 
Upvote
-14 (1 / -15)

dadrian

Seniorius Lurkius
1
CaptainTightpants said (http://meincmagazine.com/civis/viewtopic.php?p=27773647#p27773647):
According to the page the article referenced (containing instructions on patching IE and Chrome), they tested the top 1MM Alexa sites and listed those not supporting anything better than SSL3 (said list appears below the instructions). Makes for interesting reading with citibank.com right at the top (although it seems not to be the case any longer having just tried it myself under Firefox limited to TLS1.2). Can't imagine Citi will be happy.


EDIT: Looks like there are a LOT of Citi domains there. Watch out you Citi-folk.

Author of the linked page here, citibank.com is on there because it hosts a URL Redirect to online.citibank.com. While online.citibank.com uses TLSv1.2, the citibank.com server only supports SSLv3.
 
Upvote
16 (16 / 0)

gimfred

Ars Scholae Palatinae
1,484
ChrisSD said (http://meincmagazine.com/civis/viewtopic.php?p=27773639#p27773639):
cozminsky said (http://meincmagazine.com/civis/viewtopic.php?p=27773561#p27773561):
ChrisSD said (http://meincmagazine.com/civis/viewtopic.php?p=27773477#p27773477):
I'm glad it's a simple fix for users of modern web browsers. For Firefox you just install the addon, nothing simpler. Unfortunately most users won't know to do this (presumably) and so will be vulnerable until November, assuming they do upgrade then.
No need for an addon. You can also go to about:config and edit the key security.tls.version.min. The description of what value to put in can be found at http://kb.mozillazine.org/Security.tls. ... ir_effects
Thanks. Unlike the add-on, that setting works on Android too. There does not appear to be a way to secure Chrome on Android, so I guess I'll stick with Firefox there too.

Hopefully websites will quickly make this a non issue by disabling SSL3 but for the time being I think I'll be extra cautious.
Thanks. As a side issue if people use the url http://about:config does it open to the correct page? (just thinking it might be a useful extension --- turn about:config into a url.)
 
Upvote
0 (0 / 0)

ChrisSD

Ars Tribunus Angusticlavius
6,178
Stinkoman said (http://meincmagazine.com/civis/viewtopic.php?p=27773649#p27773649):
Anyone know how to disable SSLv3 in Opera? It doesn't seem to support Chrome's --ssl-version-min option.
Have you tried digging through the advanced settings? There used to be an advanced security option for disabling protocols but I don't know if there's a similar option in newer versions.
 
Upvote
0 (0 / 0)

gpriatko

Ars Tribunus Militum
1,566
>I am not sure where you are getting your information...

Long bridge call with Akamai.

The real time information from the humans is running ahead of what's being put out on the portal.

Nothing unusual about that.


>Akamai will disable SSLv3 to origin by default but they will enable with a call to their support.

Edge to origin is half the question. A lot of people have been TLS only from edge to origin for a long time.
 
Upvote
3 (4 / -1)

ThermalNoise

Smack-Fu Master, in training
90
This is somewhat mitigated by the fact that a lot of sites switched to prefer RC4 over AES-CBC because it prevented the earlier BEAST attack. The POODLE attack will not work against RC4, though RC4 is old and broken in its own (somewhat less catastrophic) ways. Once again goes to show that a good implementation matters much more than a secure encryption primitive. (The more modern AES-CBC has fatal flaws that don't affect RC4, despite its age.)

The real fix is the AES-GCM authenticated-encryption mode, though it is becoming a single point of failure. We need new authenticated-encryption modes for diversity; hopefully NIST approves SHA-3/Keccak for authenticated encryption soon.
 
Upvote
5 (5 / 0)

Yuhong bao

Ars Tribunus Militum
2,217
If you absolutely have to use IE6, go to Internet Options's Advanced tab and check TLS 1.0 and while you are at it uncheck SSL 2.0. But of course the preferred solution is to upgrade and while you are at it please also update to XP SP3 if you haven't already. There is no WGA check in WinXP service pack in general, despite such misconceptions.
 
Upvote
3 (3 / 0)

cozminsky

Seniorius Lurkius
44
anonArs said (http://meincmagazine.com/civis/viewtopic.php?p=27773671#p27773671):
MilleniX said (http://meincmagazine.com/civis/viewtopic.php?p=27773447#p27773447):
anonArs said (http://meincmagazine.com/civis/viewtopic.php?p=27773433#p27773433):
MyPasswordIs12345678 said (http://meincmagazine.com/civis/viewtopic.php?p=27773393#p27773393):
It's always nice to read that the one secure thing I've always trusted for online purchases is breachable. Hackers are always hacking and getting access to everyone's credit card numbers but they don't ever seem to use this information on a wide scale. I've actually grown apathetic to these reports because, while unnerving to contemplate, nothing big ever happens. I think the odds of my card getting used for identity fraud is very very low, like .001% chance. I think this holds true for everyone too. It happens, but if it happens to you, you have very bad luck.

Are you sure you are even using SSLv3?

Every https site I've checked so far is using TLS
They might well be under normal circumstances, but are you vulnerable to downgrade attacks? What's to stop someone who can MITM you from offering only SSLv3 if both ends will accept that?

If someone is MITM'ing your connection to begin with, wouldn't the issue of using SSLv3 almost become moot then?

If they're able to MITM your connection the TLS connections should still be safe as if they were to terminate the TLS connection themselves they would need a certificate that was in your browser's trust store with the correct common name or subject alt name. This would require either compromising the host or tricking a CA into issuing an incorrect certificate.
 
Upvote
12 (12 / 0)

Xiao-zhi

Ars Tribunus Militum
2,621
Yes, let's ban SSLv3 and be done with it already.

But ..... can we replace it with a FUNDED CONSORTIUM product and not keep blaming the 3 guys supporting the net in their spare time?

EDIT:

I know people are going to react to the above and down-rate so let me elaborate:

1. Although TLF is standardized by IETF, in practice TLF is forked all over the map and still, basically, cobbled together as an open sourced, part-timer project with many independent actors.

2. So what I'm suggesting by my obnoxious FUNDED CONSORTIUM is that major stakeholders kick dollars into a consortium with a full time staff to maintain a free and open-sourced but tested and published reference version of TLF just as is basically the case with shrink-wrapped Linux.

Crazy idea, I realize, but so is the carnival side show we have been watching for the past year at who knows what cost.

Just my two cents.

Don't take it personally.

Downrate if you must, but I think I have a point when I look at the 20+ forks of TLF, which is a ridiculous mess.
 
Upvote
-8 (14 / -22)

The_Barbarian

Ars Scholae Palatinae
893
Xiao-zhi said (http://meincmagazine.com/civis/viewtopic.php?p=27773843#p27773843):
Yes, let's ban SSLv3 and be done with it already.

But ..... can we replace it with a FUNDED CONSORTIUM product and not keep blaming the 3 guys supporting the net in their spare time?

EDIT:

I know people are going to react to the above and down-rate so let me elaborate:

1. Although TLF is standardized by IETF, in practice TLF is forked all over the map and still, basically, cobbled together as an open sourced, part-timer project with many independent actors.

2. So what I'm suggesting by my obnoxious FUNDED CONSORTIUM is that major stakeholders kick dollars into a consortium with a full time staff to maintain a free and open-sourced but tested and published reference version of TLF just as is basically the case with shrink-wrapped Linux.

Crazy idea, I realize, but so is the carnival side show we have been watching for the past year at who knows what cost.

Just my two cents.

Don't take it personally.

Downrate if you must, but I think I have a point when I look at the 20+ forks of TLF, which is a ridiculous mess.

You can't even spell it right, and you either don't understand what a fork is or you don't understand what a standard is (or both). I don't think you'll get many positive responses.
 
Upvote
10 (11 / -1)
Developers who take security seriously shouldn't be accepting session keys from any IP address other than the one to which it was originally issued. Yes, this potentially does mean additional login requests for users, but it also mitigates most potential attacks from an issue like this. And it really doesn't happen that often. Most users' IP addresses don't change unless they reboot their modems.

On the sites I develop, someone could get ahold of a session key from one of my sites' clients, but it wouldn't do a lot of good because the instant they try to use it from a different IP address or browser they get logged out. Making this type of attack have limited use against my company.

This technique doesn't cover every scenario, but it sure could be a difficult bar to pass. Someone would have to be on the same network and mimic the user agent string (as well as other browser attributes) to hack into one of my sites.
 
Upvote
-4 (3 / -7)
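
The session binding described in the post above, as an added example that is not the poster's code: a session key is honoured only from the IP address and User-Agent it was issued to, and a mismatch destroys the session. The class name, method names and sample addresses are hypothetical.

```python
import hashlib
import hmac
import secrets


class BoundSessionStore:
    """In-memory session store that ties each session key to the client it
    was issued to (IP address plus User-Agent). Hypothetical illustration."""

    def __init__(self):
        self._mac_key = secrets.token_bytes(32)  # keeps stored bindings opaque
        self._sessions = {}                      # session key -> (user, binding)

    def _binding(self, ip, user_agent):
        # Length-prefix the IP so the two fields cannot run into each other.
        msg = f"{len(ip)}:{ip}{user_agent}".encode("utf-8")
        return hmac.new(self._mac_key, msg, hashlib.sha256).digest()

    def login(self, user, ip, user_agent):
        """Issue a fresh random session key bound to this client."""
        key = secrets.token_urlsafe(32)
        self._sessions[key] = (user, self._binding(ip, user_agent))
        return key

    def check(self, key, ip, user_agent):
        """Return the user for a valid request, else None.

        A known key presented from a different IP or browser is treated as
        stolen: the session is destroyed, so the real user must log in again.
        """
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, binding = entry
        if not hmac.compare_digest(binding, self._binding(ip, user_agent)):
            del self._sessions[key]
            return None
        return user


def replay_outcomes():
    """Constructed sample requests (documentation-range IPs, made-up UAs)."""
    home_ip, other_ip = "203.0.113.7", "198.51.100.9"
    ua, other_ua = "ExampleBrowser/1.0", "OtherBrowser/2.0"
    store = BoundSessionStore()
    results = {}

    key = store.login("alice", home_ip, ua)
    results["owner, same client"] = store.check(key, home_ip, ua)
    results["stolen key, other IP"] = store.check(key, other_ip, ua)
    results["owner after mismatch"] = store.check(key, home_ip, ua)

    key = store.login("alice", home_ip, ua)
    results["stolen key, other browser"] = store.check(key, home_ip, other_ua)

    key = store.login("alice", home_ip, ua)
    # Same network and same User-Agent: the binding cannot tell them apart.
    results["stolen key, same IP and UA"] = store.check(key, home_ip, ua)
    return results


if __name__ == "__main__":
    for label, user in replay_outcomes().items():
        print(f"{label}: {user or 'rejected'}")
```

The last case is the limit the post itself names: a request from the same network with the same User-Agent passes the check.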

PhilipStorry

Ars Scholae Palatinae
1,194
Subscriptor++
CaptainTightpants said (http://meincmagazine.com/civis/viewtopic.php?p=27773647#p27773647):
According to the page the article referenced (containing instructions on patching IE and Chrome), they tested the top 1MM Alexa sites and listed those not supporting anything better than SSL3 (said list appears below the instructions). Makes for interesting reading with citibank.com right at the top (although it seems not to be the case any longer having just tried it myself under Firefox limited to TLS1.2). Can't imagine Citi will be happy.


EDIT: Looks like there are a LOT of Citi domains there. Watch out you Citi-folk.

EDIT 2: According to another post below this may not be a problem, but I'd still be cautious if you use any "citi" domain variations.

I'm no security expert, but it seems to me that none of this should be particularly surprising for anyone who's been watching this kind of thing for long enough. It's public knowledge that SSL/TLS version support has been parlous on the internet for years... But it tends to get reported only dryly, in areas like the release notes for builds of web browsers.

That's certainly where I first came across it, back in 2006. I think I was first alerted by a blog post by Opera's devs - they'd put TLS 1.1 and TLS 1.1. extensions, and it broke lots of things due to bad server-side responses.
Took me a while to find the actual blog post - mostly due to My Opera closing down - I had to find another post that referred to it (https://dev.opera.com/blog/new-in-opera ... 2-support/) and then go to the Wayback Machine:
http://web.archive.org/web/200607141139 ... dml/319177

So, since at least 2006, web browser vendors have known that turning on better security breaks sites, and have resorted to nasty kludges and convoluted code - and code convolution itself can bring security issues, so often the answer was to disable by default...
The most likely causes on the server side are ancient & badly written enterprise software (no names mentioned, you can probably guess accurately enough) or badly configured/broken accelerator hardware or cache layers...

I'd kind of hoped that things have gotten better - maybe they have since 2006, it's difficult to know for sure - but this is an area where an article by a trusted source like Ars might at least help get the problem the visibility it deserves, in order to start shaming the cheapskates^Wnegligent into fixing their infrastructure.

tl;dr: Decent support for later versions of TLS is lacking, especially in larger enterprises. This is widely talked about, but nobody's ever kicked up a fuss because previously compatibility was more important than providing better security. That should change - but don't hold your breath.
 
Upvote
6 (6 / 0)