The POODLE
Google researchers announced that it has discovered a vulnerability (referred to as POODLE) in SSL version 3.0. Bodo Möller of the Google Security Team found the issue along with fellow Googlers Thai Duong and Krzysztof Kotowicz. Makers of web browsers, including Google, are working on a fix.
The exploit first allows attackers to initiate a “downgrade dance” that tells the client that the server doesn’t support the more secure TLS (Transport Layer Security) protocol and forces it to connect via SSL 3.0. From there a man-in-the-middle attack can decrypt secure HTTP cookies. Google calls this the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.
In other words, your data is no longer encrypted. Google researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz recommend disabling SSL 3.0 on servers and in clients. The server and client will default to the more secure TSL and the exploit won’t be possible.
TLS_FALLBACK_SCSV And Chromium Patcha
For end users, if your browser supports it, disable SSL 3.0 support or better yet use tools that support TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value), it prevents downgrade attacks. Google says that it will begin testing Chrome changes that disable using SSL 3.0 fallback and it will remove SSL 3.0 support completely from all its products in the coming months. In fact, there’s already a Chromium patch available that disables SSL 3.0 fallback.
Mozilla's Plan
In response to today’s news, Mozilla plans to turn off SSL 3.0 in Firefox. “SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25,” said Mozilla in a post. The code to disable the protocol will be available tonight via Nightly.
SSL Version Control
Anyone interested in disabling SSL 3.0 right now can do so with the SSL Version Control add on for Firefox.
Introduced in 1996, SSL protocol is supposed to allow for communication without fear of eavesdropping because the information being shared is encrypted. When a client (browser, apps etc,) pings a server they engage in a security handshake that creates keys to encrypt and decrypt information sent back and forth.
Microsoft had this to say:
Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Post a Comment