{"id":3810,"date":"2014-10-16T06:23:57","date_gmt":"2014-10-15T22:23:57","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3810"},"modified":"2015-09-09T19:36:44","modified_gmt":"2015-09-09T11:36:44","slug":"everything-need-know-poodle-sslv3-vulnerability","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2014\/10\/everything-need-know-poodle-sslv3-vulnerability\/","title":{"rendered":"Everything You Need To Know About POODLE SSLv3 Vulnerability"},"content":{"rendered":"<p>So yah, it&#8217;s been quite a year &#8211; not long after <a href=\"https:\/\/www.darknet.org.uk\/2014\/04\/heartbleed-bug-ssl-vulnerability-everything-need-know\/\">Heartbleed<\/a> and then <a href=\"https:\/\/www.darknet.org.uk\/2014\/09\/everything-need-know-shellshock-bug-bash\/\">Shellshock<\/a> we now have POODLE SSLv3 vulnerability.<\/p>\n<p>Yes, that&#8217;s right &#8211; POODLE. It is actually an acronym this time though, yay (<strong>P<\/strong>adding <strong>O<\/strong>racle <strong>O<\/strong>n <strong>D<\/strong>owngraded <strong>L<\/strong>egacy).<\/p>\n<p align=\"center\"><img decoding=\"async\" src=\"https:\/\/farm6.staticflickr.com\/5597\/15521739146_befd3e6c86.jpg\" alt=\"POODLE SSLv3 Vulnerability\" \/><\/p>\n<p>Is it a huge risk? Not really as it doesn&#8217;t allow any type of remote exploitation, it does however allow for SSLv3 Man-in-the-middle (MITM) attacks though &#8211; which is not good. It&#8217;s a fundamental design flaw in SSL\/TLS which authenticates before encrypting.<\/p>\n<blockquote><p>Researchers have discovered a security vulnerability in SSL 3.0 that allows attackers to decrypt encrypted website connections.<\/p>\n<p>Miscreants can exploit a weakness in the protocol&#8217;s design to grab victims&#8217; secret session cookies. These can be used to log into online accounts, such as webmail, social networks, and so on. The attack is, we&#8217;re told, easy to perform, and can be done on-the-fly using JavaScript \u2013 provided you can intercept the victim&#8217;s packets, perhaps by setting up a malicious Wi-Fi point in a cafe or bar.<\/p>\n<p>SSL is supposed to encrypt your communications, such as your connection to your bank&#8217;s website, so eavesdroppers can&#8217;t steal or tamper with your sensitive information while it&#8217;s in transit. Google revealed details of the design flaw on Tuesday, and dubbed it POODLE \u2013 short for Padding Oracle On Downgraded Legacy Encryption. It is a blunder within the blueprints of SSL 3.0 rather than a software bug, so it affects any product following the protocol \u2013 from Google Chrome and Mozilla Firefox to Microsoft Internet Explorer.<\/p><\/blockquote>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<p>To fix it in nginx use the following options:<\/p>\n<pre>ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<\/pre>\n<p>For Apache:<\/p>\n<pre>SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2<\/pre>\n<p>Basically, disable SSLv3.<\/p>\n<p>Stats on SSLv3 usage can be found here &#8211; <a href=\"https:\/\/zmap.io\/sslv3\/\">POODLE Attack and SSLv3 Support Measurement<\/a><\/p>\n<p>CloudFlare also noted only 0.65 percent of the HTTPS encrypted traffic on CloudFlare\u2019s network uses SSL 3. (which is a good sign) and shows this should not have a massively wide spread effect.<\/p>\n<blockquote><p>Google security bod Bodo M\u00f6ller explains that snoopers can trigger network faults to push web browsers into using SSL 3.0, an 18-year-old protocol that should have been binned long ago. Ideally, the browser should be using the superior encryption protocol TLS, which does not suffer from the POODLE shortcoming.<\/p>\n<p>&#8220;Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue,&#8221; M\u00f6ller said. One simple solution is to stop using SSL 3.0 and instead use TLS only. This applies to web browsers and websites.<\/p>\n<p>Google&#8217;s response to the flaw is to scrub SSL 3.0 support from its flagship Chrome browser. Websites and other browsers are also expected to end support for SSL v3 as it&#8217;s now considered insecure by design, and instead enforce the use of TLS for HTTPS connections. Google also recommends browsers and web servers use TLS_FALLBACK_SCSV, the Transport Layer Security Signalling Cipher Suite Value that blocks protocol downgrades.<\/p>\n<p>Doing so will be more effective than simply killing off SSL 3.0 support: that&#8217;s because using this magic value should prevent all future downgrade attacks. Chrome and Google&#8217;s web servers already support TLS_FALLBACK_SCSV, we&#8217;re told.<\/p>\n<p>Websites that end support for SSL v3 will become incompatible with older browsers and OSes \u2013 particularly Internet Explorer 6 and Windows XP. The POODLE vulnerability could well be the final nail in the coffin for machines stuck on IE6 and XP once major websites stop supporting the legacy insecure protocol.<\/p><\/blockquote>\n<p>Firefox has already pushed out an update of their browser with SSLv3 disabled, but only for the nightly build. It will hit the public on November 25th when Firefox 34 is released, their notes are here &#8211; <a href=\"https:\/\/blog.mozilla.org\/security\/2014\/10\/14\/the-poodle-attack-and-the-end-of-ssl-3-0\/\">The POODLE Attack and the End of SSL 3.0<\/a>.<\/p>\n<p>There&#8217;s a good technical analysis of the flaw here: <a href=\"https:\/\/www.imperialviolet.org\/2014\/10\/14\/poodle.html\">POODLE attacks on SSLv3<\/a><\/p>\n<p>The full paper is here: <a href=\"https:\/\/www.openssl.org\/~bodo\/ssl-poodle.pdf\">This POODLE Bites: Exploiting The SSL 3.0 Fallback<\/a> [PDF]<\/p>\n<p>If you want to check your servers I suggest using this SSL diagnostic tool which will show you what protocols your setup supports:<\/p>\n<p><a href=\"https:\/\/www.digicert.com\/help\/\">DigiCert\u00ae SSL Installation Diagnostics Tool<\/a><\/p>\n<p>It will also point out if you&#8217;re using SSLv3.0 and mark you as insecure if you are. A secure setup should return the following:<\/p>\n<blockquote><p>\nProtocol Support<\/p>\n<p>TLS 1.2, TLS 1.1, TLS 1.0<\/p><\/blockquote>\n<p>Source: <a href=\"http:\/\/www.theregister.co.uk\/2014\/10\/14\/google_drops_ssl_30_poodle_vulnerability\/\">The Register<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So yah, it&#8217;s been quite a year &#8211; not long after Heartbleed and then Shellshock we now have POODLE SSLv3 vulnerability. Yes, that&#8217;s right &#8211; POODLE. It is actually an acronym this time though, yay (Padding Oracle On Downgraded Legacy). Is it a huge risk? Not really as it doesn&#8217;t allow any type of remote [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"After Heartbleed and Shellshock we now have the POODLE SSLv3 Vulnerability causing havoc on the Internet, get the low-down here & what to do.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[26,10,5],"tags":[4760,4280,4587],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3810"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=3810"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3810\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=3810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=3810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=3810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}