Poodle – SSL Security Threat Explored

Poodle is a breed of dog with legs that resembles cotton candies. It is intelligent and a regular staple at dog shows. Even the most friendly dogs have the propensity to bite.

 Now we see all kinds of security alerts and snafus likes heartbleed and shell shock!!! The latest in addition is POODLE.

All of this started when a team in Google developed and tested an attack named POODLE (Padding Oracle On Downgraded Legacy Encryption) which uncovered vulnerability in  Secure Sockets Layer (SSL) version 3 protocol or in short SSLv3.

SSLv3 is an obsolete but still used encryption in both older and new web browsers. 

(It is an 18-year-old protocol which was replaced by the TLS protocol)
POODLE tries to force the connection between your web browser and the server to downgrade  to SSLv3. 

The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then uses this new vulnerability to decrypt select content within the SSL session. 

The decryption is done byte by byte and will generate  large number of connections between the client and server.

How do they do it?

An attacker can run a JavaScript agent on a website to get the victim’s browser to send cookie ­with HTTPS requests to https://xyz.com, intercept and modify the SSL records sent by the browser in such a way that there’s a non­-negligible chance that xyz.com will accept the modified record. 

If the modified record is accepted, the attacker can decrypt one byte of the cookies.

TLS 1.0 and newer versions perform more robust validation of the decrypted data and as such are not susceptible to the same problem. But for SSLv3 there’s no solution.

How bad is this and how does this affect you?

Secure connections primarily use TLS (the successor to SSL), most users become vulnerable because web browsers and servers will downgrade to SSLv3 if there are problems negotiating a TLS session. 

Most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience.

An attacker performing a man-in-the-middle attack could trigger a protocol downgrade to SSLv3 and exploit this vulnerability to decrypt a subset of the encrypted communication and extract information from it. 

The POODLE vulnerability only works if the browser of the client and the server’s connection are both supporting SSLv3.

How to test if my browser is vulnerable ?

Go to poodletest.com website to test this.  If you see a cute poodle, you are vulnerable. If you see a  Springfield Terrier, you are safe.
http://www.bolet.org/TestSSLServer/
http://code.google.com/p/sslaudit/

What can I do to prevent this? Poodle vaccine?

As a end user, disable SSLv3 support in your web browser. If it’s disabled, POODLE can NOT downgrade your browser to it. 

To encourage security best practices I would strongly recommend using the highest version of TLS . For most browsers this should be TLS 1.2.

Will this affect my browsing experience?

This will have an impact on some older browsers. Websites that has already ended support for SSLv3 will become incompatible with older browsers and operating systems.

Old browsers like Internet Explorer 6 running on Windows XP or older versions will see an SSL connection error.

SSL v3 will be disabled by default in future releases of many web browsers.

How to disable this at the server?

CloudFlare announced that it was disabling SSLv3 by default from its servers. So did many service providers.

If you are running Apache, just make this change in your configuration among the other SSL directives:

SSLProtocol All -SSLv2 -SSLv3
This disables SSL protocol versions 2 and 3.

How can developers prevent this?
.NET

Use the SecurityProtocol property to enable TLS.
For details on how to use the SecurityProtocol property, visit:
http://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.securityprotocol(v=vs.110).as…
http://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.110).aspx
As an example, to force TLS 1.2 in a C# .NET implementation, you’d use:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

JAVA

NOTE: TLS 1.2 was first supported in JDK 7, and will be default in JDK 8: https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls

Use the SSLContext.getInstance method to enable TLS.
For details on how to use the SSLContext.getInstance method, visit:

http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLContext.html#getInstance(java.lang.String)
http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLContext.html#getInstance(java.lang.String,…
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
For example, to use the default security layer provider to enable TLS, you’d use:
object = SSLContext.getInstance(“TLS”);

To force TLS 1.2 while using Sun’s Java Secure Socket Extension (JSSE), you’d use:

object = SSLConnect.getInstance(“TLSv1.2″, “SunJSEE”);
cURL

Use the CURLOPT_SSLVERSION option to enable TLS.
For details on how to use the CURLOPT_SSLVERSION option, visit:
http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
As an example, to force cURL to use TLS 1.0 or later, you’d use:
C/C++/C#:
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
PHP:

curl_setopt($curl_request,CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
In cURL 7.34.0 or later, to force TLS 1.2, you’d use:
C/C++/C#:
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
PHP:
curl_setopt($curl_request, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

As soon as the news was out, InstaCarma team geared up in full defence mode to plug all holes that were left open by this vulnerability. 

Security specialists started sweeping through all shared-hosting and dedicated servers, VPSs etc. We assisted our clients by educating their customers about the security implications.

Source : InstaCarma

Comments

Post a Comment

Popular posts from this blog

DevOps Basics You Should Know Before Adopting Services

Before you consider   D evOps service   for your organization to embrace this new approach, it is critical for you to develop at least a basic understanding of what all it takes for the holistic implementation of devOps for your organization. Just like agile, the adoption of devOps also involves embracing a set of practices that result from an organizational attitude, philosophy and culture. This is the reason why adopting devOps can be a bit misleading since the organizations are likely to undertake a few of the devOps related activities according to their understanding of it, and thereby, start believing that they have implemented it successfully – regardless of whether these activities define devOps or not. By this, we mean to say that more than being just a set of activities, devOps is a cultural change that an organization needs to make, for embracing it wholeheartedly. So, exactly what all does the devOps culture comprise of? To get there, we need to understand what m...
Read more

Quality 24/7 Outsourcing Technical Support

Image
The market is abound with web hosting service providers who claim to offer 24*7 outsourcing technical support for your web hosting business. Amidst the multiple technical support providers of seemingly similar offerings and promises of high service quality, you are bound to use your judgment to decide which would be the best one to meet your business needs and adequately address to the needs of your clientèle as well. And then, at the end of the day, does ‘availing a 24*7 support provider’ necessarily translate into getting to on-board the support staff for ‘instant and anytime availability’? Not always! So, what all are the challenges that you might encounter on your way to realistically finding a services provider that just about fits the bill for your business needs? We have compiled a list of all such challenges that you must be aware of, well in advance, to help you compare and make an informed decision with ease. 1. Round-the-clock support usually transla...
Read more

Outsourcing Your IT Support Is The Best Decision For Your Business

Outsourcing has always been a strategic move by companies for streamlining the business processes and reducing capital and overhead costs. But in the last decade, outsourcing has seen a great rise in the technical support area and is expected to grow by another 6 percent in the next two years. This rise in  technical support outsourcing  can be attributed to the bloom and growth of the digital era. More organizations are making high-standard IT and infrastructure their competitive edge and riding on the efficiency and cost-reducing benefits of outsourcing to pull ahead of the crowd. For every company, the factors involved in outsourcing a project is different. These should be assessed and understood at the company level with a professional & credible IT support provider. The benefits of outsourcing IT, however, are more or less the same. We spoke to a few entrepreneurs and senior project managers who chose to outsource their managed IT needs and given below are the...
Read more