Teddy Rogers Posted October 15, 2014 Share Posted October 15, 2014 This POODLE Bites: Exploiting The SSL 3.0 Fallback Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. I discovered this issue in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers).SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly.In the coming months, we hope to remove support for SSL 3.0 completely from our client products.Thank you to all the people who helped review and discuss responses to this issue. http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html Ted.ssl-poodle.pdf Link to comment Share on other sites More sharing options...
Teddy Rogers Posted October 15, 2014 Author Share Posted October 15, 2014 Some more reading... https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.htmlhttps://www.imperialviolet.org/2014/10/14/poodle.html A website you can use to check for the vulnerability... https://www.tinfoilsecurity.com/poodle Ted. Link to comment Share on other sites More sharing options...
simple Posted October 15, 2014 Share Posted October 15, 2014 Proof of concept code would be nice : ) Link to comment Share on other sites More sharing options...
SkyProud Posted November 14, 2014 Share Posted November 14, 2014 http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/ Link to comment Share on other sites More sharing options...
SkyProud Posted November 16, 2014 Share Posted November 16, 2014 http://nginx.com/blog/nginx-poodle-ssl/ Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now