topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 1:13 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: SSL broken, again, in POODLE attack  (Read 14065 times)

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
SSL broken, again, in POODLE attack
« on: October 15, 2014, 05:30 PM »
From the researchers that brought you BEAST and CRIME comes another attack against Secure Sockets Layer (SSL), one of the protocols that's used to secure Internet traffic from eavesdroppers both government and criminal.

Calling the new attack POODLE—that's "Padding Oracle On Downgraded Legacy Encryption"—the attack allows a man-in-the-middle, such as a malicious Wi-Fi hotspot or a compromised ISP, to extract data from secure HTTP connections. This in turn could let that attacker do things such as access online banking or e-mail systems. The flaw was documented by Bodo Möller, Thai Duong, and Krzysztof Kotowicz, all of whom work at Google. Thai Duong, working with Juliano Rizzo, described the similar BEAST attack in 2011 and the CRIME attack in 2012.

The attack depends on the fact that most Web servers and Web browsers allow the use of the ancient SSL version 3 protocol to secure their communications. Although SSL has been superseded by Transport Layer Security, it's still widely supported on both servers and clients alike and is still required for compatibility with Internet Explorer 6. SSLv3, unlike TLS 1.0 or newer, omits validation of certain pieces of data that accompany each message. Attackers can use this weakness to decipher an individual byte and time of the encrypted data, and in so doing, extract the plain text of the message byte by byte.

As with previous attacks of this kind against SSL, the most vulnerable application is HTTP. An example attack scenario would work something like this. An adversary (typically in cryptography literature known as Mallory) sets up a malicious Wi-Fi hotspot. That Wi-Fi hotspot does two things. On non-secure HTTP connections, it injects a piece of JavaScript. And on secure HTTP connections, it intercepts the outgoing messages and reorganizes them.


app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #1 on: October 15, 2014, 05:39 PM »
To fix your browser:


« Last Edit: October 15, 2014, 07:52 PM by app103 »

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 3,017
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #2 on: October 15, 2014, 06:15 PM »
Damn.
Since my main box blew up, I have had to use a spare computer with dismal graphics and no way to remedy.  Opera is the only browser that 'behaves' on this box.  Damn.
 :(

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #3 on: October 15, 2014, 06:29 PM »
Damn.
Since my main box blew up, I have had to use a spare computer with dismal graphics and no way to remedy.  Opera is the only browser that 'behaves' on this box.  Damn.
 :(

Windows box? If so, try K-Meleon. If it ran well on my ancient Pentium I with 64mb RAM and the 2mb onboard S3 Trio graphics, it should run well on just about anything better.  ;)

NigelH

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 210
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #4 on: October 15, 2014, 06:31 PM »
To fix your browser:
    ...
    • Opera: You are screwed too.
Perhaps for Chrome based opera?

But for Opera 12.17 or earlier, disabling  "Enable SSL 3"  in Preferences/Advanced/Security/Security Protocols should work.

If not, then it's time to switch permanently to a 2nd rate browser.

PS: Thanks for the Pale Moon tip

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #5 on: October 15, 2014, 06:38 PM »
Thanks for the heads up and browser fix suggestions, app103  :Thmbsup:

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #6 on: October 15, 2014, 06:59 PM »
To fix your browser:
  • Safari users on OSX & iOS: You are pretty much screwed till Apple fixes it for you. Use a different browser.

How do people use different browsers in iOS effectively?

The huge reason I never considered my phone (iPhone) to be a real comp is that while it can do a few fun useful things, it just doesn't do anything that I consider really useful / work.

So I am only a novice at phones, but I've tried to barely keep up on the news. So Apple has made it rather hard to use other browsers than Safari on an iPhone. And despite how ugly Flash is, it does run a few things. So I squeaked by, and got a copy of Photon on my iPhone, that does some sort of "process and pass on" version of Flash.

So, there. That's a different browser. But is it susceptible to this new attack? I have no idea and no idea how to find out. I'm a great test case because I'm sorta smart, and I have first level questions, but these new stories are coming too fast and thick for me to make out.


Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 3,017
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #7 on: October 15, 2014, 07:02 PM »
...
Windows box? If so, ...

Aw, c'mon App, you should know me better by now  :P
I'm 100% Linux and have been for a while.  I think I have XP in a virtual machine around here somewhere...

BTW, the computer I'm on at the moment is a Dell SC1425 server.  Radeon Mobility graphics and one expansion slot which is PCI-X.  

Funny thing, I just fired up Firefox, and while scrolling up and down a page lags like swimming in peanut butter, the Mozilla Bundle game previews play just fine...
 :o

...
Perhaps for Chrome based opera?

But for Opera 12.17 or earlier, disabling  "Enable SSL 3"  in Preferences/Advanced/Security/Security Protocols should work.

If not, then it's time to switch permanently to a 2nd rate browser.

PS: Thanks for the Pale Moon tip

Cool tip Nigel!  For now, Opera 12.17 is the only one available for Linux, so I'll try that out.
 :Thmbsup:

NigelH

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 210
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #8 on: October 15, 2014, 07:11 PM »
Test your browser
https://www.ssllabs.com/

(confirms Opera 12.17 suggestion works).


app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #9 on: October 15, 2014, 07:19 PM »
My first hint about this issue was when my IRC client disconnected from Slack very early this morning and wouldn't reconnect. I thought the issue was on my end, rebooted twice, went googling the error messages I was getting, etc. But it turned out that Slack turned off SSLv3 as soon as they found out about this, and my IRC client didn't support TLS, so I had to go find a version of Xchat that does and doesn't crash when I lose my internet connection. That was a big chunk out of my day today.  :(

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #10 on: October 15, 2014, 07:26 PM »
Wow. This is nasty!

https://scotthelme.c...-kills-off-protocol/

As the POODLE vulnerability is actually in the protocol itself, this isn't something that can be patched out like ShellShock and HeartBleed.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #11 on: October 15, 2014, 07:44 PM »
  • Opera: You are screwed too.

Solved! (solution found here)

1) Find your proper Opera executable folder, e.g. C:\Program Files (x86)\Opera\25.0.1614.50_0
    It is NOT in C:\Program Files (x86)\Opera\
2) Run opera.exe --ssl-version-min=tls1
3) SSL is now turned off. Check it for the vulnerability at the link NigelH posted above.

Screenshot - 2014_10_16 , 11_42_32 AM.png

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #12 on: October 15, 2014, 07:50 PM »
  • Opera: You are screwed too.

Solved! (solution found here)

1) Find your proper Opera executable folder, e.g. C:\Program Files (x86)\Opera\25.0.1614.50_0
    It is NOT in C:\Program Files (x86)\Opera\
2) Run opera.exe --ssl-version-min=tls1
3) SSL is now turned off. Check it for the vulnerability at the link NigelH posted above.
 (see attachment in previous post)


And just like the Chrome fix, you will have to put it in the shortcut you use to launch it, because it has to be done every time you start the browser. It's not a one time fix & forget.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #13 on: October 15, 2014, 08:10 PM »
And just like the Chrome fix, you will have to put it in the shortcut you use to launch it, because it has to be done every time you start the browser. It's not a one time fix & forget.

Whoops. Yes. Good point. You need to create a shortcut for it. A crappy fix, but better than nothing.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #14 on: October 15, 2014, 08:13 PM »
And just like the Chrome fix, you will have to put it in the shortcut you use to launch it, because it has to be done every time you start the browser. It's not a one time fix & forget.

Whoops. Yes. Good point. You need to create a shortcut for it. A crappy fix, but better than nothing.

Also watch out for external links from other apps opening in Opera or Chrome, as they will not launch your browser with the command line parameter.

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #15 on: October 15, 2014, 08:20 PM »
Test your browser
https://www.ssllabs.com/

Nice -- thanks for this.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #16 on: October 15, 2014, 08:57 PM »
Thanks for the heads up  :up:

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #17 on: October 15, 2014, 10:42 PM »
From my understanding, it's only SSLv3... right?  Which shouldn't really be in use?

https://securityblog...ility-cve-2014-3566/

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: SSL broken, again, in POODLE attack
« Reply #18 on: October 15, 2014, 10:50 PM »
From my understanding, it's only SSLv3... right?  Which shouldn't really be in use?

https://securityblog...ility-cve-2014-3566/

Well, v2 shouldn't be in use, either.