
SSL broken, again, in POODLE attack


app103:
From the researchers that brought you BEAST and CRIME comes another attack against Secure Sockets Layer (SSL), one of the protocols that's used to secure Internet traffic from eavesdroppers both government and criminal.

Calling the new attack POODLE—that's "Padding Oracle On Downgraded Legacy Encryption"—the attack allows a man-in-the-middle, such as a malicious Wi-Fi hotspot or a compromised ISP, to extract data from secure HTTP connections. This in turn could let that attacker do things such as access online banking or e-mail systems. The flaw was documented by Bodo Möller, Thai Duong, and Krzysztof Kotowicz, all of whom work at Google. Thai Duong, working with Juliano Rizzo, described the similar BEAST attack in 2011 and the CRIME attack in 2012.

The attack depends on the fact that most Web servers and Web browsers allow the use of the ancient SSL version 3 protocol to secure their communications. Although SSL has been superseded by Transport Layer Security, it's still widely supported on both servers and clients alike and is still required for compatibility with Internet Explorer 6. SSLv3, unlike TLS 1.0 or newer, omits validation of certain pieces of data that accompany each message. Attackers can use this weakness to decipher an individual byte at a time of the encrypted data, and in so doing, extract the plain text of the message byte by byte.

As with previous attacks of this kind against SSL, the most vulnerable application is HTTP. An example attack scenario would work something like this. An adversary (typically in cryptography literature known as Mallory) sets up a malicious Wi-Fi hotspot. That Wi-Fi hotspot does two things. On non-secure HTTP connections, it injects a piece of JavaScript. And on secure HTTP connections, it intercepts the outgoing messages and reorganizes them.
--- End quote ---


http://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/

app103:
To fix your browser:


* Firefox: you can install this add-on: https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
* Pale Moon, K-Meleon, and other Gecko browsers: Go to about:config and set security.tls.version.min to 1 which will disable its ability to communicate over SSLv3.
* IE: see this page: https://technet.microsoft.com/library/security/3009008
* Chrome: https://zmap.io/sslv3/browsers.html#chrome
* Safari users on OSX & iOS: You are pretty much screwed till Apple fixes it for you. Use a different browser.
* Opera: You are screwed too. http://forums.opera.com/discussion/comment/15195025#Comment_15195025 (thanks Renegade!)

Edvard:
Damn.
Since my main box blew up, I have had to use a spare computer with dismal graphics and no way to remedy.  Opera is the only browser that 'behaves' on this box.  Damn.
 :(

app103:
Damn.
Since my main box blew up, I have had to use a spare computer with dismal graphics and no way to remedy.  Opera is the only browser that 'behaves' on this box.  Damn.
 :(
-Edvard (October 15, 2014, 06:15 PM)
--- End quote ---

Windows box? If so, try K-Meleon. If it ran well on my ancient Pentium I with 64mb RAM and the 2mb onboard S3 Trio graphics, it should run well on just about anything better.  ;)

NigelH:
To fix your browser:
...

* Opera: You are screwed too.
-app103 (October 15, 2014, 05:39 PM)
--- End quote ---
Perhaps for Chrome-based Opera?

But for Opera 12.17 or earlier, disabling "Enable SSL 3" in Preferences/Advanced/Security/Security Protocols should work.

If not, then it's time to switch permanently to a 2nd rate browser.

PS: Thanks for the Pale Moon tip
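
One way to confirm that the browser settings discussed in this thread took effect, added here as an example and not part of the original thread: read the version field of a captured ClientHello or ServerHello record and flag SSLv3 (wire version 3.0). The function names are this example's own and the sample records are constructed.

```python
import struct

SSL3 = (3, 0)  # SSLv3 on the wire is 0x0300; TLS 1.0 is 0x0301
NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HELLOS = {1: "ClientHello", 2: "ServerHello"}

def parse_hello(record: bytes):
    """Return (hello kind, (major, minor)) from one unfragmented hello record."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _maj, _min, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 22:  # content type 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) != rlen or rlen < 6:
        raise ValueError("truncated record")
    kind = HELLOS.get(body[0])
    hlen = int.from_bytes(body[1:4], "big")
    if kind is None:
        raise ValueError("not a ClientHello or ServerHello")
    if hlen < 2 or hlen + 4 > rlen:
        raise ValueError("hello fragmented or truncated")
    # The first two bytes of either hello carry the protocol version.
    return kind, (body[4], body[5])

def assess(record: bytes) -> str:
    kind, ver = parse_hello(record)
    if ver == SSL3 and kind == "ServerHello":
        return "FAIL: server selected SSLv3"
    if ver == SSL3:
        return "WARN: ClientHello offers nothing newer than SSLv3"
    return "ok: %s version field %s" % (kind, NAMES.get(ver, "%d.%d" % ver))

def make_hello(htype: int, ver) -> bytes:
    """Build a constructed sample record (zeroed random, one cipher suite)."""
    body = bytes(ver) + bytes(32) + b"\x00"  # version, random, empty session id
    body += b"\x00\x02\x00\x2f\x01\x00" if htype == 1 else b"\x00\x2f\x00"
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(ver) + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for htype, ver in [(1, (3, 3)), (2, (3, 3)), (1, (3, 0)), (2, (3, 0))]:
        print(assess(make_hello(htype, ver)))
```

A browser with SSLv3 disabled should never produce the WARN or FAIL lines, even when a connection attempt at a newer version is made to fail.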
