Signs of Triviality

Opinions, mostly my own, on the importance of being and other things.
[homepage] [index] [jschauma@netmeister.org] [@jschauma] [RSS]

Your POODLE and You

October 15, 2014

A vulnerable Poodle. On 2014-10-14, a vulnerability in the SSLv3 protocol was published. This page is a public version of a blog post I put up at $WORK, to help employees understand the impact of the vulnerability on the company and you personally. It was added here upon request to share the information outside the company.

POODLE? Wtf?

The latest reason to confirm that the internet is once again on fire is a vulnerability in version 3 of the Secure Sockets Layer protocol. This vulnerability is unlike the #heartbleed vulnerability we encountered earlier this year in that it is a flaw in the protocol, not the implementation of a specific library. As such, exploiting POODLE is more similar to the BEAST attack. It is noteworthy because of its widespread impact: every client and server that uses SSLv3 is affected, and the best solution is to turn off SSLv3 altogether. That, however, means that clients that can't speak TLS1.0 or higher will not be able to reach services which have SSLv3 turned off. Microsoft Internet Explorer 6 does not have support for TLS, and has thus been holding back widespread abandonment of SSLv3 despite its (other) known flaws. The name "POODLE" is a backronym for "Padding Oracle On Downgraded Legacy Encryption". This makes POODLE the first SSL vulnerability with its own emoji () -- crucial property in todays fast-paced world!

How does it work?

POODLE is a padding oracle attack on SSLv3, which uses cipher-block chaining (CBC). By making multiple requests with the partial cipher text an attacker may be able to retrieve the plaintext of, for example, an encrypted cookie. The details of how this is accomplished are well described on Adam Langley's always interesting blog.

It's important to note that a successful exploit of this vulnerability requires a Man-in-the-Middle position (in order to trigger the fall-back to SSLv3) as well as, in most cases, the ability to run Javascript in your browser. That is, the complexity to exploit is significantly higher than it was for #heartbleed or #shellshock, for example.

How do you fix it?

A successful attack requires both parties, client and server, to speak SSLv3. Hence, a solution to protecting your services is by not allowing SSLv3 at all. Likewise, as a user, you can turn off SSLv3 in your clients (most notably your browser(s)).

From an end-user perspective, this is trivial: there are very few sites that actually require SSLv3, so turning off support for the old protocol should have no negative consequences for you.

For service owners, there is the risk of dropping some traffic due to ancient clients. As noted above, Internet Explorer 6 is the most notorious example of a client that's still in use and which doesn't support TLS. There may be others, however.

Since part of the attack vector is in forcing a downgrade of the encryption protocol, it is possible to prevent this attack by using the TLS_FALLBACK_SCSV mechanism in newer SSL libraries. This option, described here, has been included in the latest version of OpenSSL as of 2014-10-15.

What about Twitter?

What about me? My browsers, my curl, my children? (Won't somebody think of the children?)

You're right. Now is not the time to be nice to your POODLE. I'm afraid you have to put it down.

That is, your client should be configured to explicitly disable SSLv3. Remember, any tool you have that makes an https call (or an otherwise TLS/SSL protected request, such as for MTAs using STARTTLS), is a "client" in this context. Explicitly enforcing TLS rather than allowing SSLv3 will protect you.

Browsers

Chrome

In order to disable SSLv3 in Google Chrome, you need to invoke it with the --ssl-version-min=tls1 command-line option:

$ open /Applications/Google\ Chrome.app --args --ssl-version-min=tls1

If you are using Quicksilver or Alfred, you can write a simple AppleScript (do shell script "open /Applications/Google\\ Chrome.app --args --ssl-version-min=tls1") to start Chrome. (I currently don't know of any configuration setting you can use to have this be the default.)

Firefox

Go to about:config and set security.tls.version.min to 1:

Firefox Preferences

Safari

You lose.

How to verify

Visit https://poodletest.com. No, I'm serious.

Command-line tools

curl(1)

curl --tlsv1 $URL

For example, the following call, failing to retrieve a vulnerable poodle, shows that your curl(1) correctly refuses to talk SSLv3:

$ curl -v -I --tlsv1 https://sslv3.dshield.org/vulnpoodle.png
* Adding handle: conn: 0x7fde44003a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fde44003a00) send_pipe: 1, recv_pipe: 0
* About to connect() to sslv3.dshield.org port 443 (#0)
*   Trying 74.208.162.100...
* Connected to sslv3.dshield.org (74.208.162.100) port 443 (#0)
* Could not negotiate an SSL cipher suite with the server
* Closing connection 0
curl: (35) Could not negotiate an SSL cipher suite with the server

openssl(1)

openssl s_client -no_ssl2 -no_ssl3 -connect $SITE:443

For example, the following call, failing to connect to an SSLv3 site, shows that your client correctly refuses to talk SSLv3:

$ openssl s_client -no_ssl3 -connect sslv3.dshield.org:443
CONNECTED(00000003)
10123:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported
protocol:/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s23_clnt.c:558:
$

I just want the links!

Here you go. I'm sure they all have hilarious dog photos, so if nothing else you get that:

I can haz Fun Fact?

  • Poodles were bred to retrieve water fowl. Their fur was shaved to make the poodle lighter in the water, but to keep it warm on the upper body.
  • Your @emergencypuppy might as well be a "teacup poodle".
  • "Poodle" is also a political insult.
Poodle

October 15, 2014
[On Peter Principles and Failing to Fail] [Index] [lish(1) -- a limited shell]