Barclays, Halifax and Tesco still being gnawed by POODLE

Major banks are still open to POODLE attacks months after being called out as vulnerable. The POODLE (Padding Oracle On Downgraded Legacy Encryption) security flaw surfaced in October and affects the Secure Sockets Layer (SSL) 3.0 protocol and versions of TLS (Transport Layer Security). Ivan Ristic's SSL Labs site revealed at …
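The flaw the article names, as an added example that is not part of the original page and is not any bank's or SSL Labs' code: a toy model of the SSL 3.0 CBC record layer next to a TLS 1.0-style receiver, with the POODLE block-moving attack run against both. The cipher is a four-round SHA-256 Feistel network standing in for AES or 3DES so that only Python's standard library is needed, the IV is explicit rather than SSL 3.0's chained IV (which does not change the attack), and the keys, the secret cookie and the request layout are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16     # block size of the toy cipher
MAC_LEN = 20   # HMAC-SHA1, as in the SSL 3.0 / TLS 1.0 *_SHA suites

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Round function of the toy 4-round Feistel "block cipher" (stand-in for AES/3DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, blocks[i]), blocks[i - 1]) for i in range(1, len(blocks)))

def seal(enc_key, mac_key, data):
    """Sender: MAC, then pad, then CBC-encrypt under a fresh random IV."""
    body = data + hmac.new(mac_key, data, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK
    # SSL 3.0 leaves the pad bytes undefined; TLS-style bytes are written so both receivers accept it.
    body += bytes([pad_len]) * (pad_len + 1)
    return cbc_encrypt(enc_key, os.urandom(BLOCK), body)

def unseal(enc_key, mac_key, ct, check_all_padding):
    """Receiver: True if the record is accepted. SSL 3.0 inspects only the final
    (pad-length) byte; TLS 1.0 requires every padding byte to equal pad_len."""
    pt = cbc_decrypt(enc_key, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    if check_all_padding and pt[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return False
    body = pt[:-(pad_len + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha1).digest())

SECRET = b"session=4f3c9a1b"   # constructed cookie the attacker wants to read

def victim_request(prefix_len):
    """What attacker-controlled JavaScript makes the browser send: the attacker picks the
    prefix length and pads the tail so data + MAC fills whole blocks, which makes the
    final block pure padding with pad_len == BLOCK - 1."""
    body = b"A" * prefix_len + SECRET
    return body + b"B" * ((-(len(body) + MAC_LEN)) % BLOCK)

def poodle_recover_byte(oracle, send, index, max_tries=30000):
    """Recover SECRET[index] from an accept/reject oracle; about 256 records on average."""
    prefix_len = (BLOCK - 1 - index) % BLOCK     # park the target byte last in its block
    t = (prefix_len + index) // BLOCK + 1         # 1-based ciphertext block holding it
    for _ in range(max_tries):
        ct = send(prefix_len)
        blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]   # blocks[0] is the IV
        forged = b"".join(blocks[:-1]) + blocks[t]   # overwrite the all-padding block with C_t
        if oracle(forged):
            # Accepted only if D(C_t)[15] ^ C_{n-1}[15] == BLOCK - 1, and D(C_t) = P_t ^ C_{t-1}.
            return (BLOCK - 1) ^ blocks[t - 1][-1] ^ blocks[-2][-1]
    return None

def demo():
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    send = lambda n: seal(enc_key, mac_key, victim_request(n))
    sslv3 = lambda ct: unseal(enc_key, mac_key, ct, check_all_padding=False)
    tls10 = lambda ct: unseal(enc_key, mac_key, ct, check_all_padding=True)
    recovered = bytes(poodle_recover_byte(sslv3, send, i) for i in range(len(SECRET)))
    blocked = poodle_recover_byte(tls10, send, 0, max_tries=2000)   # None: the full check defeats it
    return recovered, blocked

if __name__ == "__main__":
    rec, blocked = demo()
    print("SSL 3.0 receiver leaked:", rec, "| TLS 1.0 receiver leaked:", blocked)
```

The SSL 3.0 receiver checks nothing but the pad-length byte, so when the attacker copies the block holding a secret byte over the all-padding final block, the record is accepted exactly when the decrypted last byte equals 15, and the MAC still verifies because the real data and MAC blocks are untouched. That one bit of feedback leaks a byte per roughly 256 retried requests, and sliding the prefix by one byte walks the whole cookie past the oracle. The TLS 1.0 receiver, which requires every padding byte to match, rejects all of the forged records; TLS implementations that skipped that check were exposed to the same attack.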

  1. Gordon 10 Silver badge

    If I were SSL labs

    I'd pass NAB's request for an exemption on to their local regulator, who I would suspect would take a very dim view of it. If someone offers a presumably free service and they don't want to take advantage of it, they are mad or stupid or negligent, or all three.

  3. Phil O'Sophical Silver badge

    Who's doing the IT for these banks?

    I wonder if there's any correlation between response time to this and in-house/outsourced IT?

    If you have an in-house IT department you can tell them to drop the current work, routine upgrades etc., and get patching. If the fault is in a 3rd-party switch or router and the manufacturer isn't responsive you can swap it out. Some network admin will have to spend a day with the user manual figuring out how to configure it, but overall cost and inconvenience are likely to be low-ish in bank terms.

    If it's all outsourced, you can file a P1 trouble ticket but, assuming you're not the only people impacted, what happens after that is going to depend on where you are in the "big client" pecking order. Also, if the outsourcer has based their business model on using kit from one supplier, and that's what all their support techs are trained in, they'll have little interest in swapping it for a different brand and so making your company the special case that only one re-trained support tech can deal with. They'll just keep stalling until their suppliers come up with a fix. There's almost certainly nothing in your SLA that guarantees a fix to all security issues within, say, 48 hours.

    1. localzuk

      Re: Who's doing the IT for these banks?

      IT in big business has long been the department that gets a beating every time there's any kind of financial strife. Profits dipped? Sack some IT. Regulations increased? Sack some IT. CEO has a headache? Sack some IT.

      IT is seen purely as a cost centre by many bean-counters, rather than a driver of the business. It doesn't have any sales people, therefore it can't be making any money.

      So IT ends up outsourced to the cheapest bidder, or the teams face reorganisation so that the knowledgeable people are made redundant (as they cost too much) and replaced by young, inexperienced people.

  4. Dan 55 Silver badge

    Banks always the last

    If you can count on one kind of website giving you a red shield on Calomel it's a bank website. Given the profits they make year after year you'd think they'd pony up the costs for a decent SSL certificate and the small amount of time it takes to configure the webserver properly.

    And they do the minimum to make it work with browsers; you'd have to be mad to trust a banking app.

  5. adam payne

    More than likely these banks use outsourced IT. When will these big companies learn that outsourcing simply doesn't work.

  6. Thought About IT

    Don't let PayPal off the hook!

    PayPal's email servers won't communicate with TLS protocols; they're still on SSLv3.

  7. Anonymous Coward

    El Reg is not vulnerable....

    ...since it doesn't use SSL for usernames and passwords.

    1. gazthejourno (Written by Reg staff)

      Re: El Reg is not vulnerable....

      Yes, and? This is a discussion board with no private-messaging facility. Everything you post on here is public, except for the ranty/legally troublesome stuff that me and the other mods remove. What good would implementing SSL achieve?

      I've said it before, I'll say it again. If you're reusing your El Reg login creds elsewhere, you're doing it ALL wrong.

      1. I don't have a handle

        Re: El Reg is not vulnerable....

        "I've said it before, I'll say it again. If you're reusing your El Reg login creds elsewhere, you're doing it ALL wrong."

        You have to be honest though. What AC stated is true and really it does not call for a presumptuous, hypothetical and seemingly defensive retort.

        In my world, requiring users to enter personal information such as first name, last name, email address, password, job role etc when registering without tls/pfs is about as bad as bad can be.

        Still, I suppose if you are entering real-world details here, you're doing it all wrong ;)

        I still see no excuse for ignoring good/best practice here on El Reg.

        1. Rob 54

          Re: El Reg is not vulnerable....

          "I still see no excuse for ignoring good/best practice here on El Reg."

          I agree, in real terms this would not take much and it sets a good example.

        2. Vic

          Re: El Reg is not vulnerable....

          I still see no excuse for ignoring good/best practice here on El Reg.

          They're using cheapie shared hosting for the site; adding SSL would require a change in the arrangement with the hosting provider (Rackspace).

          I often wonder whether it would be cheaper to do that than to carry on typing messages to try to defend the indefensible current situation...

          Vic.

        3. Michael Wojcik Silver badge

          Re: El Reg is not vulnerable....

          I still see no excuse for ignoring good/best practice here on El Reg.

          Cargo-cult security.

          There are no "best practices" in a vacuum. Security measures are only meaningful in the context of a threat model. What threats are you trying to protect against? How probable are they versus the rest of the attack tree? What are the incremental costs to attackers and the Reg?

          Of course, we can't expect most Reg readers to pay attention to such niceties. It's much easier to simply whinge about a lack of TLS for signing into the forums.

          1. I don't have a handle

            Re: El Reg is not vulnerable....

            "Cargo-cult security. There are no "best practices" in a vacuum. (blah, blah...)"

            Seems to me that you are being a bit fast and loose with the word vacuum. To me, a vacuum is devoid of anything. If it has just an ickle something in it, then it ain't no vacuum. Maybe you define it otherwise.

            But yeah, you are surely right. I am in a cult where daily life involves words and phrases such as TLS, PFS, encryption, hashing, key stretching, timing attacks etc. Nasty little cult it is. Really pernicious stuff going on in this cult. The bastards just don't let up about security, privacy and respect for other people's data. The m***er fcukers. But hallelujah brother. We shall be saved by the Vacuum! All hail the Vacuum!

            *Sigh* Oh, how I long to belong to the cult of the 90's again. Flat files, plaintext passwords, no security and no respect for others' personal data (no matter how small)*.

            * Oh, hang on... I'm talking shit again. Anyway, enjoy the 90s... They are like so last century ;)

      2. Anonymous Coward

        Re: El Reg is not vulnerable....

        That's insane!

        I cannot reasonably be expected to remember more than one username/password across all the websites I use!

        It's not like I can carry my whiteboard around with me. (Although thinking about it, I could take a photo of it and save it somewhere safe, like facebook or google+)

  8. Velv

    Who's calling the shots...

    Security is critical, you and I both know that. If it were within our power we'd have fixed these vulnerabilities within days of the fix being released.

    Sadly (and I'm not defending it) it's not always IT who call the shots. Marketing and Customer Relations also have a say, and you cannot "upset the customers". Requiring a "modern browser" is not always as easy as it sounds, and having seen the browser usage statistics there are still substantial proportions of users who cannot use websites that we might consider as sufficiently secure.

    Bring in a Regulator who measures service above security and suddenly your business decisions point to a less secure platform that supports a wider range of customers without introducing complex end user technical requirements.

    Not saying I like it, but that is the reality of limited budgets and resources.

  9. Anonymous Coward

    I do IT for a bank

    and I've been remediating some POODLE vulnerabilities, but it's a bit of a nightmare. Customer-facing websites are easy though: you just need a modern browser, so I can't see why those wouldn't have been done, other than that it would prevent employees connecting from their machines running old Internet Explorer versions :)

    The big issues I've had are with web services that are consumed by applications that don't support versions of TLS over 1.0. Upgrading these isn't always straightforward, especially in a risk-averse bank. So you end up having to route service calls all over, through other systems that do support it.

  10. 8tpercent

    Nice expiry date on this one...

    https://www.ssllabs.com/ssltest/analyze.html?d=money.asda.com&hideResults=on

  11. Anonymous Coward

    Can we add DSG Retail to the list?

    SSL3, TLS1.0, RC4. Higher vulnerabilities were on offer in some of their (web) stores for the preceding 6 months.

    https://www.ssllabs.com/ssltest/analyze.html?d=secure.pcworld.co.uk

    https://www.ssllabs.com/ssltest/analyze.html?d=knowhow.com

  12. get off

    Riddle me this people.. 'use a modern browser'

    I've just joined The National Bank of Aus...That's Yorkshire Bank ybonline.co.uk and or clydesdalebank.co.uk AND I brought this up to them on the phone. "Errrm! You're a bank" No contact back of course..

    (150 quid + 2% on a current acc if anybody is interested).

    Here's the thing though. Their internet banking won't load at all in either FF or Palemoon and I'm forced to use OLD browsers. Either Opera 12 or IE...Just for them mind.. HSBC, Lloyds, HBOS all happy to load..

    So when you say 'use a modern browser' I just don't get it. Aren't FF and Palemoon actually saying 'this site is so insecure I'm not even prepared to load it' (Poodle and a SHA1 Intermed cert).

    They both throw me this

    "Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)"

    So what gives with the old vs modern browser thing. Any of you clever pepol (sic) able to shed light on my puzzlement?
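On the old-versus-modern-browser question in the post above, as an added example that is not from the original thread and says nothing about any particular bank's servers: a toy model of TLS version and cipher-suite negotiation, including the browser "downgrade dance" that POODLE relies on and the TLS_FALLBACK_SCSV signal from RFC 7507 that lets a patched server refuse a forced fallback. The version and suite numbers are the real registry values; the client, server and attacker objects are constructed for the demo, and treating any alert as final is a simplification of what browsers actually did.

```python
from dataclasses import dataclass

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
RC4_SHA, AES128_SHA = 0x0005, 0x002F   # TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA
TLS_FALLBACK_SCSV = 0x5600             # RFC 7507 signalling cipher suite value
NAME = {SSL3: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}

@dataclass
class Server:
    versions: list          # protocol versions enabled on the server
    ciphers: list           # suites in server preference order
    scsv_aware: bool = True # False models a server that predates RFC 7507

    def hello(self, client_version, client_suites):
        """ServerHello logic for one ClientHello; client_version is the highest the client offers."""
        # RFC 7507: a fallback retry below our best version means something forced a downgrade.
        if self.scsv_aware and TLS_FALLBACK_SCSV in client_suites and client_version < max(self.versions):
            return ("alert", "inappropriate_fallback")
        usable = [v for v in self.versions if v <= client_version]
        if not usable:
            return ("alert", "protocol_version")
        common = [c for c in self.ciphers if c in client_suites]
        if not common:
            return ("alert", "handshake_failure")   # the browser shows "no common encryption algorithm(s)"
        return ("server_hello", max(usable), common[0])

@dataclass
class Client:
    versions: list
    ciphers: list
    fallback_dance: bool    # retry with a lower version after a dropped connection (old browser habit)

def negotiate(client, server, attacker_drops_above=None):
    """Run the client's attempts against the server and return a log of (version, reply).
    The optional attacker drops every ClientHello above a version, which is how a
    network attacker pushed a dancing browser down to SSL 3.0 for POODLE."""
    tried = sorted(client.versions, reverse=True) if client.fallback_dance else [max(client.versions)]
    log = []
    for i, version in enumerate(tried):
        suites = client.ciphers + ([TLS_FALLBACK_SCSV] if i > 0 else [])   # the SCSV marks a retry
        if attacker_drops_above is not None and version > attacker_drops_above:
            log.append((version, ("dropped",)))   # client sees a connection failure and retries lower
            continue
        reply = server.hello(version, suites)
        if reply[0] == "server_hello" and reply[1] not in client.versions:
            reply = ("alert", "protocol_version")   # client refuses a version it has disabled
        log.append((version, reply))
        break
    return log

def scenarios():
    modern = Client([TLS10, TLS11, TLS12], [AES128_SHA], fallback_dance=False)
    dancer = Client([SSL3, TLS10, TLS11, TLS12], [AES128_SHA, RC4_SHA], fallback_dance=True)
    no_ssl3 = Client([TLS10, TLS11, TLS12], [AES128_SHA, RC4_SHA], fallback_dance=True)
    rc4_only = Server([SSL3, TLS10], [RC4_SHA])
    unpatched = Server([SSL3, TLS10, TLS11, TLS12], [AES128_SHA, RC4_SHA], scsv_aware=False)
    patched = Server([SSL3, TLS10, TLS11, TLS12], [AES128_SHA, RC4_SHA], scsv_aware=True)
    return {
        "modern client vs RC4-only server": negotiate(modern, rc4_only),
        "dancing client, attacker, unpatched server": negotiate(dancer, unpatched, SSL3),
        "dancing client, attacker, SCSV server": negotiate(dancer, patched, SSL3),
        "client with SSLv3 off, attacker": negotiate(no_ssl3, patched, SSL3),
    }

if __name__ == "__main__":
    for name, log in scenarios().items():
        print(name + ":", " -> ".join(f"{NAME[v]} {r}" for v, r in log))
```

Two separate things hide behind "use a modern browser". A client that has removed a suite or a protocol version simply has nothing in common with a server that offers only those, and the handshake fails outright; that is the first scenario, and it is what a browser error about no common encryption algorithm means. The other three show the downgrade dance: an old client that still has SSL 3.0 enabled can be walked down to it by an attacker who drops the higher attempts, an RFC 7507 server sees the TLS_FALLBACK_SCSV on the retry and refuses, and a client with SSL 3.0 disabled never reaches the vulnerable version at all, at the price of not connecting to a server that offers nothing better.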
