Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE

As warned by The Register, researchers have discovered a security vulnerability in SSL 3.0 that allows attackers to decrypt encrypted website connections. Miscreants can exploit a weakness in the protocol's design to grab victims' secret session cookies. These can be used to log into online accounts, such as webmail, social …

  1. bazza Silver badge

    Misleading Language

    "This should be an academic curiosity because SSL 3.0 was deprecated very nearly 15 years ago"

    Seems that the word 'deprecated' has been widely misunderstood by browser and server writers for 15 years. How much other stuff has been 'deprecated' that is actually still out there, still in use, still burnt in to code and still vulnerable? My guess: **** loads.

    Even though trivial routines such as sprintf() have been advised against for eternity (snprintf() being the advised, improved alternative), there must be tons of software out there that uses the older version. Ok, so that's fine if it works, but it also means that it's potentially vulnerable to, for example, a buffer overflow problem.

    And no-one is looking at the software's source code because it's old, established (and therefore boring) and blessed with an aura of correctness gained through age and not through analysis and testing.

    So isn't it about time that things that have been deprecated actually got removed? If OSes actually got rid of the dangerous old shit like the SSL run time libraries and the dodgy old functions like sprintf() then after a period of chaos we would all be better off.

    1. djack

      Re: Misleading Language

      Considering the number of servers out there still supporting SSL version 2, I can see this being an issue for a long time.

    2. Charlie Clark Silver badge

      Re: Misleading Language

      The internet is supposed to "degrade gracefully" by providing support for older protocols so that you don't wake up one day and find the internet no longer works for you. That said there are cases (and security is certainly one) where a less forgiving approach is warranted and Google is right to remove support for SSL v3 from its browser.

      We now have much better tools and resources for identifying potential weak spots than we did even five years ago.

      1. Bronek Kozicki

        Re: Misleading Language

        so that you don't wake up one day and find the internet no longer works for you

        The problem with protocols which are supposed to work from-day-to-day is that there is no incentive to do anything about deprecated features, and thus "will it work tomorrow" incentive to just keep using what works, gets stretched until things break catastrophically.

    3. JamesPond
      Childcatcher

      Re: Misleading Language

      "And no-one is looking at the software's source code because it's old, established (and therefore boring)"

      ...err...I think you'll find attackers are looking at the code!

    4. Destroy All Monsters Silver badge
      Trollface

      Re: Misleading Language

      How much other stuff has been 'deprecated' that is actually still out there, still in use, still burnt in to code and still vulnerable?

      There are a couple of "languages" named according to the third letter of the alphabet, for starters. They were shit in the late 80s.

      1. Anonymous Coward
        Anonymous Coward

        Re: Misleading Language

        @Destroy All Monsters

        You still haven't uploaded your amazing language that can do everything C can yet doesn't have any of the pitfalls to github as far as I can tell.

        I'm really interested to see how you'll do stuff like accessing hardware specific registers without introducing "hold my hand mum, this is scary" constructs to the language.

      2. Matt Bryant Silver badge
        Facepalm

        Re: Destroyed all braincells Re: Misleading Language

        ".....There are a couple of "languages" named according to the third letter of the alphabet, for starters....." The famous description of C is 'driving a Porsche along a mountain road with no safety barriers' - fine, fun and with great performance, if you know what you're doing, I take it you're just a bad 'driver'.

        1. Anonymous Coward
          Anonymous Coward

          Re: Destroyed all braincells Misleading Language

          >'driving a Porsche along a mountain road with no safety barriers'

          If anyone thinks that range checks etc done in software via a vm or inserted at compile time make everything super duper secure then they are fooling themselves.

          Thinking that C programs running on a modern OS do what they like totally unchecked just shows that certain people that comment here far too often to be healthy are all talk and no trousers.

          1. Matt Bryant Silver badge
            Happy

            Re: AC Re: Destroyed all braincells Misleading Language

            I believe the Porsche quote is from the Kernighan & Ritchie definitive textbooks (for C and UNIX gurus, also known as 'the White Bible'), IIRC. Anyone wishing to disagree will probably find that Mr Kernighan is famous for a biting sarcasm that would make moi look positively retiring.

    5. Anonymous Coward
      Anonymous Coward

      Re: Misleading Language

      >Even though trivial routines such as sprintf() have been advised against for eternity

      It's as though snprintf isn't available everywhere or something... A lot of stuff that is "evil" according to some guy's blog is perfectly safe to use if used properly. Equally "safer" "modern" versions of things can be misused too. Maybe it's harder to make mistakes but I think suggesting that one is evil blah blah and the other is hard as nails makes people afraid to learn how to use stuff correctly and gives them a false sense of security.

      >there must be tons of software out there that uses the older version.

      There's tons of stuff out there that has to run on old ass systems that don't have "modern" stuff in their libc. That stuff could be perfectly secure. Stuff that uses the modern versions could have some other problem. Just using the "modern" stuff doesn't remove all potential for programmer error. The version of snprintf in your libc could also be broken.

      1. Michael Wojcik Silver badge

        Re: Misleading Language

        It's as though snprintf isn't available everywhere or something...

        It isn't - at least not a conforming version. MSVC's is still broken, for example (wrong return value if the buffer is too small, and fails to nul-terminate in that case also). The same for the C library on at least one UNIX platform (HP-UX 11.23, maybe?).

        Of course Microsoft C doesn't actually provide snprintf. It provides a family of functions with names beginning with "_snprintf", which is an identifier reserved to the implementation, so it can do whatever Microsoft damn well pleases.

        So no, snprintf is not available everywhere.

        We use it, but we have to wrap it in code that Does The Right Thing for both conforming and brain-dead implementations.
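        As an added illustration of the kind of wrapper described above (this is example code, not Michael Wojcik's or any project's own wrapper), the following C function formats into a buffer and guarantees two things regardless of the platform's vsnprintf: the buffer is always NUL-terminated, and the caller learns whether the output was truncated. A conforming vsnprintf returns the length the full output would have needed; the older non-conforming behaviour the comment describes (a negative return and no terminator when the buffer is too small) is handled by the same branch. The function name and the `truncated` out-parameter are this example's own conventions.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Format into buf (size bytes) and always leave it NUL-terminated.
 * Returns the number of characters stored, excluding the terminator.
 * *truncated is set to 1 when the formatted text did not fit, else 0.
 *
 * Handles both a C99-conforming vsnprintf (returns the needed length,
 * terminates even on overflow) and the legacy behaviour discussed above
 * (negative return, no terminator on overflow). */
size_t safe_snprintf(char *buf, size_t size, int *truncated, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0) {
        /* Nothing can be stored, not even the terminator. */
        if (truncated) *truncated = 1;
        return 0;
    }

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    /* A broken implementation may have filled every byte without a
     * terminator; a conforming one has already put one here. Either way
     * this write is harmless and makes the buffer safe to treat as a string. */
    buf[size - 1] = '\0';

    if (n < 0 || (size_t)n >= size) {
        /* Legacy "-1 on overflow", or conforming "needed >= size":
         * in both cases the text was cut. Measure what actually landed
         * rather than trusting the return value. */
        if (truncated) *truncated = 1;
        return strlen(buf);
    }

    if (truncated) *truncated = 0;
    return (size_t)n;
}

int main(void)
{
    char buf[8];
    int truncated;
    size_t n;

    /* Constructed inputs: one that fits, one that does not. */
    n = safe_snprintf(buf, sizeof buf, &truncated, "%d", 42);
    printf("\"%s\" stored=%zu truncated=%d\n", buf, n, truncated);

    n = safe_snprintf(buf, sizeof buf, &truncated, "%s", "hello world");
    printf("\"%s\" stored=%zu truncated=%d\n", buf, n, truncated);
    return 0;
}
```

        Callers that need the full length (to allocate a larger buffer) can retry with a bigger size when `truncated` is set; the wrapper deliberately does not report the "needed" length because that is exactly the value a non-conforming implementation gets wrong.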

    6. Stevie

      Re: Misleading Language

      The word 'deprecated' does not mean 'obsolete' unfortunately. Perhaps a little more backbone is called for when deciding how long to deprecate stuff before making it obsolete (I'm dancing hard around the non-verb 'to obsolete' as you can tell).

      There's graceful degradation of the internet and there's disgraceful degradation of the internet. The question is, which one do you want?

      Browser writers! Have some gumption and get rid of useless, dangerous stuff!

  2. Nigel The Pigeon

    easy to perform

    Someone please correct me where I'm wrong, but from reading that paper it appears to be...

    1. A hacker sits in a cafe with a laptop, and injects an IFRAME into some plaintext HTTP data flowing through the airwaves. The IFRAME contains Javascript.

    2. The Javascript then requests something from a secure server, say with a HTTPS cookie.

    3. The hacker intercepts the request / or server handshake response, causing the connection to drop.

    4. After a few dropped connections, the browser, in an attempt to connect at any cost, starts downgrading the protocol it's using until it ends up on SSL3.0 - which is really old and buggy.

    5. The Javascript repeatedly requests the same HTTPS data from the server. (Now using SSL3.0).

    6. The hacker intercepts each of the browser's requests, and modifies one of the (already encrypted) bytes in a certain position (called the oracle block padding byte).

    7. From the server's response (failed or success) the hacker is able to judge whether their modified byte was actually part of the plaintext request before it was encrypted.

    8. Because the encrypted data is essentially random, only 1 out of every 256 attempts will get the correct byte, so for each character the hacker has to intercept up to 256 requests.

    It sounds like a pain in the ass, but I can certainly see how a few bits of code will make short work of it.
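    To make steps 6 to 8 concrete from the defender's side, here is an added C example (not from the original comment, the paper, or any TLS implementation) that compares the padding check an SSL 3.0 receiver performs with the one a TLS 1.0+ receiver performs. The block layout, the filler value and the way the MAC step is modelled (the declared padding length must match the real one, otherwise the MAC covers the wrong bytes and fails) are this example's own simplifications. The point it shows is why a garbage final block is accepted by SSL 3.0 with probability 1/256 but essentially never by TLS, which is what makes the SSL 3.0 receiver usable as an oracle, and why the remedy is to stop accepting SSL 3.0 rather than to patch around it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A decrypted final CBC block looks like [ ... padding bytes ... | pad_len ],
 * where pad_len is the number of padding bytes before the length byte. */

/* SSL 3.0: only the length byte is checked; the padding bytes themselves
 * may hold anything. */
int sslv3_padding_ok(const uint8_t *block, size_t blocksize)
{
    uint8_t pad_len = block[blocksize - 1];
    return pad_len < blocksize;
}

/* TLS 1.0 and later: every padding byte must equal the length byte. */
int tls_padding_ok(const uint8_t *block, size_t blocksize)
{
    uint8_t pad_len = block[blocksize - 1];
    if (pad_len >= blocksize)
        return 0;
    for (size_t i = 0; i < pad_len; i++)
        if (block[blocksize - 2 - i] != pad_len)
            return 0;
    return 1;
}

typedef int (*pad_check_fn)(const uint8_t *, size_t);

/* Model of the receiver: check padding, strip pad_len + 1 bytes, then verify
 * the MAC. If the declared length differs from the real one the MAC is taken
 * over the wrong bytes and fails, so acceptance also requires a match. */
int record_accepted(pad_check_fn check, const uint8_t *block, size_t blocksize,
                    size_t true_pad_len)
{
    if (!check(block, blocksize))
        return 0;
    return block[blocksize - 1] == true_pad_len;
}

/* The record's real final block was entirely padding (true_pad_len ==
 * blocksize - 1), but the bytes that actually decrypted are garbage
 * (constructed here as a fixed filler). Count how many of the 256 possible
 * values of the last byte the receiver accepts. blocksize must be <= 16. */
int accepted_last_byte_values(pad_check_fn check, size_t blocksize, uint8_t filler)
{
    uint8_t block[16];
    int accepted = 0;

    if (blocksize == 0 || blocksize > sizeof block)
        return -1;
    memset(block, filler, blocksize);
    for (int v = 0; v < 256; v++) {
        block[blocksize - 1] = (uint8_t)v;
        accepted += record_accepted(check, block, blocksize, blocksize - 1);
    }
    return accepted;
}

int main(void)
{
    printf("SSL 3.0 receiver accepts %d of 256 garbage final blocks\n",
           accepted_last_byte_values(sslv3_padding_ok, 8, 0x37));
    printf("TLS receiver accepts %d of 256 garbage final blocks\n",
           accepted_last_byte_values(tls_padding_ok, 8, 0x37));
    return 0;
}
```

    The SSL 3.0 count is 1 whatever the filler is, because only the length byte matters; the TLS count is 0 unless every padding byte happens to equal the length, which for a random block is a 2^-56 event with 8-byte blocks. That difference in what the receiver reveals is the whole of the oracle, and it disappears the moment the server refuses SSL 3.0.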

    1. Anonymous Bullard

      Re: easy to perform

      I can imagine this being automated, and there will no doubt be a POC publicly available in a few days, reducing your steps to "1. Run this"

      All the attacker needs is control of a system between you and the other end (for web traffic), a requirement for every other MITM attack. (and if you think that's highly unlikely, then why encrypt?).

    2. Doctor_Wibble

      Re: easy to perform

      Easy to fix:

      - remove 'iframe' from the html spec

      - remove javascript from existence

      - remove flash from existence (not related I just hate it)

      These three steps will solve many problems at once since the MITM is often not the spotty teenager at the next table, it is the compromised ad server network that doesn't bother to check the crap their customers feed into it.

      Plain text on a plain background should be good enough for anyone, along with 640k, cardboard box in the middle of the street (etc)...

      1. bob, mon!
        FAIL

        Re: easy to perform

        > Easy to fix:

        > ...

        > - remove javascript from existence

        OH yeah! Easy-peasy!

    3. Roland6 Silver badge

      Re: easy to perform

      >1. A hacker sits in a cafe with a laptop, and injects an IFRAME into some plaintext HTTP data flowing through the airwaves.

      Well the use of a public WiFi hotspot as an example is obvious as they don't typically use WiFi encryption. However, as most traffic isn't encrypted as it crosses the wider internet (and that includes traffic that gets encrypted to traverse a WiFi connection), the attack can be made anywhere, which re-opens the whole can-of-worms around the NSA etc.

    4. TrickyWoo

      Re: easy to perform

      I think that's a very well thought out method however the a priori is that the attacker be based in a Web Cafe due to the need for the MitM. This makes it far more difficult in terms of effort and therefore mitigates the overall risk of exploitation. Happy to be proved wrong though :-)

      1. PeteA

        Re: easy to perform

        It requires a connection to the internet and the ability to host a WiFi ESSID. The former is the bit that the cafe's WiFi connection is used for - but there are plenty of other things you can use e.g. a USB-4G Modem adapter. So unfortunately, they're not tied to cafes - just to anywhere that doesn't have an 'obvious' free connection already available. Try setting up a public hotspot called 'XxxFreeWiFi' somewhere busy and plausible like a shopping centre ('SouthMallFreeWiFi') and I bet you'll get plenty of connection attempts. There's not even a reason for the attacker to be in the close vicinity of the equipment if they choose to use some remote hardware.

        That said, I thought it was easy enough to disable SSL/TLS versions in most web servers anyway so as long as it's "disabled by default" then there's a pretty good argument for retaining it as an option for specific use-cases.

  3. Alister
    Facepalm

    They spent all that extra time thinking up a name and a pretty logo for this vulnerability, before releasing it to the public, and the best they could come up with was POODLE!!

    1. Anonymous Coward
      Anonymous Coward

      Alternatively...

      Padding Input Downgraded Delivering Legacy Encryption = PIDDLE!

  4. Chemist

    From ISC

    Their current page for this includes links to test sites

    For clients it's https://www.poodletest.com/ (Javascript needs to be enabled)

    FYI OpenSUSE 13.1 Firefox ESR not vulnerable, SeaMonkey (2.29) not vulnerable, Konqueror (4.10.1) vulnerable

    1. Paul Crawford Silver badge

      Re: From ISC

      Well on my Ubuntu home box:

      Firefox 33 => not vulnerable

      Chromium Version 37.0.2062.120 Ubuntu 12.04 (281580) (64-bit) => vulnerable

      Opera 12.16 => test did not complete (probably not exploitable then?)

      1. Roland6 Silver badge

        Re: From ISC

        Interesting, well this is one instance where IE comes out looking good !

        Whilst all my installed browsers (IE, Chrome, Maxthon) on Win7 & XP are vulnerable, it is only with IE that I can implement a workaround (disable SSL 3.0 in the advanced options).

        Only concern with respect to depreciated protocols is with IE 8, as the only remaining option I've still got ticked is "Use TLS 1.0".

        Aside: poodletest has obviously been updated in the last hour or so as when I first tested IE8 it didn't display an image, but now it does.

        1. Pookietoo
          Headmaster

          Re: depreciated protocols

          Deprecated, not depreciated.

    2. gloucester

      Re: From ISC

      Win 7 Firefox ESR 24.8.1 Not vulnerable.

      IE10 didn't get poodle or terrier.

      1. Anonymous Coward
        Anonymous Coward

        Re: From ISC

        IE10 didn't get poodle or terrier.

        it's just broke

        1. This post has been deleted by its author

    3. Dan 55 Silver badge
      Alert

      Re: From ISC

      I would say that https://www.poodletest.com/ is not 100% reliable, at least with Firefox and probably other Gecko browsers.

      Firefox is vulnerable - check at http://zmap.io/sslv3/. To fix set security.tls.version.min to 1 in about:config and Shift-refresh the test page.

      Same goes for Android versions.

      Firefox 34 when released will disable SSL 3 if you don't do it manually now.

  5. captain veg Silver badge

    triply safe

    "while you are at Starbucks, some hacker next to you will be able to post tweets in your Twitter account and read all your Gmail messages."

    Never been in Starbucks, never had a Twitter account, don't use Gmail. Next!

    -A.

  6. Anonymous Coward
    Linux

    smug

    This is a legacy browser problem. Chrome was updated last night about 20 mins before I read this.

    1. MrWibble

      Re: smug

      Mine (on Ubuntu) updated this morning - to v38. poodletest.com shows it as still vulnerable, whereas firefox isn't.

      1. yossarianuk

        Re: smug

        Launch chrome using 'google-chrome-stable --ssl-version-min=tls1' and the vulnerability has gone (at least in Linux)

        Firefox is not vulnerable (Kubuntu 14.04)

      2. Dan 55 Silver badge
        Alert

        Re: smug

        Poodletest doesn't get it right with Firefox - it is vulnerable.

        See other post somewhere above.

        1. Chemist

          Re: smug

          "Poodletest doesn't get it right with Firefox - it is vulnerable."

          It does now - it's been updated.

          Also "So in short: Firefox is less likely to downgrade to SSLv3 if the server follows best practices on cipher selection, even if SSLv3 is still supported."

    2. Roland6 Silver badge

      Re: smug

      Poodletest is reporting Chrome v38.0.2125.104 m on Windows - the latest available is vulnerable and requires Google to issue a fix... Whereas IE 8 (and probably earlier versions such as 6) whilst vulnerable in their default configuration, disabling SSL 3.0 is a user action...

      1. Roland6 Silver badge

        Re: smug

        Follow up to my previous comment.

        On Windows, it seems that whilst you can enter the command-line:

        chrome.exe --ssl-version-min=tls1

        and start chrome, it will still fail poodletest...

        1. Roland6 Silver badge

          Re: smug

          Re: Poodletest doesn't always get it right

          Tested Chrome again this morning with the command line switch --ssl-version-min=tls1 and it now gets it right.

  7. Mage Silver badge

    XP?

    XP is irrelevant if you have a sensible browser, i.e. not IE!

  8. Destroy All Monsters Silver badge
    Trollface

    Poodle?

    Clearly a Blair Bug.

  9. K
    Devil

    And here I was preparing for a massive round of patching..

    Where all it requires (initially at least) is ticking of a couple of checkboxes on our Load Balancers to disable SSL3!

    1. Roland6 Silver badge

      Re: And here I was preparing for a massive round of patching..

      Big-IP by any chance?...

  10. Anonymous Coward
    Anonymous Coward

    Firefox and Opera on xp

    Firefox not vulnerable. Opera with enable ssl3 in security protocols just sat there with 329kB downloaded and seemed to be continually setting up secure connection - no image. Disabling ssl3 brought instant not vulnerable image.

  11. Talkingheads80

    Sharing tools

    Portcullis have been advising clients to turn off legacy SSLv3 for a while now – POODLE - Blog by Portcullis talks you through the details.

    If anyone is interested updated tools can be found here http://lnkd.in/dEuFT6q http://lnkd.in/d_ABrii

  12. Graham Cobb Silver badge

    Bad news for iPad

    My (work supplied) iPad2 running iOS 7.1.1 is vulnerable (according to poodletest.com). I can't upgrade to iOS 8 (not only would I need to check all my demos still worked, general opinion seems to be that upgrading an iPad2 is not advisable) but presumably any fix will only be issued for iOS 8.

    Must remember not to use it to access any important personal stuff (not just banking, but things like airline check-in).

    Hmm, that raises an interesting question... will apps (like the BA app) inherit any fixes that may be supplied for iOS or Android or do the apps themselves need to be updated?

    1. Soap Distant

      Re: Bad news for iPad

      iPad 4 (again work supplied) with iOS 8.02 applied and Safari is still vulnerable. Can't see a setting anywhere to disable SSLv3 either...

    2. Adam 1

      Re: Bad news for iPad

      > will apps (like the BA app) inherit any fixes that may be supplied for iOS or Android or do the apps themselves need to be updated?

      No need to worry. The security in the BA app is top notch.

  13. Matt Bryant Silver badge
    Devil

    Aw, c'mon!

    I can't believe no-one has commented on how SSL is continually dogged by security issues....

    / Baddum-dum-tush! Yeah, suck it up, I'm here all week!

    1. Fatman
      Joke

      Re: Aw, c'mon!

      I can't believe no-one has commented on how SSL is continually dogged by security issues....

      / Baddum-dum-tush! Yeah, suck it up, I'm here all week!

      Well, I guess you earned your paycheck this week!

      </snark>

      PS: Mr Nadela wants to see both you and Loverock Davidson in his office first thing tomorrow. Something about a new assignment.

      1. Matt Bryant Silver badge
        Happy

        Re: Fatman Re: Aw, c'mon!

        "....PS: Mr Nadela wants to see both you and Loverock Davidson in his office first thing tomorrow. Something about a new assignment." Does he want us to develop you a sense of humour?

  14. Darth.0
    Mushroom

    Fixed it for ya

    However, when at the local Starbucks or other unencrypted Wi-Fi, you are in grave danger from this hack.

    This is why I only login to my online banking portal from my local Dunkin Donuts' coffee shop. Starbucks, pisshaw.
