Wednesday, October 15, 2014

SSL 3.0 vulnerability found! "POODLE"


Researchers from Google found a vulnerability in SSL v3.0 this week, which allows for a man-in-the-middle attack (MITM). This type of MITM attack is called a POODLE (Padding Oracle On Downgraded Legacy Encryption), and allows the cybercriminal to access and steal information by changing how the SSL client and the server communicate with each other.

It is always a big deal when security protocols (especially encryption-based ones) are found to be vulnerable, and although SSL 3.0 is almost 18 years old, many still use it on their browsers, VPNs and e-mail clients.

Although the exploitation takes some work to execute (the attack can gain about one byte of clear text for every 256 requests), it could result in your confidential data being exposed, so it is best to deal with this as soon as possible.

The best approach for businesses is to get their IT department to disable SSL v3.0 on all clients and servers company-wide. Start with your most business-critical and/or financially-centered IT resources such as PCI websites, point-of-sale systems, and VPNs. Also remember your STARTTLS-compliant services like IMAP, POP3 and SMTP.

Keep in mind that disabling this protocol on clients and servers will impact the business, its systems and employees, so it may need to be staged over time to ensure the least amount of downtime. If you have external customers, make sure they understand the implications as well.

Pulling up a log summary of the encryption ciphers used by your clients and the browsers they are using will help you understand how many people will be affected by disabling SSL v3.0. It might also give you insight as to whether this attack is happening over time.

Google recommends using TLS_FALLBACK_SCSV as a solution. You can also check out more information at http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html .

It is quite a challenge for consumers unfortunately to protect themselves against a POODLE attack. It is possible to turn off SSL 3.0 off in Firefox and Chrome, but this has to be set up manually. This makes it even more important for service providers and IT vendors to take the lead on this and help protect their customers. Customers should also be able to feel secure in that their selected vendors and service providers have taken adequate steps to protect themselves from this attack.

The result is another major vulnerability for SSL. Do you think this could signify the beginning of the end for SSL?


No comments: