Poodle Hastened the Death of SSL v3.0

by · November 13, 2014

SSL (Secure Sockets Layer) allows sensitive information, such as credit card numbers and login credentials, to be transmitted securely to the server to process a transaction. Normally, information sent between browser and web server in plain text format that leaves your data vulnerable to attackers. This means, if an attacker could intercept data sent between a browser and a web server, they can see and use that information.

Secure Sockets Layer

Secure Sockets Layer is defined as the standard security technology/protocol for establishing an encrypted link between 2 machines

More specifically, SSL is defined as the standard security technology/protocol for establishing an encrypted link between a server and a client. The server could be a web server (website) and the client could be a web browser; or a mail server and a mail client (like outlook). The SSL protocol was originally developed by Netscape, starting with SSL v1.0 which wasn’t released and SSL v2.0 which was released in February 1995 but didn’t stay long because of security flaws and led to the development of a new version in 1996 named SSL v3.0.

SSL v3.0 was a complete redesign and rebuild of the protocol produced by Paul Kocher, Phil Karlton and Alan Freier. It was published by IETF as a historical document in RFC 6101 in 1996.

Although SSL v3 is nearly 18 years old, many pieces of software still fall back on SSL v3 if better encryption options are not available. More importantly, it is possible for an attacker to force SSL v3 connections if it is an available alternative for both participants attempting a connection.

So, WHAT is Poodle?

Padding Oracle On Downgraded Legacy Encryption (POODLE) is a flaw in how browsers handle encryption. Attackers, as man-in-the-middle, can change data in a way that forces a leak of data in a block called cipher. Many of the cipher suites in SSL v3.0 are already not being used due to insecure and small key sizes. This vulnerability has been discovered  by Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team.

POODLE vulnerability allows attackers to use the design of SSL v3.0 to decrypt sensitive information, including secret session cookies which give the attacker the ability to hijack sessions for users’ accounts. Because the protocol is too old, the flaw can’t be patched, but it’s hastening the death of SSL v3.0 as a standard.

How To Protect yourself Against POODLE Vulnerability

httpsSSL v3.0 is not the only protocol that encrypts your data from your browser, as in January 1999 a new update of SSL has been defined in RFC 2246 and it was named Transport Layer Security (TLS) protocol version 1. TLS v1.0 followed by TLS v1.1 in April 2006 and TLS v1.2 in August 2008. To protect yourself from POODLE you need stop the downgrade of TLS versions to SSL v3.0, i.e. to enforce your browser to use only TLS v1.0 as the minimum downgrade for encryption.

Easy Talk! let’s Take some action

Let’s fix our browsers by enforcing the minimum protocol to TLS v1.0 manually till a new update of the browsers is released.

Firefox

The easy way is to change the value of security.tls.version.min to 1 by following the simple steps below:

  • Type about::config in your Firefox address bar Screen Shot 2014-11-13 at 7.51.09 AM.
  • Click I’ll be careful, I promise to bypass the security warning.
  • In the search box, type security.tls.version.min.
  • Double-click it to change the value to 1
  • Now you enforced your browser to use TLS version 1 as the minimum protocol

Internet Explorer

It is also easy to enforce IE not to use SSL v3.0 by the following steps:

  • Click tools icon Screen Shot 2014-11-13 at 7.54.58 AM .
  • Choose “Internet Options”.
  • Click “Advanced” tab.
  • Search for “Use SSL 3.0” under “Security” settings group and unselect the checkbox.
    Screen Shot 2014-11-13 at 7.50.59 AM
  • Click “Apply”, and then “OK”
  • Restart your browser.

Google Chrome

Chrome doesn’t have direct access to its configurations, specially the security settings, so you will need to find a workaround to enforce the browser to start using the minimum SSL version:

  • Right click on the shortcut icon you use to open Chrome
    • If it is pinned to the taskbar, right click on “Google Chrome”
      Screen Shot 2014-11-13 at 7.50.31 AM
  • Click “Properties”
  • After the text in target box, type “—ssl-version-min=tls1″
    Screen Shot 2014-11-13 at 7.50.03 AM
  • Click “Apply” and “OK”
  • This will enforce the browsers to start with minimum level of TLS v1.0 only if you used the modified shortcut icon so.
  • I hope you find this post informative and useful. Stay Safe!

Post By Sami El-Kady (2 Posts)

Website: → Personal Website

Connect

Add a Comment