Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Security Encryption Google The Internet

Google Finds Vulnerability In SSL 3.0 Web Encryption 68

AlbanX sends word that security researchers from Google have published details on a vulnerability in SSL 3.0 that can allow an attacker to calculate the plaintext of encrypted communications. Google's Bodo Moller writes, SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response (PDF) is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
This discussion has been archived. No new comments can be posted.

Google Finds Vulnerability In SSL 3.0 Web Encryption

Comments Filter:
  • Chrome Dumbed Down (Score:5, Interesting)

    by brunes69 ( 86786 ) <`gro.daetsriek' `ta' `todhsals'> on Tuesday October 14, 2014 @08:09PM (#48145767) Homepage

    Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced, but they aren't anymore. Not even available under about:flags.

    • Re: (Score:2, Interesting)

      Tick this box to break the internet? Those kinds of options just cause user frustration. Security should not be optional.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        I'm confused, are you advocating security or compatibility.

        • Giving the user a browser option that will break compatibility with some web sites, adds more bug / support effort to work out what the user actually did. For most users, giving them an option like this is only going to cause you trouble later.

          If you have too many configuration options, nobody will test every permutation to check that they actually work. Since we're talking about web browsers, most of that testing burden would fall on web site developers.

          Having an option for a security setting may allow y

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            But the point is that "making your software secure out of the box" would mean making it fail to work with lots of existing websites. So are you suggesting, instead of giving the user a button to "break the web", just to permanently "break" it for them?

            Most users don't tend to appreciate that sort of thing, which is basically the entire problem of web security in a nutshell.

            • Re: (Score:2, Insightful)

              In this case, the new browser software version will break any server that only supports SSL3.0. When practically every user fails to connect to your server, including your own people, you know you have a problem to fix. Creating some work for web site owners in the interest of their own security.

              I'm saying that if you gave the users the option of breaking some of the web, some small percentage of users would do it without understanding the consequences. This creates a situation that is much harder to deal

              • Yeah, get rid of every feature so the willfully ignorant don't misuse them. Then you're left with garbage.

              • When practically every user fails to connect to your server, including your own people, you know you have a problem to fix. Creating some work for web site owners in the interest of their own security.

                In the real world, when a user updates his browser, and then can't access websites that he could access yesterday, he doesn't plow on a head, knowing that he's forcing some admin to make updates to their webserver, he rolls back the update, and then probably picks a new browser.

            • Yes. Because it will work on 90% of the websites the user uses, he will likely understand it's not his browser problem, it is a problem with the website in question. The browser should not indicate a secure connection to the website if the browser knows that the connection is in fact not secure. Seems pretty self evident.

      • by brunes69 ( 86786 ) <`gro.daetsriek' `ta' `todhsals'> on Tuesday October 14, 2014 @10:53PM (#48146653) Homepage

        In this case, Security is indeed not optional, since you have no option to have it whatsoever - you are handing all your security over to Chrome and the website operator's good intentions.

      • by SeaFox ( 739806 )

        Tick this box to break the internet? Those kinds of options just cause user frustration. Security should not be optional.

        How about those users not mess around with checkboxes if they don't know what they're doing to start with, leaving them for those people who do.
        That's the whole point of segregating settings into "basic" and "advanced" sections.

        This pandering-to-the-morons thing is starting to put all of us at risk.

    • by yuhong ( 1378501 )

      To be honest, I remember the Slashdot article that incorrectly suggested that SSL 2.0 and TLS 1.0 was affected by BEAST.

    • In the early days of Chrome I was a die hard fan due to simplicity and security over aesthetics...

      Not so much anymore.

      Which begs the question, why do they even bother to find these bugs?

      I mean the last straw for me was making the scrollbar microscopic. Did they ever stop to think that i'd rather use a scrollbar to jump back and forth on a page rather than my swiping my fingers?

    • Re: (Score:3, Informative)

      by XXeR ( 447912 )

      Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced, but they aren't anymore. Not even available under about:flags.

      Add --ssl-version-min=tls1 as a command line flag. Check here for the way to do that, depending on your OS:

      http://www.chromium.org/for-te... [chromium.org]

    • by Anonymous Coward on Tuesday October 14, 2014 @09:13PM (#48146151)

      Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced, but they aren't anymore. Not even available under about:flags.

      Still available, but more hidden:

      Chrome users that just want to get rid of SSLv3 can use the command line flag --ssl-version-min=tls1 to do so. (We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.)

      https://www.imperialviolet.org/2014/10/14/poodle.html

      • by rmstar ( 114746 )

        "We used to have an entry in the preferences for that but people thought that âoeSSL 3.0â was a higher version than âoeTLS 1.0â and would mistakenly disable the latter."

        And this, ladies and gentlemen, is why security is so hard. You have this chaotic ape in front of the keyboard making a mess of everything. Now excuse while I go fetch me a banana.

    • From agl: [imperialviolet.org]

      We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.

      "Chrome Users Dumbed Down" might have been a more apt title.

    • My company just banned Chrome anyway, because in the Nov. 7 version it will be reporting that there are errors with the 85% of HTTPS sites that don't use SHA-256 certificates.
  • Fuck It (Score:4, Informative)

    by sexconker ( 1179573 ) on Tuesday October 14, 2014 @08:10PM (#48145775)

    I have a million other things to deal with.
    I'll just run my shit against https://www.ssllabs.com/ssltes... [ssllabs.com] in a month and do what it tells me to.

  • by Vellmont ( 569020 ) on Tuesday October 14, 2014 @08:26PM (#48145845) Homepage

    The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore. I'm sure there's some special cases of embedded systems out there that rely on SSL3 only, but that's a small minority.

    So the question to me is, what would break if you disabled SSL3? Breaking the web for IE6 users happened a long, long time ago.

    • by yuhong ( 1378501 )

      If you absolutely have to use IE6, go to Internet Options's Advanced tab and check TLS 1.0 and while you are at it uncheck SSL 2.0. But of course the preferred solution is to upgrade and while you are it please also update to XP SP3 if you hasn't already. There is no WGA check in WinXP service pack in general, despite such misconceptions.

    • Wait... I can't use Netscape Communicator anymore?

      FOR SHAME.

    • According to the summary, this isn't about browsers, it's about servers - the browsers choose to fall back to SSL3 to cope with broken servers.

      If we stop supporting SSL3, then the browsers won't be able to speak to those old broken servers...

      • According to the summary, this isn't about browsers, it's about servers - the browsers choose to fall back to SSL3 to cope with broken servers.

        Intentionally bypassing downgrade attack protection built into SSL to "cope" with broken servers is 100000% a browser defect. There is no possible excuse for this nonsense in 2014.

      • I think you missed my point. The point was about the implications of removing SSL3 from the server side. Many times you can't just simply change something on a webserver to fix one browser without breaking another.

        In this case, the effects seem to be minimal, and would only break IE6. That's not a problem in 2014, but would have been a major problem if this was discovered in 2007.

    • The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore.

      I'm scared now... tested using old w2k image IE version 6.0.2800.1106 - TLSv1 amazingly works just fine with IE6 using RC4-SHA cipher, forcing AES was no-go.

      When compatibility issues are raised always insist people name names too much of this space is ruled by legend passed down throughout the ages and unhealthy doses of hearsay.

      Everyone saying "there are servers" or "there are clients" please name names and versions.

      • by Anonymous Coward

        There's a very high chance that in the very near future, the majority of websites you visit are going to refuse SSLv3.

        Been listening to a bridge call with Akamai. They're disabling SSLv3, TLS1.0, and TLS1.1 on their network as I type this.

        Some major websites have already disabled SSLv3 on their own (i.e. not waiting for the CDNs to do it).

        Akamai carries 30%-40% of the web traffic (globally). Their 'About' page says 30% but they were saying 40% at the conference last week.

        FWIW, White Hats are reporting live

      • Yes, it's possible for IE6 to use TLS 1.0. But it's not enabled by default. Since it's not on by default, it'll essentially be broken when users visit a site with SSL 3 disabled.

        I don't have an old IE6 machine to check myself, but I've found several references that say it's not on.

        https://news.ycombinator.com/i... [ycombinator.com]

  • by NotQuiteReal ( 608241 ) on Tuesday October 14, 2014 @08:28PM (#48145851) Journal
    Become a sesquipedalian - use fancy fonts, Bold, ALL CAPS, whatever it takes to be plaintext free!
    • by Anonymous Coward
      If you make your text Comic Sans MS it will look so dreadful, nobody would want to read it, hence more secure.
  • by Anonymous Coward

    If it doesn't support TLS 1, it isn't worth supporting.

  • Does anyone know what exactly "many clients implement a protocol downgrade dance" means? ... never heard of this ever... who exactly is doing this and what the hell are they thinking?

    Screw this TLS_FALLBACK_SCSV bullshit it's 2014 cut the music and send the dancers home.

    • by Anonymous Coward

      Some servers don't handle TLS version numbers at all, and typically just reject the connection instead of advertising to the connecting client that they can support SSL3, TLS1.0 and TLS1.1 but not TLS1.2. So when the client tries to connect with TLS1.2, they are disconnected, so the client tries to connect with TLS1.1 and is successful.

      The problem comes in when the client tries to connect with TLS1.1 and Mr. MITM causes the connection to fail. Then it tries to connect with TLS1.0 and Mr. MITM causes the c

      • Some servers don't handle TLS version numbers at all, and typically just reject the connection instead of advertising to the connecting client that they can support SSL3, TLS1.0 and TLS1.1 but not TLS1.2. So when the client tries to connect with TLS1.2, they are disconnected, so the client tries to connect with TLS1.1 and is successful.

        Please I'm begging for names... name names and versions... Who is supporting 1.1 AND doing this?

        This SCSV thing adds a flag to each side to say "but I'm only using this protocol because you didn't like the other protocol" and for the server to say "but you never asked me?"

        Isn't it easier to fix existing implementations rather than inventing new capability negotiation schemes, writing the code and deploying? Is anyone sure extra flags won't cause new compatibility problems?

        If everyone is shutting down SSL 3 anyway as seems to be the case... what then is the remaining intersection of TLS 1+ capable servers and clients still not supporting version negotiation? Please anyone who kn

    • by pathological liar ( 659969 ) on Tuesday October 14, 2014 @10:09PM (#48146385)

      The paper explains it.

      It is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions. Unfortunately those failed negotations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

      • It is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions. Unfortunately those failed negotations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

        There has got to be a better solution for clients in 2014 that does not involve leaving users vulnerable to downgrade attack.

        Why can't browser vendors provide users with an option to enable "dancing" and not have it enabled by default?

        I love backwards compatibility but the cost to overwhelming majority of people who don't have old vulnerability ridden gear to manage via SSL is way too high in 2014.

      • The paper explains it.

        Desperately looking for names and versions.

        is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions.

        Is this IOS? What versions?

        Unfortunately those failed negotations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

        Then why are the browser vendors saying they are going to disable SSL v3? If we're going to use SSLv3 as an excuse and that excuse is taken away ... what's left?

  • I am using IE10, it has effect?
    • by Anonymous Coward

      Depends on how you've configured it.

      By default, SSLv3 is enabled.

      Tools -> Internet Options -> Advanced -> Security

      A little background; SSLv2 got kicked to the curb a few years ago when the exploit named BEAST (it's a kind of Man in the Middle attack) hit the internet.

      BEAST created a big push to move to SSLv3

      SSLv3 and TLS1.0 are very similar,

      http://serverfault.com/questions/178561/what-are-the-exact-protocol-level-differences-between-ssl-and-tls

      SSLv3 and TLS1.0 are going to have the same issues w.r.

  • by Anonymous Coward

    Game on.

    Akamai is now blocking sslv3 'on their network.

    A few hours ago, the plan was to do this next week.

    Session keys are getting compromised in 32K guesses. 'Trivial' is the word they're using.

    Less than 60 seconds worth of traffic is all it takes.

  • Can someone tell me how to get Firefox to say which protocol it's using for any given session? The Security tab has a Technical Details section that mentions "High-grade Encryption" and TLS, but it doesn't say which version of TLS.

  • Easiest, one-click way to remove vulnerable SSL3 support from Firefox, while still allowing Mozilla to automatically enforce even safer defaults in future updates:

    the SSL Version Control add-on [mozilla.org].

Real Users hate Real Programmers.

Working...