Google Finds Vulnerability In SSL 3.0 Web Encryption
AlbanX sends word that security researchers from Google have published details on a vulnerability in SSL 3.0 that can allow an attacker to calculate the plaintext of encrypted communications. Google's Bodo Möller writes,
SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response (PDF) is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
Chrome Dumbed Down (Score:5, Interesting)
Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced", but they aren't anymore. Not even available under about:flags.
Re: (Score:2, Interesting)
Re: (Score:2, Insightful)
I'm confused, are you advocating security or compatibility?
Re: (Score:1)
Giving the user a browser option that will break compatibility with some web sites, adds more bug / support effort to work out what the user actually did. For most users, giving them an option like this is only going to cause you trouble later.
If you have too many configuration options, nobody will test every permutation to check that they actually work. Since we're talking about web browsers, most of that testing burden would fall on web site developers.
Having an option for a security setting may allow y
Re: (Score:2, Insightful)
But the point is that "making your software secure out of the box" would mean making it fail to work with lots of existing websites. So are you suggesting, instead of giving the user a button to "break the web", just to permanently "break" it for them?
Most users don't tend to appreciate that sort of thing, which is basically the entire problem of web security in a nutshell.
Re: (Score:2, Insightful)
In this case, the new browser software version will break any server that only supports SSL3.0. When practically every user fails to connect to your server, including your own people, you know you have a problem to fix. Creating some work for web site owners in the interest of their own security.
I'm saying that if you gave the users the option of breaking some of the web, some small percentage of users would do it without understanding the consequences. This creates a situation that is much harder to deal
Re: (Score:2)
Yeah, get rid of every feature so the willfully ignorant don't misuse them. Then you're left with garbage.
Re: (Score:2)
When practically every user fails to connect to your server, including your own people, you know you have a problem to fix. Creating some work for web site owners in the interest of their own security.
In the real world, when a user updates his browser, and then can't access websites that he could access yesterday, he doesn't plow on ahead, knowing that he's forcing some admin to make updates to their webserver, he rolls back the update, and then probably picks a new browser.
Re: (Score:2)
Yes. Because it will work on 90% of the websites the user uses, he will likely understand it's not his browser problem, it is a problem with the website in question. The browser should not indicate a secure connection to the website if the browser knows that the connection is in fact not secure. Seems pretty self evident.
Re:Chrome Dumbed Down (Score:5, Insightful)
In this case, Security is indeed not optional, since you have no option to have it whatsoever - you are handing all your security over to Chrome and the website operator's good intentions.
Re: (Score:3)
Tick this box to break the internet? Those kinds of options just cause user frustration. Security should not be optional.
How about those users not mess around with checkboxes if they don't know what they're doing to start with, leaving them for those people who do.
That's the whole point of segregating settings into "basic" and "advanced" sections.
This pandering-to-the-morons thing is starting to put all of us at risk.
Re: (Score:1)
To be honest, I remember the Slashdot article that incorrectly suggested that SSL 2.0 and TLS 1.0 were affected by BEAST.
Re: (Score:1)
In the early days of Chrome I was a die hard fan due to simplicity and security over aesthetics...
Not so much anymore.
Which begs the question, why do they even bother to find these bugs?
I mean the last straw for me was making the scrollbar microscopic. Did they ever stop to think that I'd rather use a scrollbar to jump back and forth on a page rather than swiping my fingers?
Re: (Score:2)
Re:Chrome Dumbed Down (Score:5, Funny)
But you don't even use a mouse!
Re: (Score:3, Informative)
Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced", but they aren't anymore. Not even available under about:flags.
Add --ssl-version-min=tls1 as a command line flag. Check here for the way to do that, depending on your OS:
http://www.chromium.org/for-te... [chromium.org]
Chrome and disabling SSLv3 (Score:4, Informative)
Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced", but they aren't anymore. Not even available under about:flags.
Still available, but more hidden:
Chrome users that just want to get rid of SSLv3 can use the command line flag --ssl-version-min=tls1 to do so. (We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.)
https://www.imperialviolet.org/2014/10/14/poodle.html
Re: (Score:3)
And this, ladies and gentlemen, is why security is so hard. You have this chaotic ape in front of the keyboard making a mess of everything. Now excuse while I go fetch me a banana.
Er, they mentioned that (Score:3)
From agl: [imperialviolet.org]
"Chrome Users Dumbed Down" might have been a more apt title.
Re: (Score:2)
"User dumb" covers the situation much more succinctly.
Re: (Score:2)
Fuck It (Score:4, Informative)
I have a million other things to deal with.
I'll just run my shit against https://www.ssllabs.com/ssltes... [ssllabs.com] in a month and do what it tells me to.
How legacy is legacy? (Score:4, Interesting)
The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore. I'm sure there's some special cases of embedded systems out there that rely on SSL3 only, but that's a small minority.
So the question to me is, what would break if you disabled SSL3? Breaking the web for IE6 users happened a long, long time ago.
Re: (Score:3)
If you absolutely have to use IE6, go to Internet Options' Advanced tab and check TLS 1.0 and while you are at it uncheck SSL 2.0. But of course the preferred solution is to upgrade and while you are at it please also update to XP SP3 if you haven't already. There is no WGA check in WinXP service pack in general, despite such misconceptions.
Re: (Score:3)
Wait... I can't use Netscape Communicator anymore?
FOR SHAME.
Re: (Score:2)
According to the summary, this isn't about browsers, it's about servers - the browsers choose to fall back to SSL3 to cope with broken servers.
If we stop supporting SSL3, then the browsers won't be able to speak to those old broken servers...
Re: (Score:3)
According to the summary, this isn't about browsers, it's about servers - the browsers choose to fall back to SSL3 to cope with broken servers.
Intentionally bypassing downgrade attack protection built into SSL to "cope" with broken servers is 100000% a browser defect. There is no possible excuse for this nonsense in 2014.
Re: (Score:2)
I think you missed my point. The point was about the implications of removing SSL3 from the server side. Many times you can't just simply change something on a webserver to fix one browser without breaking another.
In this case, the effects seem to be minimal, and would only break IE6. That's not a problem in 2014, but would have been a major problem if this was discovered in 2007.
Re: (Score:3)
The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore.
I'm scared now... tested using old w2k image IE version 6.0.2800.1106 - TLSv1 amazingly works just fine with IE6 using RC4-SHA cipher, forcing AES was no-go.
When compatibility issues are raised, always insist people name names; too much of this space is ruled by legend passed down throughout the ages and unhealthy doses of hearsay.
Everyone saying "there are servers" or "there are clients" please name names and versions.
SSLv3 and TLS1.0 are very similar (Score:1)
There's a very high chance that in the very near future, the majority of websites you visit are going to refuse SSLv3.
Been listening to a bridge call with Akamai. They're disabling SSLv3, TLS1.0, and TLS1.1 on their network as I type this.
Some major websites have already disabled SSLv3 on their own (i.e. not waiting for the CDNs to do it).
Akamai carries 30%-40% of the web traffic (globally). Their 'About' page says 30% but they were saying 40% at the conference last week.
FWIW, White Hats are reporting live
Re: (Score:2)
Yes, it's possible for IE6 to use TLS 1.0. But it's not enabled by default. Since it's not on by default, it'll essentially be broken when users visit a site with SSL 3 disabled.
I don't have an old IE6 machine to check myself, but I've found several references that say it's not on.
https://news.ycombinator.com/i... [ycombinator.com]
Don't use plaintext (Score:5, Funny)
Re: (Score:1)
subject (Score:1)
If it doesn't support TLS 1, it isn't worth supporting.
Stuck between a rock and noplace (Score:2)
Does anyone know what exactly "many clients implement a protocol downgrade dance" means? ... never heard of this ever... who exactly is doing this and what the hell are they thinking?
Screw this TLS_FALLBACK_SCSV bullshit it's 2014 cut the music and send the dancers home.
Re: (Score:1)
Some servers don't handle TLS version numbers at all, and typically just reject the connection instead of advertising to the connecting client that they can support SSL3, TLS1.0 and TLS1.1 but not TLS1.2. So when the client tries to connect with TLS1.2, they are disconnected, so the client tries to connect with TLS1.1 and is successful.
The problem comes in when the client tries to connect with TLS1.1 and Mr. MITM causes the connection to fail. Then it tries to connect with TLS1.0 and Mr. MITM causes the c
Re: (Score:2)
Some servers don't handle TLS version numbers at all, and typically just reject the connection instead of advertising to the connecting client that they can support SSL3, TLS1.0 and TLS1.1 but not TLS1.2. So when the client tries to connect with TLS1.2, they are disconnected, so the client tries to connect with TLS1.1 and is successful.
Please I'm begging for names... name names and versions... Who is supporting 1.1 AND doing this?
This SCSV thing adds a flag to each side to say "but I'm only using this protocol because you didn't like the other protocol" and for the server to say "but you never asked me?"
Isn't it easier to fix existing implementations rather than inventing new capability negotiation schemes, writing the code and deploying? Is anyone sure extra flags won't cause new compatibility problems?
If everyone is shutting down SSL 3 anyway as seems to be the case... what then is the remaining intersection of TLS 1+ capable servers and clients still not supporting version negotiation? Please anyone who kn
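The retry loop and the TLS_FALLBACK_SCSV check discussed in the summary and in the comments above, as an added toy model (not part of the original thread, and not code from Google or any browser). It speaks no real TLS; the `Server` class, `connect` function and `attacker_drops` set are hypothetical names, and the cipher suite and alert values are the ones later standardized in RFC 7507.

```python
# Added illustration: a toy model of the browser fallback "dance" and the
# TLS_FALLBACK_SCSV check. No real TLS is spoken; all names are hypothetical.
from dataclasses import dataclass

VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # oldest to newest
TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86      # fatal alert the server answers with


@dataclass
class Server:
    max_version: str = "TLS 1.2"
    honors_scsv: bool = True

    def hello(self, client_version, cipher_suites):
        """Return ('ok', negotiated_version) or ('alert', code)."""
        downgraded = VERSIONS.index(client_version) < VERSIONS.index(self.max_version)
        # Server-side rule: SCSV present + server could do better => refuse.
        if self.honors_scsv and TLS_FALLBACK_SCSV in cipher_suites and downgraded:
            return ("alert", INAPPROPRIATE_FALLBACK)
        negotiated = min(client_version, self.max_version, key=VERSIONS.index)
        return ("ok", negotiated)


def connect(server, attacker_drops, client_sends_scsv):
    """Client retry loop, newest version first.

    attacker_drops: versions whose handshake never completes (constructed
    scenario). To the client, a network attacker killing the connection and
    a version-intolerant server look the same.
    """
    for attempt, version in enumerate(reversed(VERSIONS)):
        suites = [0x002F]                      # TLS_RSA_WITH_AES_128_CBC_SHA
        if client_sends_scsv and attempt > 0:  # added only on fallback retries
            suites.append(TLS_FALLBACK_SCSV)
        if version in attacker_drops:
            continue                           # handshake failed, retry lower
        status, detail = server.hello(version, suites)
        if status == "alert":
            return f"aborted: alert {detail} at {version}"
        return f"connected: {detail}"
    return "failed: no version got through"
```

With `attacker_drops={"TLS 1.2", "TLS 1.1", "TLS 1.0"}` the client lands on SSL 3.0 unless both sides implement the signal, while a server that really tops out at TLS 1.0 still connects because the fallback was appropriate.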
Re:Stuck between a rock and noplace (Score:5, Informative)
The paper explains it.
It is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions. Unfortunately those failed negotiations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.
Re: (Score:2)
It is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions. Unfortunately those failed negotiations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.
There has got to be a better solution for clients in 2014 that does not involve leaving users vulnerable to downgrade attack.
Why can't browser vendors provide users with an option to enable "dancing" and not have it enabled by default?
I love backwards compatibility but the cost to overwhelming majority of people who don't have old vulnerability ridden gear to manage via SSL is way too high in 2014.
Re: (Score:3)
Firefox already mitigates the attack to some degree. If the connection started out at TLS 1.2 or 1.1 then it could not be downgraded to SSL3 because the code allowing that was removed sometime ago.
This does not make any sense. A mitigation that does not work is not worth anything.
Easiest way in Firefox to prevent a connection downgrade to SSL3 is to set "security.tls.version.min" to 1 in the about:config page. This sets the minimum version of the encryption protocol to TLS 1.0
What good does that do when a future attack against TLS 1.0 succeeds and 1.2 users again find themselves being pulled down to 1.0?
Re: (Score:2)
Disabling SSLv3 does nothing for future attacks; but the other measures we are putting in place will.
The problem is non-standards-compliant behavior of web browsers willfully subverting downgrade attack prevention features baked into SSL/TLS standards.
The downgrade SCSV will let a server detect a downgrade attack, or incorrect version fallback.
This requires both servers and clients to support it and associated propagation throughout the world's server and client stacks to be at all effective. SCSV is not even an RFC.
Why leave people exposed in this manner? What good is TLS 1.2 deployment and fancy new AEAD ciphers when any yahoo can come along and force affected browsers to TLS v1... What is the
Re: (Score:2)
Can you link to the documentation for this? I'm too lazy to search for it right now. :)
Re: (Score:2)
The paper explains it.
Desperately looking for names and versions.
is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions.
Is this IOS? What versions?
Unfortunately those failed negotiations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.
Then why are the browser vendors saying they are going to disable SSL v3? If we're going to use SSLv3 as an excuse and that excuse is taken away ... what's left?
IE 10 (Score:1)
Re: (Score:1)
Depends on how you've configured it.
By default, SSLv3 is enabled.
Tools -> Internet Options -> Advanced -> Security
A little background; SSLv2 got kicked to the curb a few years ago when the exploit named BEAST (it's a kind of Man in the Middle attack) hit the internet.
BEAST created a big push to move to SSLv3
SSLv3 and TLS1.0 are very similar,
http://serverfault.com/questions/178561/what-are-the-exact-protocol-level-differences-between-ssl-and-tls
SSLv3 and TLS1.0 are going to have the same issues w.r.
Re: (Score:1)
Yes, if your client falls back to SSLv3.
Re: (Score:2)
Yes, if your client falls back to SSLv3.
Please don't confuse browser "dancing" behavior with SSL version negotiation. Clients and servers can support both SSL v3 and TLS 1.2 without danger of being suckered into SSL v3.
Akamai is blocking sslv3 starting now (Score:1)
Game on.
Akamai is now blocking sslv3 on their network.
A few hours ago, the plan was to do this next week.
Session keys are getting compromised in 32K guesses. 'Trivial' is the word they're using.
Less than 60 seconds worth of traffic is all it takes.
Which protocol is in use right now? (Score:2)
Can someone tell me how to get Firefox to say which protocol it's using for any given session? The Security tab has a Technical Details section that mentions "High-grade Encryption" and TLS, but it doesn't say which version of TLS.
How to disable SSL3 in Firefox (Score:2)
Easiest, one-click way to remove vulnerable SSL3 support from Firefox, while still allowing Mozilla to automatically enforce even safer defaults in future updates:
the SSL Version Control add-on [mozilla.org].