Month: October 2014
Browser vendors scrapping SSLv3 in wake of poodle attack
With the latest finding from Google researchers , browser vendors are scrapping SSLv3 in wake of poodle attacks. For more information on poodle attack check this link https://www.technix.in/sslv3-poodle-attack/.
Officials at mozilla has confirmed in a blog post that only 0.3% of https connection with Firefox uses SSLv3. They are planning to remove fully SSLv3 in the upcoming release of Firefox 34 and is expected to be released by November 25. The code to disable it is landing to in the nightly releases. And as an additional precaution, Firefox35 will support a generic TLS downgrade mechanism known as SCSV. if this is supported by the server, it prevents attacks that rely on insecure fallback.
Google security officials said that Chrome has supported the SCSV mechanism since February, but warned that disabling SSLv3 will cause problems for site owners who still support the protocol.
“Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks,” said Bodo Möller, one of the Google researchers who developed the attack.
“Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly.”
Microsoft issued an advisory about the POODLE attack on Tuesday but didn’t announce any specific plans for disabling the protocol in Windows or Internet Explorer. IE 6, an ancient version of the company’s browser, is the only major browser that doesn’t support anything newer than SSLv3.
“This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers,” Microsoft’s advisory says.
SSLv3 – Poodle Attack
Researchers at Google has discover a new attack on the SSLv3 protocol, which takes advantage of an issue with the protocol that enables a network attacker to recover the plain text communications of the victim.
The attack is known as POODLE. The technique takes advantage of the fact that when a secure communication attempts fails, servers will fall back to older protocols such as SSLv3, in an attempt to continue communication with the remote client/server. An attacker who can trigger a connection failure can then force the use of SSLv3 and attempt the attack.
The easiest fix for the attack is to disable SSLv3, but that has compatibility implications for browsers especially older ones. Recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevent attackers from inducing browsers to use SSLv3. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0.
This new attacks affects a wide range of software, including OpenSSL.
Firefox is planning to turn of SSLv3. As per firefox updates there is only 0.3% of https uses SSLv3. An SSLv3 will be disabled by default in Firefox34 which is expected to release on Nov 25.