When you access high profile sites and services such as your bank, Twitter or Google you typically access sites using https:// or a feature called SSL (secure sockets layer) but a new security defect could break that open. SSL or TLS (Transport Layer Security) provides encryption to protect your information from being intercepted, spied upon or modified by attackers in between you and the service provider. This widely used technology is what prevents someone sat next you in Starbucks from watching your transactions as you access your Internet banking and is also frequently used when accessing your e-mail account to stop your username and password disappearing in to the hands of cyber criminals. Simply put SSL is a core component of security, privacy and trust on the Internet. Great though all that sounds unfortunately many sites still fail to adhere to best practice and many don’t implement these security features at all leaving information open to interception. Even those which do try to do the right thing can have significant setbacks due to implementation failures or security vulnerabilities. That is precisely what has happened with the new, cutely named, but very nasty POODLE vulnerability.
SSL has a number of different versions and which you support is important from a security standpoint. Backwards compatibility with older versions can get you in real trouble and you can see a wonderfully detailed breakout of the features of each version and timelines here. The POODLE vulnerability impacts SSL version 3 and under the right conditions would allow an attacker to gain access to information that would let them take over your account. For example, the flaw may enable an attacker to gain access to session tokens or credentials so they can hijack the identify of another user. The vulnerability, discovered by Google security researchers Thai Duong, Bodo Moller and Krzysztof Kotowiczis is fully outlined in this paper and makes interesting reading. Geeky bit: the attack is essentially an oracle padding attack in CBC (cipher block chaining which uses output of previous blocks as input to the next block processing to prevent duplicate blocks of data producing identical cipher text blocks) mode ciphers in SSLv3.
For the attack to work the attacker must be on the same wireless network (or in the path of your communications) and your client must be running Javascript (such as in a web browser) which makes the attack less all out serious than vulnerabilities like Heartbleed. This attack is effective against clients (as opposed to servers like with Heartbleed or Shellshocked) and so is of the greatest concern to users browsing on wireless hotspots where others may be listening but is sufficiently serious that Twitter has announced they have entirely disabled SSLv3.
<< What you should do >>
You may be able to force your browser to disable SSL version 3. The methods vary, but for example in Firefox you can type the special URL about:config and change the setting security.tls.version.min to 1:
Some browsers allow you to do this where others like Safari can pose quite a challenge. A more complete fix is on the way (for those that want to read more check out TLS_FALLBACK_SCSV) but for the moment disabling it is a good move. If you want to check if your browser is vulnerable you can try https://www.poodletest.com which shows you a trendy looking poodle if you are open to the attack. Using a VPN client to protect all your network traffic on open networks will also prevent attackers launching the attack (as long as it is not an SSL VPN that uses SSLv3).
If you are a business and host services there are steps you can take to prevent your users being attacked too. Users accessing your services from open wireless networks are the most at risk. To mitigate this risk you can simply disable SSLv3 in favour of more recent standards such as TLS1, 1.1 or 1.2. Unfortunately some platforms and operating systems do not support the more recent standards. Older versions of Internet Explorer (such as the one in the older, no longer supported but still regrettably widely used Windows XP) only support SSLv3 as is the case for numerous other apps and pieces of software. If you are in the position of using software that only supports these standards you should undoubtedly look at upgrading, not just because of this vulnerability but because that software most likely has other serious defects too. If you run a web server and want to make sure you have your transport security ducks in a row you can check out this guide or you can check how your site scores using this neat tool.
This defect certainly is not another Heartbleed (as undoubtedly it will shortly be dubbed) but it is a failure in widely used technology that is a key component of your security.
Reference:
POODLE Security Vulnerability Breaks SSLv3 Secure Browsing
http://www.forbes.com/sites/jameslyne/2014/10/15/poodle-security-vulnerability-breaks-sslv3-secure-browsing/
No comments:
Post a Comment