Slashdot Mirror


Google Finds Vulnerability In SSL 3.0 Web Encryption

AlbanX sends word that security researchers from Google have published details on a vulnerability in SSL 3.0 that can allow an attacker to calculate the plaintext of encrypted communications. Google's Bodo Moller writes, "SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response (PDF) is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks."


  1. Chrome Dumbed Down by brunes69 · · Score: 4, Interesting

    Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced", but they aren't anymore. Not even available under about:flags.

    1. Re:Chrome Dumbed Down by complete+loony · · Score: 1, Interesting

      Tick this box to break the internet? Those kinds of options just cause user frustration. Security should not be optional.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    2. Re:Chrome Dumbed Down by Anonymous Coward · · Score: 2, Insightful

      I'm confused, are you advocating security or compatibility?

    3. Re:Chrome Dumbed Down by Famak1994 · · Score: 1

      In the early days of Chrome I was a die hard fan due to simplicity and security over aesthetics...

      Not so much anymore.

      Which begs the question, why do they even bother to find these bugs?

      I mean the last straw for me was making the scrollbar microscopic. Did they ever stop to think that I'd rather use a scrollbar to jump back and forth on a page rather than swiping my fingers?

    4. Re:Chrome Dumbed Down by XXeR · · Score: 3, Informative

      Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced", but they aren't anymore. Not even available under about:flags.

      Add --ssl-version-min=tls1 as a command line flag. Check here for the way to do that, depending on your OS:

      http://www.chromium.org/for-te...

    5. Re:Chrome Dumbed Down by Anonymous Coward · · Score: 2, Insightful

      But the point is that "making your software secure out of the box" would mean making it fail to work with lots of existing websites. So are you suggesting, instead of giving the user a button to "break the web", just to permanently "break" it for them?

      Most users don't tend to appreciate that sort of thing, which is basically the entire problem of web security in a nutshell.

    6. Re:Chrome Dumbed Down by complete+loony · · Score: 1, Insightful

      In this case, the new browser software version will break any server that only supports SSL3.0. When practically every user fails to connect to your server, including your own people, you know you have a problem to fix. Creating some work for web site owners in the interest of their own security.

      I'm saying that if you gave the users the option of breaking some of the web, some small percentage of users would do it without understanding the consequences. This creates a situation that is much harder to deal with. If users report the problem to web site owners, or browser vendors, tracing the source of the problem is more difficult.

      This is the same reason that Firefox no longer has a prominent option to disable Javascript. Users would disable it, then complain that web sites don't work without telling anyone that they had changed anything. The cost of supporting that option was too high.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    7. Re:Chrome Dumbed Down by The+Ickle+Jones · · Score: 2

      Yeah, get rid of every feature so the willfully ignorant don't misuse them. Then you're left with garbage.

    8. Re:Chrome Dumbed Down by Teresita · · Score: 1

      What drives me nuts is the low contrast in the scrollbar, I can barely see where the "elevator" is so I can grab it. Damn kids these days...

    9. Re:Chrome Dumbed Down by Velox_SwiftFox · · Score: 1

      My company just banned Chrome anyway, because in the Nov. 7 version it will be reporting that there are errors with the 85% of HTTPS sites that don't use SHA-256 certificates.

    10. Re:Chrome Dumbed Down by brunes69 · · Score: 4, Insightful

      In this case, Security is indeed not optional, since you have no option to have it whatsoever - you are handing all your security over to Chrome and the website operator's good intentions.

    11. Re:Chrome Dumbed Down by Fwipp · · Score: 4, Funny

      But you don't even use a mouse!

    12. Re:Chrome Dumbed Down by jader3rd · · Score: 1

      When practically every user fails to connect to your server, including your own people, you know you have a problem to fix. Creating some work for web site owners in the interest of their own security.

      In the real world, when a user updates his browser, and then can't access websites that he could access yesterday, he doesn't plow on ahead, knowing that he's forcing some admin to make updates to their webserver, he rolls back the update, and then probably picks a new browser.

    13. Re:Chrome Dumbed Down by SeaFox · · Score: 2

      Tick this box to break the internet? Those kinds of options just cause user frustration. Security should not be optional.

      How about those users not mess around with checkboxes if they don't know what they're doing to start with, leaving them for those people who do.
      That's the whole point of segregating settings into "basic" and "advanced" sections.

      This pandering-to-the-morons thing is starting to put all of us at risk.

    14. Re:Chrome Dumbed Down by KingMotley · · Score: 1

      Yes. Because it will work on 90% of the websites the user uses, he will likely understand it's not his browser problem, it is a problem with the website in question. The browser should not indicate a secure connection to the website if the browser knows that the connection is in fact not secure. Seems pretty self evident.

  2. Fuck It by sexconker · · Score: 3, Informative

    I have a million other things to deal with.
    I'll just run my shit against https://www.ssllabs.com/ssltes... in a month and do what it tells me to.

  3. How legacy is legacy? by Vellmont · · Score: 3, Interesting

    The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore. I'm sure there's some special cases of embedded systems out there that rely on SSL3 only, but that's a small minority.

    So the question to me is, what would break if you disabled SSL3? Breaking the web for IE6 users happened a long, long time ago.

    --
    AccountKiller
    1. Re:How legacy is legacy? by yuhong · · Score: 2

      If you absolutely have to use IE6, go to Internet Options's Advanced tab and check TLS 1.0 and while you are at it uncheck SSL 2.0. But of course the preferred solution is to upgrade and while you are at it please also update to XP SP3 if you haven't already. There is no WGA check in WinXP service pack in general, despite such misconceptions.

    2. Re:How legacy is legacy? by MachineShedFred · · Score: 2

      Wait... I can't use Netscape Communicator anymore?

      FOR SHAME.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    3. Re:How legacy is legacy? by stoborrobots · · Score: 1

      According to the summary, this isn't about browsers, it's about servers - the browsers choose to fall back to SSL3 to cope with broken servers.

      If we stop supporting SSL3, then the browsers won't be able to speak to those old broken servers...

    4. Re:How legacy is legacy? by WaffleMonster · · Score: 2

      According to the summary, this isn't about browsers, it's about servers - the browsers choose to fall back to SSL3 to cope with broken servers.

      Intentionally bypassing downgrade attack protection built into SSL to "cope" with broken servers is 100000% a browser defect. There is no possible excuse for this nonsense in 2014.

    5. Re:How legacy is legacy? by WaffleMonster · · Score: 2

      The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore.

      I'm scared now... tested using old w2k image IE version 6.0.2800.1106 - TLSv1 amazingly works just fine with IE6 using RC4-SHA cipher, forcing AES was no-go.

      When compatibility issues are raised, always insist people name names; too much of this space is ruled by legend passed down throughout the ages and unhealthy doses of hearsay.

      Everyone saying "there are servers" or "there are clients" please name names and versions.

    6. Re:How legacy is legacy? by Vellmont · · Score: 1

      I think you missed my point. The point was about the implications of removing SSL3 from the server side. Many times you can't just simply change something on a webserver to fix one browser without breaking another.

      In this case, the effects seem to be minimal, and would only break IE6. That's not a problem in 2014, but would have been a major problem if this was discovered in 2007.

      --
      AccountKiller
    7. Re:How legacy is legacy? by Vellmont · · Score: 1

      Yes, it's possible for IE6 to use TLS 1.0. But it's not enabled by default. Since it's not on by default, it'll essentially be broken when users visit a site with SSL 3 disabled.

      I don't have an old IE6 machine to check myself, but I've found several references that say it's not on.

      https://news.ycombinator.com/i...

      --
      AccountKiller
  4. Don't use plaintext by NotQuiteReal · · Score: 4, Funny

    Become a sesquipedalian - use fancy fonts, Bold, ALL CAPS, whatever it takes to be plaintext free!

    --
    This issue is a bit more complicated than you think.
    1. Re:Don't use plaintext by Anonymous Coward · · Score: 1

      If you make your text Comic Sans MS it will look so dreadful, nobody would want to read it, hence more secure.

  5. subject by Anonymous Coward · · Score: 1

    If it doesn't support TLS 1, it isn't worth supporting.

  6. Chrome and disabling SSLv3 by Anonymous Coward · · Score: 4, Informative

    Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced", but they aren't anymore. Not even available under about:flags.

    Still available, but more hidden:

    Chrome users that just want to get rid of SSLv3 can use the command line flag --ssl-version-min=tls1 to do so. (We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.)

    https://www.imperialviolet.org/2014/10/14/poodle.html

    1. Re:Chrome and disabling SSLv3 by rmstar · · Score: 2

      "We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter."

      And this, ladies and gentlemen, is why security is so hard. You have this chaotic ape in front of the keyboard making a mess of everything. Now excuse me while I go fetch me a banana.

  7. Stuck between a rock and noplace by WaffleMonster · · Score: 1

    Does anyone know what exactly "many clients implement a protocol downgrade dance" means? ... never heard of this ever... who exactly is doing this and what the hell are they thinking?

    Screw this TLS_FALLBACK_SCSV bullshit it's 2014 cut the music and send the dancers home.

    1. Re:Stuck between a rock and noplace by Anonymous Coward · · Score: 1

      Some servers don't handle TLS version numbers at all, and typically just reject the connection instead of advertising to the connecting client that they can support SSL3, TLS1.0 and TLS1.1 but not TLS1.2. So when the client tries to connect with TLS1.2, they are disconnected, so the client tries to connect with TLS1.1 and is successful.

      The problem comes in when the client tries to connect with TLS1.1 and Mr. MITM causes the connection to fail. Then it tries to connect with TLS1.0 and Mr. MITM causes the connection to fail. Then it tries to connect with SSL3 and Mr. MITM lets the connection through because Mr. MITM can read SSL3 traffic.

      This SCSV thing adds a flag to each side to say "but I'm only using this protocol because you didn't like the other protocol" and for the server to say "but you never asked me?"

      BTW, the core reason for all of this was because the pre-TLS browsers absolutely shit themselves over TLS1.0 advertisements, and because browser makers are absolute fuckers, rather than popping up a window saying "This site uses encryption I can't handle, upgrade now? [Yes] [Yes]" it popped up a window saying "this site is shit and you're shit for wanting to look at it." so the server admins shut it off, because what were they going to do, put a page on their site saying "You can only read this page with the list of supported browser versions if you have a supported browser"?
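
The retry behaviour described in the summary and in the comment above, together with the server-side TLS_FALLBACK_SCSV check, as an added example that is not part of any comment in this thread. It models only the version logic (no sockets, no cryptography); `Server`, `connect` and the `lost` parameter are hypothetical names, and the SCSV value 0x5600 and alert code 86 are taken from the TLS_FALLBACK_SCSV specification rather than from this page.

```python
# Added illustration: models only the version/fallback logic of the handshake.
# No real TLS, sockets or cryptography; all names here are hypothetical.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value
INAPPROPRIATE_FALLBACK = 86       # fatal alert sent when a fallback is refused
CBC_SUITE = 0x002F                # TLS_RSA_WITH_AES_128_CBC_SHA


class Server:
    def __init__(self, versions, honours_scsv, intolerant=False):
        self.versions = set(versions)
        self.honours_scsv = honours_scsv
        self.intolerant = intolerant   # buggy: closes on versions it doesn't know

    def hello(self, client_version, suites):
        """Return ('ok', version), ('alert', code) or ('closed', None)."""
        best = max(self.versions)
        if self.intolerant and client_version > best:
            return ("closed", None)
        # The SCSV check: the client says it is retrying at a lower version,
        # yet this server could have spoken a higher one.
        if self.honours_scsv and TLS_FALLBACK_SCSV in suites and best > client_version:
            return ("alert", INAPPROPRIATE_FALLBACK)
        usable = [v for v in self.versions if v <= client_version]
        if not usable:
            return ("closed", None)
        return ("ok", max(usable))


def connect(server, client_versions, send_scsv, lost=frozenset()):
    """Browser-style retry loop (the "downgrade dance").

    `lost` is the set of versions whose attempt never completes, whether from
    a flaky network or from someone on the path. Returns (version, log);
    version is None when no connection is made.
    """
    highest = max(client_versions)
    log = []
    for version in sorted(client_versions, reverse=True):
        suites = [CBC_SUITE]
        if send_scsv and version < highest:
            suites.append(TLS_FALLBACK_SCSV)   # only on fallback retries
        if version in lost:
            log.append((version, "lost"))
            continue
        status, value = server.hello(version, suites)
        log.append((version, status))
        if status == "ok":
            return value, log
        if (status, value) == ("alert", INAPPROPRIATE_FALLBACK):
            break                              # fatal: do not retry lower
    return None, log


ALL = [SSL3, TLS10, TLS11, TLS12]
modern = Server(ALL, honours_scsv=True)
legacy = Server([SSL3, TLS10], honours_scsv=False, intolerant=True)
interference = frozenset({TLS12, TLS11, TLS10})   # constructed scenario

if __name__ == "__main__":
    print(connect(modern, ALL, send_scsv=False))                     # TLS 1.2
    print(connect(modern, ALL, send_scsv=False, lost=interference))  # SSL 3.0
    print(connect(modern, ALL, send_scsv=True, lost=interference))   # refused
    print(connect(legacy, ALL, send_scsv=True))                      # TLS 1.0
```

The last case shows why the mechanism keeps compatibility: a server whose best version really is TLS 1.0 either ignores the unknown suite value or sees that no higher version was available, so the fallback connection still succeeds.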

    2. Re:Stuck between a rock and noplace by pathological+liar · · Score: 4, Informative

      The paper explains it.

      It is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions. Unfortunately those failed negotiations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

    3. Re:Stuck between a rock and noplace by WaffleMonster · · Score: 1

      It is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions. Unfortunately those failed negotiations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

      There has got to be a better solution for clients in 2014 that does not involve leaving users vulnerable to downgrade attack.

      Why can't browser vendors provide users with an option to enable "dancing" and not have it enabled by default?

      I love backwards compatibility but the cost to overwhelming majority of people who don't have old vulnerability ridden gear to manage via SSL is way too high in 2014.

    4. Re:Stuck between a rock and noplace by WaffleMonster · · Score: 2

      Firefox already mitigates the attack to some degree. If the connection started out at TLS 1.2 or 1.1 then it could not be downgraded to SSL3 because the code allowing that was removed sometime ago.

      This does not make any sense. A mitigation that does not work is not worth anything.

      Easiest way in Firefox to prevent a connection downgrade to SSL3 is to set "security.tls.version.min" to 1 in the about:config page. This sets the minimum version of the encryption protocol to TLS 1.0

      What good does that do when a future attack against TLS 1.0 succeeds and 1.2 users again find themselves being pulled down to 1.0?

    5. Re:Stuck between a rock and noplace by WaffleMonster · · Score: 1

      Some servers don't handle TLS version numbers at all, and typically just reject the connection instead of advertising to the connecting client that they can support SSL3, TLS1.0 and TLS1.1 but not TLS1.2. So when the client tries to connect with TLS1.2, they are disconnected, so the client tries to connect with TLS1.1 and is successful.

      Please I'm begging for names... name names and versions... Who is supporting 1.1 AND doing this?

      This SCSV thing adds a flag to each side to say "but I'm only using this protocol because you didn't like the other protocol" and for the server to say "but you never asked me?"

      Isn't it easier to fix existing implementations rather than inventing new capability negotiation schemes, writing the code and deploying? Is anyone sure extra flags won't cause new compatibility problems?

      If everyone is shutting down SSL 3 anyway as seems to be the case... what then is the remaining intersection of TLS 1+ capable servers and clients still not supporting version negotiation? Please anyone who knows I beg you to name names.

      BTW, the core reason for all of this was because the pre-TLS browsers absolutely shit themselves over TLS1.0 advertisements, and because browser makers are absolute fuckers, rather than popping up a window saying

      Please name names what browsers?

    6. Re:Stuck between a rock and noplace by WaffleMonster · · Score: 1

      The paper explains it.

      Desperately looking for names and versions.

      is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions.

      Is this IOS? What versions?

      Unfortunately those failed negotiations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

      Then why are the browser vendors saying they are going to disable SSL v3? If we're going to use SSLv3 as an excuse and that excuse is taken away ... what's left?

    7. Re:Stuck between a rock and noplace by Foresto · · Score: 1

      Can you link to the documentation for this? I'm too lazy to search for it right now. :)

    8. Re:Stuck between a rock and noplace by WaffleMonster · · Score: 1

      Disabling SSLv3 does nothing for future attacks; but the other measures we are putting in place will.

      The problem is non-standards-compliant behavior of web browsers willfully subverting downgrade attack prevention features baked into SSL/TLS standards.

      The downgrade SCSV will let a server detect a downgrade attack, or incorrect version fallback.

      This requires both servers and clients to support it and associated propagation throughout the world's server and client stacks to be at all effective. SCSV is not even an RFC.

      Why leave people exposed in this manner? What good is TLS 1.2 deployment and fancy new AEAD ciphers when any yahoo can come along and force affected browsers to TLS v1... What is the compatibility based reason for continuing this behavior when SSL v3 is being disabled in new browsers anyway? Please name names.

      As with many things, there is a balance to be struck. Disabling SSLv3 a year ago would have affected a lot of sites, including major commerce and banking sites, and it's not always an easy fix with aging infrastructure and long supply chains for equipment.

      What balance? What are the tradeoffs? Nobody seems to know. What is on the other side of the ledger to serve as a counterweight to allowing downgrade attacks to persist in 2014 and why does everyone need to bear that risk by DEFAULT?

  8. Er, they mentioned that by pathological+liar · · Score: 2

    From agl:

    We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.

    "Chrome Users Dumbed Down" might have been a more apt title.

    1. Re:Er, they mentioned that by KozmoStevnNaut · · Score: 1

      "User dumb" covers the situation much more succinctly.

      --
      Eat the rich.
  9. IE 10 by shgvietnam9593 · · Score: 1

    I am using IE10, it has effect?

    --
    www.shg.com.vn
    1. Re:IE 10 by Anonymous Coward · · Score: 1

      Depends on how you've configured it.

      By default, SSLv3 is enabled.

      Tools -> Internet Options -> Advanced -> Security

      A little background; SSLv2 got kicked to the curb a few years ago when the exploit named BEAST (it's a kind of Man in the Middle attack) hit the internet.

      BEAST created a big push to move to SSLv3

      SSLv3 and TLS1.0 are very similar,

      http://serverfault.com/questions/178561/what-are-the-exact-protocol-level-differences-between-ssl-and-tls

      SSLv3 and TLS1.0 are going to have the same issues w.r.t. these BEAST-like attacks.

      Try un-selecting the check boxes for anything other than TLS1.2. Some sites will not work. They'll kick up an error message. If you can't live with that behavior, start enabling the 'weaker' TLS1.1 version (in addition to TLS1.2).

      So sites (I'm looking at you outlook.com) will not work unless you enable TLS1.0 (or SSLv3 (of course, since it's so close to TLS1.0)).

  10. Akamai is blocking sslv3 starting now by Anonymous Coward · · Score: 1

    Game on.

    Akamai is now blocking sslv3 on their network.

    A few hours ago, the plan was to do this next week.

    Session keys are getting compromised in 32K guesses. 'Trivial' is the word they're using.

    Less than 60 seconds worth of traffic is all it takes.

  11. Re:POP/IMAP/SMTP? by Anonymous Coward · · Score: 1

    Yes, if your client falls back to SSLv3.

  12. SSLv3 and TLS1.0 are very similar by Anonymous Coward · · Score: 1

    There's a very high chance that in the very near future, the majority of websites you visit are going to refuse SSLv3.

    Been listening to a bridge call with Akamai. They're disabling SSLv3, TLS1.0, and TLS1.1 on their network as I type this.

    Some major websites have already disabled SSLv3 on their own (i.e. not waiting for the CDNs to do it).

    Akamai carries 30%-40% of the web traffic (globally). Their 'About' page says 30% but they were saying 40% at the conference last week.

    FWIW, White Hats are reporting live exploits. They're using the word 'trivial'. It takes less than 60 seconds of traffic to bust a session.

  13. Re:POP/IMAP/SMTP? by WaffleMonster · · Score: 1

    Yes, if your client falls back to SSLv3.

    Please don't confuse browser "dancing" behavior with SSL version negotiation. Clients and servers can support both SSL v3 and TLS 1.2 without danger of being suckered into SSL v3.

  14. Which protocol is in use right now? by Foresto · · Score: 1

    Can someone tell me how to get Firefox to say which protocol it's using for any given session? The Security tab has a Technical Details section that mentions "High-grade Encryption" and TLS, but it doesn't say which version of TLS.

  15. How to disable SSL3 in Firefox by Giorgio+Maone · · Score: 1

    Easiest, one-click way to remove vulnerable SSL3 support from Firefox, while still allowing Mozilla to automatically enforce even safer defaults in future updates:

    the SSL Version Control add-on.

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript