Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Finds Vulnerability In SSL 3.0 Web Encryption

Posted by Soulskill on from the another-day-another-vuln dept.

AlbanX sends word that security researchers from Google have published details on a vulnerability in SSL 3.0 that can allow an attacker to calculate the plaintext of encrypted communications. Google's Bodo Moller writes, SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response (PDF) is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

20 of 68 comments (clear)

  1. Chrome Dumbed Down by brunes69 · · Score: 4, Interesting

    Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced, but they aren't anymore. Not even available under about:flags.

    1. Re:Chrome Dumbed Down by Anonymous Coward · · Score: 2, Insightful

      I'm confused, are you advocating security or compatibility.

    2. Re:Chrome Dumbed Down by XXeR · · Score: 3, Informative

      Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced, but they aren't anymore. Not even available under about:flags.

      Add --ssl-version-min=tls1 as a command line flag. Check here for the way to do that, depending on your OS:

      http://www.chromium.org/for-te...

    3. Re:Chrome Dumbed Down by Anonymous Coward · · Score: 2, Insightful

      But the point is that "making your software secure out of the box" would mean making it fail to work with lots of existing websites. So are you suggesting, instead of giving the user a button to "break the web", just to permanently "break" it for them?

      Most users don't tend to appreciate that sort of thing, which is basically the entire problem of web security in a nutshell.

    4. Re:Chrome Dumbed Down by The+Ickle+Jones · · Score: 2

      Yeah, get rid of every feature so the willfully ignorant don't misuse them. Then you're left with garbage.

    5. Re:Chrome Dumbed Down by brunes69 · · Score: 4, Insightful

      In this case, Security is indeed not optional, since you have no option to have it whatsoever - you are handing all your security over to Chrome and the website operator's good intentions.

    6. Re:Chrome Dumbed Down by Fwipp · · Score: 4, Funny

      But you don't even use a mouse!

    7. Re:Chrome Dumbed Down by SeaFox · · Score: 2

      Tick this box to break the internet? Those kinds of options just cause user frustration. Security should not be optional.

      How about those users not mess around with checkboxes if they don't know what they're doing to start with, leaving them for those people who do.
      That's the whole point of segregating settings into "basic" and "advanced" sections.

      This pandering-to-the-morons thing is starting to put all of us at risk.

  2. Fuck It by sexconker · · Score: 3, Informative

    I have a million other things to deal with.
    I'll just run my shit against https://www.ssllabs.com/ssltes... in a month and do what it tells me to.

  3. How legacy is legacy? by Vellmont · · Score: 3, Interesting

    The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore. I'm sure there's some special cases of embedded systems out there that rely on SSL3 only, but that's a small minority.

    So the question to me is, what would break if you disabled SSL3? Breaking the web for IE6 users happened a long, long time ago.

    --
    AccountKiller
    1. Re:How legacy is legacy? by yuhong · · Score: 2

      If you absolutely have to use IE6, go to Internet Options's Advanced tab and check TLS 1.0 and while you are at it uncheck SSL 2.0. But of course the preferred solution is to upgrade and while you are it please also update to XP SP3 if you hasn't already. There is no WGA check in WinXP service pack in general, despite such misconceptions.

    2. Re:How legacy is legacy? by MachineShedFred · · Score: 2

      Wait... I can't use Netscape Communicator anymore?

      FOR SHAME.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    3. Re:How legacy is legacy? by WaffleMonster · · Score: 2

      According to the summary, this isn't about browsers, it's about servers - the browsers choose to fall back to SSL3 to cope with broken servers.

      Intentionally bypassing downgrade attack protection built into SSL to "cope" with broken servers is 100000% a browser defect. There is no possible excuse for this nonsense in 2014.

    4. Re:How legacy is legacy? by WaffleMonster · · Score: 2

      The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore.

      I'm scared now... tested using old w2k image IE version 6.0.2800.1106 - TLSv1 amazingly works just fine with IE6 using RC4-SHA cipher, forcing AES was no-go.

      When compatibility issues are raised always insist people name names too much of this space is ruled by legend passed down throughout the ages and unhealthy doses of hearsay.

      Everyone saying "there are servers" or "there are clients" please name names and versions.

  4. Don't use plaintext by NotQuiteReal · · Score: 4, Funny

    Become a sesquipedalian - use fancy fonts, Bold, ALL CAPS, whatever it takes to be plaintext free!

    --
    This issue is a bit more complicated than you think.
  5. Chrome and disabling SSLv3 by Anonymous Coward · · Score: 4, Informative

    Too bad Google removed the options to enable or disable SSL versions from Chrome some time ago, in an effort to further dumb down the browser. The options used to be under "advanced, but they aren't anymore. Not even available under about:flags.

    Still available, but more hidden:

    Chrome users that just want to get rid of SSLv3 can use the command line flag --ssl-version-min=tls1 to do so. (We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.)

    https://www.imperialviolet.org/2014/10/14/poodle.html

    1. Re:Chrome and disabling SSLv3 by rmstar · · Score: 2

      "We used to have an entry in the preferences for that but people thought that âoeSSL 3.0â was a higher version than âoeTLS 1.0â and would mistakenly disable the latter."

      And this, ladies and gentlemen, is why security is so hard. You have this chaotic ape in front of the keyboard making a mess of everything. Now excuse while I go fetch me a banana.

  6. Er, they mentioned that by pathological+liar · · Score: 2

    From agl:

    We used to have an entry in the preferences for that but people thought that “SSL 3.0” was a higher version than “TLS 1.0” and would mistakenly disable the latter.

    "Chrome Users Dumbed Down" might have been a more apt title.

  7. Re:Stuck between a rock and noplace by pathological+liar · · Score: 4, Informative

    The paper explains it.

    It is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions. Unfortunately those failed negotations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

  8. Re:Stuck between a rock and noplace by WaffleMonster · · Score: 2

    Firefox already mitigates the attack to some degree. If the connection started out at TLS 1.2 or 1.1 then it could not be downgraded to SSL3 because the code allowing that was removed sometime ago.

    This does not make any sense. A mitigation that does not work is not worth anything.

    Easiest way in Firefox to prevent a connection downgrade to SSL3 is to set "security.tls.version.min" to 1 in the about:config page. This sets the minimum version of the encryption protocol to TLS 1.0

    What good does that do when a future attack against TLS 1.0 succeeds and 1.2 users again find themselves being pulled down to 1.0?