October 15, 2014

By Norman Yue ( LinkedIn )

For those of you paying attention to mailing lists early last night, you may have noticed a curious email come through, regarding a “Truly scary” SSL3.0 vulnerability about to drop – and drop it did today.

The vulnerability, known as POODLE , allows attackers to partially decipher bits of plaintext, such as session cookies, in conjunction with a man-in-the-middle attack where an attacker can modify traffic. The really scary part (imo) is on Page 3 of the whitepaper:

The expected overall effort is 256 SSL 3.0 requests per byte.

This is amazingly low, meaning that depending on the circumstances of exploitation, your typical web app session cookie can be broken in minutes.

In the words of the researchers who discovered this issue, “there is no reasonable workaround”. That said, this isn’t a straightforward “patch now” issue. SSL3 support is often required to support older browsers, and we all know there’s plenty of organisations where browsers like IE6 are still in use.

We suggest you review your Internet-facing assets, configure the ones you can to not support SSLv3, and come up with a plan of action to address the ones you can’t. Similar to other SSL-based vulnerabilities as of late, it’s important to remember that this does not only affect your web server[s], though other services may be more or less difficult to exploit.

If you’re not sure if your services are vulnerable, you can try using SSL Labs , or for maximum irony, PoodleScan (it’s over HTTP).

For users, please stop using IE6.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *