SSL Poodle
Gavriliţă Cristian, Cebanu Ghenadie
Contents
• History
• Vulnerability description
• Example
• Remedies
• Bibliography
History
• "Padding Oracle On Downgraded Legacy Encryption"
• CVE-2014-3556
• September 2014
• Bodo Möller, Thai Duong, Krzysztof Kotowicz
• Google Security Team
Vulnerability Description
• It is not an implementation vulnerability
• It is a design vulnerability
• SSLv3 is affected when a CBC-mode cipher suite is used
Attack conditions
• The padding fills a whole block (encrypted as C_n).
• The first still-unknown byte of the cookie appears as the last byte of an earlier block (encrypted as C_j).
Core Point
• SSL 3.0 is defined as ignoring the padding bytes (except the last one, the length byte). These bytes are not covered by the MAC and have no defined value.
• TLS 1.0 is not vulnerable because in TLS 1.0, the protocol specifies that all padding bytes must have the same value, and libraries implementing TLS verify that these bytes have the expected values.
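The two padding rules from the "Attack conditions" and "Core Point" slides, side by side, as an added example written for this page (not code from the slides). Only the check on an already-decrypted final block is modelled, with 8-byte blocks so the rates match the 2^-8 and 2^-64 figures in the conclusions.

```python
# Added example: SSL 3.0 vs TLS 1.0 padding checks on a decrypted final
# block. Written for this page; not taken from the slides or any library.
import random

BLOCK = 8  # block size of an 8-byte block cipher such as 3DES


def sslv3_padding_ok(plain_block: bytes) -> bool:
    """SSL 3.0: only the final length byte is examined; the padding bytes
    before it have no defined value and are not covered by the MAC."""
    pad_len = plain_block[-1]
    return pad_len < BLOCK


def tls10_padding_ok(plain_block: bytes) -> bool:
    """TLS 1.0: every padding byte must equal the length byte
    (single-block model; TLS padding may in general span more)."""
    pad_len = plain_block[-1]
    if pad_len >= BLOCK:
        return False
    return all(b == pad_len for b in plain_block[BLOCK - 1 - pad_len:])


def record_accepted(plain_block: bytes, padding_ok) -> bool:
    """Acceptance of a record whose genuine padding filled the whole block.

    If the length byte is anything but BLOCK-1 the receiver strips the wrong
    amount, reads the MAC from the wrong offset and rejects the record, so
    the record survives only when the length byte is BLOCK-1 and the
    version's padding rule holds for the rest of the block."""
    return padding_ok(plain_block) and plain_block[-1] == BLOCK - 1


def acceptance_rate(padding_ok, trials=200_000, seed=1) -> float:
    """Fraction of random final blocks accepted: what a receiver sees when
    the last ciphertext block has been replaced by some other block."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        block = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        hits += record_accepted(block, padding_ok)
    return hits / trials


if __name__ == "__main__":
    print("SSL 3.0 acceptance rate:", acceptance_rate(sslv3_padding_ok))  # about 1/256
    print("TLS 1.0 acceptance rate:", acceptance_rate(tls10_padding_ok))  # 0 in practice
```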
CBC encryption
CBC decryption
Practical attack
• The main, and almost the only, plausible scenario where these conditions are met is a Web context: the attacker runs a fake WiFi access point and injects some JavaScript of their own into a Web page (HTTP, not HTTPS) that the victim browses. The injected JavaScript makes the browser send requests to an HTTPS site (say, a bank's Web site) for which the victim's browser holds a cookie. The attacker wants that cookie.
Remedies (Client side)
• Firefox users can type about:config into the address bar and then security.tls.version.min into the search box. This brings up the setting, which needs to be changed from 0 to 1.
Remedies (Client side)
• On Chrome you can add the command line flag --ssl-version-min=tls1
Remedies (Client side)
• Fixing Internet Explorer is also easy: go to Settings, Internet Options, and click the Advanced tab. Scroll down until you see the Use SSL 3.0 checkbox and uncheck it.
Remedies (Server side)
• Nginx
– ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
– sudo nginx -t
– sudo service nginx restart
Remedies (Server side)
• Windows (Schannel registry key): HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Remedies (Server side)
• Apache
– SSLProtocol All -SSLv2 -SSLv3
– apachectl configtest
– sudo service apache2 restart
TLS_FALLBACK_SCSV
• TLS_FALLBACK_SCSV
• inappropriate_fallback
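A model of the RFC 7507 downgrade check named on this slide, as an added example written for this page (not code from the slides or from any TLS library). Versions are (major, minor) pairs as on the wire; the handshake is reduced to the fields the check needs, and the two cipher-suite values are the ones RFC 7507 and RFC 5246 assign.

```python
# Added example: server-side TLS_FALLBACK_SCSV handling and a browser-style
# fallback loop. Written for this page; not taken from the slides or a library.
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
TLS_FALLBACK_SCSV = 0x5600      # cipher-suite value reserved by RFC 7507
INAPPROPRIATE_FALLBACK = 86     # alert "inappropriate_fallback"
PROTOCOL_VERSION = 70           # alert "protocol_version"
AES128_SHA = 0x002F             # an ordinary suite, only here to fill the list


def server_hello(client_version, cipher_suites, server_max=TLS12, server_min=SSL30):
    """Server side of the check: ('alert', code) or ('ok', negotiated version)."""
    if client_version < server_min:
        return ("alert", PROTOCOL_VERSION)
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        # The client says it is retrying at a lower version, yet this server
        # would have accepted a higher one: the earlier failure did not come
        # from us, so the downgrade is refused instead of silently allowed.
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("ok", min(client_version, server_max))


def client_with_fallback(versions, send_scsv, handshake_survives, server_max=TLS12):
    """Browser-style retry loop: try the highest version, step down on failure.

    handshake_survives(version) models whether a ClientHello at that version
    gets any answer (a version-intolerant server or a hostile path can make
    it fail). Returns the negotiated version, or None.
    """
    for attempt, version in enumerate(versions):
        suites = [AES128_SHA]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)   # mark this hello as a downgrade retry
        if not handshake_survives(version):
            continue                           # no answer: fall back one step
        status, value = server_hello(version, suites, server_max=server_max)
        return value if status == "ok" else None  # an alert ends the attempt
    return None


BROWSER_ORDER = [TLS12, TLS11, TLS10, SSL30]
```

Without the SCSV a path that answers only SSL 3.0 hellos silently lands the connection on SSL 3.0; with it the server aborts, while a legacy TLS 1.0-only server still negotiates normally.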
SSL3 protocol check in the top 20 banks
• 2 weeks after the announcement of the SSL Poodle vulnerability
• http://www.ssllabs.com/
• From the 20 analyzed banks:
– 15 had not disabled SSL3;
– 2 used only SSL3;
– 3 disabled SSL3 completely;
– 2 disabled SSL3 only for individual customers;
www.info.uaic.ro
Conclusions
• SSLv3: a tampered record passes the padding check with probability 1/256 (2^-8)
• TLS: 1/18446744073709551616 (2^-64)
Bibliography
• [1] This Poodle Bites: Exploiting the SSL 3.0 Fallback, Bodo Möller, Thai Duong, Krzysztof Kotowicz, Google, September 2014
• [2] SSL V3 goes to the dogs - Poodle kills off protocol, https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
• [3] http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability
• [4] http://habrahabr.ru/company/mailru/blog/241113/
• [5] http://habrahabr.ru/company/first/blog/242493/
• [6] https://support.microsoft.com/kb/187498/en-us