Announcement Announcement Module
Collapse
No announcement yet.
SSLv3/TLS Sniffer POODLE vulnarability Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • SSLv3/TLS Sniffer POODLE vulnarability

    Security researchers have discovered a vulnerability in SSL 3.0 that allows attackers to decrypt encrypted connections to websites. Miscreants can exploit a weakness in the protocol's design to grab victims' session cookies, which are used for logging into webmail and other online accounts over HTTPS.
    At present the method we're advising is to disable SSL 3.0 support by adding to the pre-main include file:
    echo "SSLProtocol ALL -SSLv2 -SSLv3" >> /usr/local/apache/conf/includes/pre_main_2.conf
    (then restart Apache).

    This does have the disadvantage of disabling SSL support entirely for some very old browsers (IE6 is the main one).
    You can test for this issue by running the following:
    openssl s_client -connect yourdomain.com:443 -ssl3
    If the site is vulnerable you’ll get the normal SSL handshake and certificate info with no errors.
    If the site is not vulnerable you’ll get a handshake failure error similar to the below:
    CONNECTED(00000003)
    28053:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
    28053:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:



    The attack is, we're told, easy to perform, and can be done on-the-fly using JavaScript – provided you can intercept the victim's packets, perhaps by setting up a malicious Wi-Fi point in a cafe or bar.
    SSL is supposed to encrypt your communications, such as your connection to your bank's website, so eavesdroppers can't steal or tamper with your sensitive information while it's in transit.
    Google revealed details of the design flaw on Tuesday, and dubbed it POODLE – short for Padding Oracle On Downgraded Legacy Encryption. It is a blunder within the blueprints of SSL 3.0 rather than a software bug, so it affects any product following the protocol – from Google Chrome and Mozilla Firefox to Microsoft Internet Explorer.
    Google security bod Bodo Möller explains that snoopers can trigger network faults to push web browsers into using SSL 3.0, an 18-year-old protocol that should have been binned long ago. Ideally, the browser should be using the superior encryption protocol TLS, which does not suffer from the POODLE shortcoming.
    Last edited by Jobinson; 15th October 2014, 03:52 PM.

  • #2
    Dear All Good day!

    For now we can go on with the following FIX on linux servers:

    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EE CDH+
    SSLHonorCipherOrder on


    The above shown lines can be added in '/usr/local/apache/conf/includes/pre_main_global.conf' and a restart needed to apache service.

    We are expecting an updated version of OpenSSL to be released tomorrow that includes TLS_FALLBACK_SCSV which will prevent the protocol downgrade except on legacy systems which are not compatible with the highest version available on the server.
    Once this becomes available (OpenSSL have released it but Redhat must patch their package which will then be passed on through CentOS and finally CloudLinux) we will upgrade all servers to use the patched version.

    Comment


    • #3
      Hey,

      As you know the fix that we've applied in Linux servers to get rid of from the POODLE attack is disabling SSL v3, but that may cause some issues with PayPal while we perform checkout, the error message look like;

      =====
      You may receive an error during checkout, like: "An error occurred when we tried to contact the payment processor. Please try again, select an alternate payment method, or contact the store owner for assistance. () - (35) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"
      =====

      the fix suggested by ZenCart forum is http://www.zen-cart.com/showthread.p...d-payment-secu

      Comment


      • #4
        Hello,

        To secure the server that is using Litespeed, we may need to upgrade the Litespeed version to 4.2.18. It is better to upgrade the LiteSpeed version to "4.2.18" as this will cover the fix for POODLE & SSLv3 vulnerability, please see https://twitter.com/lswsrelease/stat...03357462614016

        Update now: /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.18

        Comment


        • #5
          ohh.. that is a great info, but how can I check whether my server (with litespeed) is still under the threat of poodle?

          Comment

          Tag Cloud Tag Cloud Module
          Collapse
          Working...
          X