SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)

Started by GeneC, October 16, 2014, 01:23:47 PM

GeneC

From the Linux Mint forums...
http://forums.linuxmint.com/viewtopic.php?f=17&t=180418


Quote
 
SSL 3.0 vulnerability a.k.a. "POODLE" (CVE-2014-3566)
Postby xenopeek on Wed Oct 15, 2014 3:59 am

News hitting the web today is that there is a vulnerability in SSL protocol version 3.0 (SSLv3), dubbed "POODLE". This post will provide you with a summary of need-to-know information and the Linux Mint team will update this post over time as needed.

UPDATE:
For users of Linux Mint 13 and Linux Mint 17 an update to OpenSSL will be shortly available. Details on Canonical Blog. The update to OpenSSL will make it so that a browser and a website will always use the latest encryption protocol they both support (known as "TLS_FALLBACK_SCSV"). This makes it so an attacker can't trick your browser and the website you visit to downgrade from using the modern and secure TLS to using the old and vulnerable SSLv3.

There are still websites that don't support TLS. As shared on the Canonical Blog this vulnerability needs action from the entire Internet, both browsers and websites need to be updated to remove support for SSLv3.

What is the vulnerability?
SSLv3 is a protocol for encrypting the connection between your browser and a website you visit so others can't see what data is sent over the connection. The vulnerability in SSLv3 would allow an attacker to break the encryption and see what data is sent over the connection. While SSLv3 is a very old protocol and hardly used today (reportedly used on less than 1% of the secure web connections, and less than 0.1% of all web connections), as it's been superseded by the TLS protocol, an attacker could trick your browser and the website you visit to downgrade from using the modern and secure TLS to using the old and vulnerable SSLv3.

How will the vulnerability be patched?
In short, the vulnerability in SSLv3 itself won't be patched but instead major browsers (like linked below) will drop support for SSLv3 in their next releases. This will effectively remove the vulnerability for users of those browsers. To mitigate attacks till those next releases arrive, a patch to OpenSSL will be done that dramatically reduces the risks from this vulnerability (see update above; browsers and websites that support TLS can then no longer be tricked by an attacker to use the old and vulnerable SSLv3).

Because the next releases of those browsers aren't arriving until weeks from now, various websites are already removing support for SSLv3 from their servers. Both the browser and the website need to support SSLv3 for the vulnerability to affect you, so websites removing this support removes the vulnerability for all their users immediately. As browsers are removing SSLv3 support, websites will have to follow anyway or else visitors to those websites won't be able to use an encrypted connection.

What can/should I do now?
For major browsers you can yourself disable the support for SSLv3, ahead of the next releases of those browsers. I recommend that you do so. Doing so will effectively remove the vulnerability for your browser immediately.

Firefox: Install Mozilla's SSL Version Control add-on. This will immediately drop support for SSLv3. Restart your browser afterwards to close any currently open SSL connections. With the release of Firefox 34 at end of November, you can remove this add-on again as Firefox 34 will not include SSLv3 support. (Alternatively, you can go to about:config and set the value of security.tls.version.min to 1. You don't need to install the add-on then.)
Chromium: You need to edit the launcher for Chromium to include the option "--ssl-version-min=tls1", which would disable SSLv3 support. You can do so by running the following command from the terminal:
sudo sed -ri 's/^(Exec=[^ ]*)(.*)$/\1 --ssl-version-min=tls1\2/' /usr/share/applications/chromium-browser.desktop
Google Chrome: You need to edit the launcher for Google Chrome to include the option "--ssl-version-min=tls1", which would disable SSLv3 support. You can do so by running the following command from the terminal:
sudo sed -ri 's/^(Exec=[^ ]*)(.*)$/\1 --ssl-version-min=tls1\2/' /usr/share/applications/google-chrome.desktop
Programs with embedded browsers, like email clients, may need to have SSLv3 support removed also.

Thunderbird: Click on the application button (icon on the right side of the menu bar) and click on Preferences in the menu that appears. Choose Advanced in the menu bar and on the General tab click on Config Editor. Search for security.tls.version.min and set its value to 1. Restart Thunderbird afterwards to close any currently open SSL connections.

How can I test whether my browser is (still) vulnerable?
You can test whether your browser is vulnerable by visiting https://www.poodletest.com/. Note that browsers may cache this website, so if you have visited it before applying one of the above changes please upon visiting the website again (and seeing the same result as before) press Ctrl+F5 to force the browser to bypass the cache.

Where can I find more information?
You can read Google's announcement for detailed information on the vulnerability and the plans for Google Chrome, or Mozilla's announcement for the plans for Firefox. There are many other websites giving information on this vulnerability. Various websites have already responded to the vulnerability and have disabled SSLv3 on their servers (like CloudFlare and FastMail).

Does this vulnerability only affect Linux?
No, this is a vulnerability in a common Internet protocol—it's not a programming mistake but a mistake in the design of the protocol. It affects users of all operating systems. So if you are also using other operating systems (including mobile), test your browsers there also and if needed take steps to disable SSLv3 support. There may be differences across operating systems; for example Firefox on Windows 7 Enterprise appears to not be vulnerable.

What if I'm running a server?
Perhaps needless to say, but if you are running a server and are using HTTPS (encrypted web connections) you should take steps to disable SSLv3 support on your server. Note that SSH isn't affected.
GeneC
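
An idempotent variant of the launcher edit quoted above, as an added example that is not part of the original post: it appends `--ssl-version-min=tls1` only to `Exec=` lines that lack it (so running it twice does not double the flag), keeps a one-time backup, and reports how many `Exec=` lines are still unprotected. The function names and the sample launcher are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): safe re-runnable launcher edit.
FLAG='--ssl-version-min=tls1'

# Print the number of Exec= lines in a .desktop file that lack the flag.
launcher_missing_flag() {
    grep -E '^Exec=' "$1" | grep -cvF -- "$FLAG" || true
}

# Add the flag after the executable on every Exec= line that lacks it.
harden_launcher() {
    file=$1
    [ -f "$file" ] || { echo "no such launcher: $file" >&2; return 1; }
    # Keep the first, unmodified copy; never overwrite it on later runs.
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    # Same substitution as in the post, skipped on lines that already match.
    sed -E "/^Exec=/{/$FLAG/!s/^(Exec=[^ ]*)(.*)\$/\\1 $FLAG\\2/;}" \
        "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Demonstration on a constructed launcher with two Exec= lines
# (main entry plus a desktop action), in a throwaway directory.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/sample-browser.desktop"
    cat > "$f" <<'EOF'
[Desktop Entry]
Name=Sample Browser
Exec=/usr/bin/sample-browser %U

[Desktop Action new-private-window]
Exec=/usr/bin/sample-browser --incognito
EOF
    echo "missing before: $(launcher_missing_flag "$f")"
    harden_launcher "$f" && harden_launcher "$f"   # second run changes nothing
    grep '^Exec=' "$f"
    echo "missing after: $(launcher_missing_flag "$f")"
    rm -rf "$dir"
}
demo
```

On a real system, run `harden_launcher` with sudo against the launcher paths named in the post. A package upgrade can replace the launcher file, so check it again with `launcher_missing_flag` after browser updates.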
