Everything You Need To Know About POODLE Attack

Google has disclosed information about vulnerabilities in the design of SSL 3.0. This may allow a potential network attacker to calculate the plaintext of secure connections. This cyber-attack is called a “Poodle” (Padding Oracle On Downgraded Legacy Encryption). In the case of a Poodle attack a hacker can force your browser to downgrade to an old version (SSL 3.0), which is not as secure as the present SSL standard. In order for the attack to be successful the encrypted traffic has to pass through a malicious node (i.e. a router or computer) which can cause the server/client to retreat to protocol (SSLv3). In this case hackers could potentially spy on your emails, banking or any kind of data traveling to and from your computer. It’s an ugly piece of malware to say the least.

This issue affects a large segment of the Internet connected servers that can be at risk to the SSLv3 protocol. SSLv3 has been replaced by the more robust TLS, which is more effective than SSLv3 which dates back up to 15 years. Unfortunately due to legacy constraints, most Internet servers can be forced to retreat to SSLv3. The recommended response to this issue is to support TLS_FALLBACK_SCSV. “ITS FALLBACK SCSV solves issues associated with retrying failed connections; as a result this prohibits hackers from prompting browsers to use SSL.30.” This mechanism also inhibits attackers from forcing browsers to use SSL 3.0, through problems associated with retrying failed connections. Furthermore, it also prevents “future attacks by preventing downgrades from TLS 1.2 to 1.1 or 1.0.(Mller, 2014)

If you’re using a system that runs SSL 3.0, it is advised to define a Signaling Cipher Suite Value (SCSV) to prevent unintended protocol downgrades between clients and servers when both parties support a higher version of the protocol.

Below you can find guidelines to the most frequently used webservers.

1. INTERNET INFORMATION SERVICES (IIS):Microsoft Windows NT Server stores protocol information in the HKey_Local_MachineSystemCurrentControlSetControlSecurityProvidersSCHANNELProtocols registry key. This key contains subkeys for PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0. You can disable any of these protocols by creating a new DWORD value with the “00 00 00 00” value in the server subkey corresponding to the protocol to be disabled. More information about configuring crypto on IIS http://support2.microsoft.com/kb/187498

2. APACHE HTTPD SERVER:Configure the https connectors to have the sslProtocol attribute set to “TLS” in the configuration file:
< Connector protocol=”HTTP/1.1″ SSLEnabled=”true”
port=”8443″ address=”${jboss.bind.address}”
scheme=”https” secure=”true” clientAuth=”false”
keystoreFile=”${jboss.server.home.dir}/conf/keystore.jks”
keystorePass=”rmi+ssl” sslProtocol = “TLS” />

3. TOMCAT:The SSL protocol to be used can be configured via $TOMCAT_HOME/conf/server.xml:< Connector port=”8443″ protocol=”org.apache.coyote.http11.Http11Protocol”
maxThreads=”150″ SSLEnabled=”true” scheme=”https” secure=”true”
clientAuth=”false” sslProtocol=”TLS”/>

4. TOMCAT APR:Similar to Tomcat, the protocol to be used is defined in the $TOMCAT_HOME/conf/server.xml file:< Connector port=”443″ maxHttpHeaderSize=”8192″
maxThreads=”150″
enableLookups=”false” disableUploadTimeout=”true”
acceptCount=”100″ scheme=”https” secure=”true”
SSLEnabled=”true”
SSLProtocol=”TLSv1″
SSLCertificateFile=”${catalina.base}/conf/localhost.crt”
SSLCertificateKeyFile=”${catalina.base}/conf/localhost.key” />

5. NGINX SERVER:Include the following line in the Nginx configuration file: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; Restart the service with sudo service nginx restart (if running Linux).

6. POSTFIX SMTP:Add or change the smtpd_tls_mandatory_protocols directive like this:
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Restart Postfix with sudo postfix restart for the changes to take effect.

7. HAPROXY SERVER: Edit the /etc/haproxy.cfg file and find your bind line. Append no-sslv3 directive like in the example below:
bind :443 ssl crt ciphers no-sslv3
More info on configuring webservers under Linux is available here.