

Background on - and testing for - POODLE (the SSLv3 vulnerability). Obviously some details/context missing but the testing side is expanded at



  1. SSLv3 and POODLE: Background and testing methodology. Based on an internal presentation. Jerome Smith, 30/10/14
  2. What’s the problem?
     • SSLv3 authenticates before it encrypts
       – So you have to decrypt before you can check for tampering
     • Example record: GET / HTTP/1.1\r\nCookie: abcdefgh\r\n\r\nxxxxMAC-DATA-------7
     • Padding bytes can be anything (“non-deterministic”)
       – Not covered by the MAC
       – Last byte is the number of padding bytes
     • Padding Oracle On Downgraded Legacy Encryption
       – Oracle: a database black box that leaks information
       – Padding Oracle: an oracle that tells you whether or not the padding of a decrypted message is correct
  3. Padding Oracle Decryption
     GET / HTTP/1.1\r\nCookie: abcdefgh\r\n\r\nxxxxMAC-DATA-------7
     • $C_{i,8}$ decrypts to $INT_{i,8}$ ($C_{i,8}$ is the 8th byte of the cookie block, ordinal $i$ of $n$, moved to the last block $C_n$)
     • When $INT_{i,8} \oplus C_{n-1,8} = 7$ the record will be accepted (the attacker knows this and can manipulate $C_{n-1,8}$)
     • So $INT_{i,8} = 7 \oplus C_{n-1,8}$
     • And $P_{i,8} = INT_{i,8} \oplus C_{i-1,8}$
     (CBC decryption diagram from Wikipedia; pretend block size is 8!)
  4. Padding Oracle Decryption
     GET /a HTTP/1.1\r\nCookie: abcdefgh\r\n\r\nxxxMAC-DATA-------7
     • Lengthen the URL by one byte and shorten the end by one byte → attack the next byte
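The mechanics of slides 2 to 4, as an added example that is not part of the original deck: a self-contained Python simulation with a toy 8-byte block cipher (a 4-round Feistel permutation constructed for this example), an 8-byte truncated HMAC as the record MAC, a constructed cookie value and the request layout from the slides. The client re-encrypts each request under a fresh IV, the server acts as the oracle, and the attacker recovers the cookie one byte per alignment. A TLS-style check that also requires every padding byte to equal the length byte is run beside it for contrast. All names, keys and values in it are assumptions of the example.

```python
# Added example (not from the slides): simulation of the SSLv3 padding oracle on
# slides 2-4, with a TLS-style deterministic-padding check beside it. The Feistel
# "cipher", the truncated HMAC, the cookie and the request layout are constructed.
import hashlib
import hmac
import os

BLOCK = 8                      # slide 3: "pretend block size is 8!"
MAC_LEN = 8
KEY = b"toy-cipher-key"        # constructed
MAC_KEY = b"toy-mac-key"       # constructed
SECRET_COOKIE = b"abcdefgh"    # the value the attacker wants to recover
HEAD = b"GET /"                # the attacker lengthens the URL after this
MID = b" HTTP/1.1\r\nCookie: "
TAIL = b"\r\n\r\n"             # the attacker appends body bytes after this


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half, r):
    return hashlib.sha256(KEY + bytes([r]) + half).digest()[:4]


def enc_block(b):
    """4-round Feistel permutation of an 8-byte block: a bijection, not a secure cipher."""
    l, r = b[:4], b[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(r, i))
    return l + r


def dec_block(b):
    l, r = b[:4], b[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(l, i)), l
    return l + r


def cbc_encrypt(iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(_xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(dec_block(blk), prev))
        prev = blk
    return b"".join(out)


def mac(data):
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:MAC_LEN]


def client_send(url_pad, body_pad):
    """Victim client: MAC-then-encrypt with SSLv3 padding (random filler bytes,
    last byte = number of filler bytes; nothing about the filler is covered by the MAC)."""
    data = HEAD + b"a" * url_pad + MID + SECRET_COOKIE + TAIL + b"x" * body_pad
    payload = data + mac(data)
    pad_len = BLOCK - 1 - len(payload) % BLOCK
    payload += os.urandom(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(iv, payload)


def server_accepts(iv, ct, deterministic_padding):
    """The oracle. SSLv3 only looks at the length byte; the TLS-style variant
    (deterministic_padding=True) also requires every filler byte to equal it."""
    pt = cbc_decrypt(iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    if deterministic_padding and any(b != pad_len for b in pt[-1 - pad_len:-1]):
        return False
    body = pt[:len(pt) - pad_len - 1]
    return hmac.compare_digest(body[-MAC_LEN:], mac(body[:-MAC_LEN]))


def recover_cookie_byte(idx, deterministic_padding=False, max_tries=6000):
    """Slides 3-4: choose the URL length so cookie byte idx is the last byte of block C_i
    and the body length so the padding is a whole block, then replace the padding block
    C_n with C_i on each request the client sends until the oracle accepts one."""
    url_pad = -(len(HEAD) + len(MID) + idx + 1) % BLOCK
    i = (len(HEAD) + url_pad + len(MID) + idx + 1) // BLOCK - 1   # 0-based block of the target byte
    body_pad = -(len(HEAD) + url_pad + len(MID) + len(SECRET_COOKIE) + len(TAIL) + MAC_LEN) % BLOCK
    for _ in range(max_tries):
        iv, ct = client_send(url_pad, body_pad)
        blocks = [iv] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]  # blocks[k + 1] is C_k
        n = len(blocks) - 1                                                  # padding block C_n
        forged = ct[:-BLOCK] + blocks[i + 1]                                 # C_n := C_i
        if server_accepts(iv, forged, deterministic_padding):
            # accepted => INT_{i,8} XOR C_{n-1,8} = 7 => P_{i,8} = 7 XOR C_{n-1,8} XOR C_{i-1,8}
            return (BLOCK - 1) ^ blocks[n - 1][-1] ^ blocks[i][-1]
    return None


def recover_cookie(deterministic_padding=False):
    """Whole cookie, re-aligning URL and body lengths for each byte (slide 4)."""
    out = []
    for idx in range(len(SECRET_COOKIE)):
        b = recover_cookie_byte(idx, deterministic_padding)
        if b is None:
            return None
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    print("SSLv3 padding check, recovered cookie:", recover_cookie())
    print("TLS-style padding check, byte 0:", recover_cookie_byte(0, True, max_tries=2000))
```

Against the SSLv3-style oracle a forged record is accepted with probability 1/256 per request, so expect about 256 client requests per cookie byte. With the deterministic check the forged block passes only if all eight decrypted bytes equal 7, which the 2000-try cap never reaches in practice, so the same requests recover nothing: the leak comes from the unchecked filler bytes, not from CBC itself.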
  5. Protocol Fallback
     • Padding Oracle On Downgraded Legacy Encryption
     • Clients and servers don’t often opt for SSLv3
       – But if the client has problems connecting, it will try again with a lower protocol version in the interests of usability
       – A MITM can cause such problems until the client falls back to using SSLv3
  6. Testing
     • All tools check for SSLv3 support
     • Manually: openssl s_client -ssl3 -connect host:443
       – This just confirms SSLv3 support generally; it obviously only reports one cipher suite
     • If the server prefers RC4-based ciphers then it is unlikely to be exploitable
       – So server preference should be used to qualify the risk rating
  7. Cipher suite preference
     • Tools can disagree over SSLv3 preference
     • SSLyze
     • SSLscan
     • Who’s right?
  8. Cipher suite preference
     openssl s_client -ssl3 -connect host:443
     openssl s_client -ssl3 -cipher DES-CBC3-SHA:RC4-SHA -connect host:443
     openssl s_client -ssl3 -cipher RC4-SHA:DES-CBC3-SHA -connect host:443
     • All of them returned: (output shown on the slide)
     • Looks like SSLyze was wrong
       – I posted
       – SSLyze restricts the number of ciphers in the Client Hello “due to a bug in a specific brand of load balancers”
       – Unnecessary here as the server supported only 3 ciphers
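The preference probing of slides 6 to 8 and the risk qualification it feeds, as an added example that is not part of the original deck: a Python model of a server that either enforces its own cipher order or takes the client's, the equivalent of the two `-cipher A:B` / `-cipher B:A` runs from slide 8, an SSLscan-style order enumeration, and the slide-6 qualifier (RC4 preferred under SSLv3 means POODLE is unlikely to be exploitable, a CBC suite preferred means it is). The server object, the suite lists and the verdict strings are constructed for illustration; nothing here talks to a real host.

```python
# Added example (not from the slides): model of the cipher-suite preference probing
# on slides 6-8 and the POODLE risk qualifier from slide 6. Suite lists, server
# behaviour and verdict strings are constructed for illustration.
CBC_SUITES = {"DES-CBC3-SHA", "AES128-SHA", "AES256-SHA"}   # block ciphers in CBC mode: POODLE applies
STREAM_SUITES = {"RC4-SHA", "RC4-MD5"}                        # stream ciphers: no CBC padding to attack
CLIENT_LIST = ["DES-CBC3-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5"]   # constructed Client Hello order


class Sslv3Server:
    """A server that either enforces its own suite order or takes the client's."""

    def __init__(self, supported, honour_server_order):
        self.supported = list(supported)
        self.honour_server_order = honour_server_order

    def select(self, client_hello_order):
        """Returns the negotiated suite, or None for a handshake failure (no common suite)."""
        if self.honour_server_order:
            return next((s for s in self.supported if s in client_hello_order), None)
        return next((s for s in client_hello_order if s in self.supported), None)


def discover_server_order(server, offered):
    """SSLscan-style enumeration: offer everything not yet seen, note what the server
    picks, drop it, repeat. Only meaningful when the server enforces its own order."""
    remaining, order = list(offered), []
    while remaining:
        chosen = server.select(remaining)
        if chosen is None:
            break
        order.append(chosen)
        remaining.remove(chosen)
    return order


def poodle_exposure(server, offered):
    """Slide 8's two `openssl s_client -ssl3 -cipher A:B` / `-cipher B:A` runs in one
    call: the same answer for both orders means the server decides. Then slide 6's
    qualifier. Returns (verdict code, explanation)."""
    forward = server.select(offered)
    if forward is None:
        return "no-suite", "no SSLv3 suite in common with the probe list"
    # The ordering test needs at least two common suites, otherwise both runs
    # trivially agree and say nothing about preference.
    if server.select([s for s in offered if s != forward]) is None:
        return "single-suite", f"only {forward} in common: preference cannot be judged"
    backward = server.select(list(reversed(offered)))
    if forward != backward:
        return "client-order", "server takes the client's order: a CBC-capable client gets CBC, rate as exploitable"
    if forward in STREAM_SUITES:
        return "unlikely", f"server prefers {forward} (stream cipher): POODLE unlikely to be exploitable"
    return "exploitable", f"server prefers {forward} (CBC mode): POODLE exploitable"


if __name__ == "__main__":
    srv = Sslv3Server(["DES-CBC3-SHA", "RC4-SHA", "AES128-SHA"], honour_server_order=True)
    print(discover_server_order(srv, CLIENT_LIST))
    print(poodle_exposure(srv, CLIENT_LIST))
    # A probe that offers only a subset of suites (the kind of restriction slide 8
    # attributes to SSLyze) can miss the server's real first choice and understate the risk:
    print(poodle_exposure(srv, ["RC4-SHA", "AES128-SHA"]))
    print(poodle_exposure(Sslv3Server(srv.supported, honour_server_order=False), CLIENT_LIST))
```

The subset run is the point of slide 8: the server above really prefers DES-CBC3-SHA, but a Client Hello that never offers it makes the server's "preference" look like RC4-SHA, which is exactly the disagreement between tools the slides describe. Offer the server's whole supported list (or at least everything it accepts under SSLv3) before trusting a preference result.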
  9. Prevention
     • I know, I’ll prefer RC4 ciphers (er…)
     • Disable SSLv3
       – POODLE isn’t the only reason to disable SSLv3
       – Oh no, I’ve lost my IE6 user base
     • Implement TLS_FALLBACK_SCSV
       – Client signals it is knowingly performing fallback: if the server supports a higher version, something’s gone wrong
       – Anything that relies on OpenSSL: use 1.0.1j, 1.0.0o, 0.9.8zc
       – But both ends must support it
         • Chrome 33 (Feb 2014)
         • Firefox 35 (Jan 2015); 34 will disable SSLv3 anyway
         • Opera 25 (Oct 2014)
       – Wider protection against downgrade attacks
     • Bespoke client hacks (as was done with BEAST)
       – Anti-POODLE record splitting (Opera 25) but protection is unidirectional
       – Safari: update disables CBC cipher suites when TLS connections fail
  10. Testing for TLS_FALLBACK_SCSV
     • OpenSSL 1.0.1j: openssl s_client -ssl3 -fallback_scsv -connect host:443
     • If it connects, it’s not implemented
     • If it fails, check the error message for the “inappropriate fallback” alert
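The slide-10 check with its result interpretation, as an added example that is not part of the original deck: a Python wrapper around the command line on the slide plus a classifier for its output. The classifier adds the third outcome a practitioner needs, a failure for some other reason than the "inappropriate fallback" alert. The sample outputs in `SAMPLES` are constructed to resemble s_client's wording and were not captured from any host.

```python
# Added example (not from the slides): wrapper and result interpretation for the
# slide-10 TLS_FALLBACK_SCSV check. The command line is the one on the slide; the
# SAMPLES outputs are constructed, not captured from a real server.
import subprocess


def fallback_scsv_command(host, port=443):
    return ["openssl", "s_client", "-ssl3", "-fallback_scsv", "-connect", f"{host}:{port}"]


def interpret(returncode, output):
    """Three outcomes rather than the slide's two: a failure without the
    'inappropriate fallback' alert (for example SSLv3 disabled outright, which is the
    better state for POODLE itself) says nothing about TLS_FALLBACK_SCSV support."""
    text = output.lower()
    if "inappropriate fallback" in text:
        return "implemented"
    if returncode == 0:          # handshake completed over SSLv3 despite the SCSV
        return "not implemented"
    return "inconclusive"


def probe(host, port=443, timeout=15):
    """Runs the real command (needs an OpenSSL build with -fallback_scsv and SSLv3);
    stdin is closed so s_client exits once the handshake has completed or failed."""
    proc = subprocess.run(fallback_scsv_command(host, port), input=b"",
                          capture_output=True, timeout=timeout)
    return interpret(proc.returncode, (proc.stdout + proc.stderr).decode(errors="replace"))


SAMPLES = {  # constructed illustrations of the three outcomes
    "alert": (1, "CONNECTED(00000003)\n... SSL routines ... alert inappropriate fallback ...\n"),
    "connected": (0, "CONNECTED(00000003)\n...\nNew, SSLv3, Cipher is DES-CBC3-SHA\n"),
    "other failure": (1, "CONNECTED(00000003)\n... SSL routines ... alert handshake failure ...\n"),
}

if __name__ == "__main__":
    for name, (rc, out) in SAMPLES.items():
        print(f"{name:14s} -> {interpret(rc, out)}")
```

Run `probe()` only from a machine whose OpenSSL still speaks SSLv3: builds from OpenSSL 1.1.0 onwards are compiled without it by default, and on such a build the command fails locally before any handshake, which `interpret` correctly reports as inconclusive rather than as a finding about the server.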