SSLv3 and POODLE 
Background and testing methodology 
Based on an internal presentation 
Jerome Smith, 30/10/14

What’s the problem?
• SSLv3 authenticates before it encrypts
– So you have to decrypt before you can check for tampering
• https://www.imperialviolet.org/2014/10/14/poodle.html
GET / HTTP/1.1\r\nCookie: abcdefgh\r\n\r\nxxxxMAC-DATA-------7
• Padding bytes can be anything (“non-deterministic”)
– Not covered by the MAC
– Last byte is the number of padding bytes
• Padding Oracle On Downgraded Legacy Encryption
– Oracle – a black box that leaks information (not the database)
– Padding Oracle – an oracle that tells you whether or not the padding of a decrypted message is correct

Padding Oracle Decryption
GET / HTTP/1.1\r\nCookie: abcdefgh\r\n\r\nxxxxMAC-DATA-------7
Wikipedia (pretend block size is 8!)
• C_i[8] decrypts to INT_i[8] (C_i[8] is the 8th byte of the cookie block, block i of n, which is copied over the last block C_n)
• When INT_i[8] XOR C_{n-1}[8] = 7 the record will be accepted (the attacker knows this and can manipulate C_{n-1}[8])
• So INT_i[8] = 7 XOR C_{n-1}[8]
• And P_i[8] = INT_i[8] XOR C_{i-1}[8]

Padding Oracle Decryption
GET /a HTTP/1.1\r\nCookie: abcdefgh\r\n\r\nxxxMAC-DATA-------7
• Lengthen the URL and shorten the end so the next cookie byte lands in the last position of its block → attack the next byte
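An added example (not from the slides) that builds the record layout above with a toy 8-byte block cipher and puts the SSLv3 padding check beside the TLS 1.0+ one: copying the cookie block over the final block is accepted by the SSLv3 check exactly when INT_i[8] XOR C_{n-1}[8] = 7, and never by the TLS-style check that requires every padding byte to equal the length. The Feistel cipher, keys and IVs are constructed for the demo; the request bytes are the ones shown on the slides.

```python
import hashlib
import hmac

BLOCK = 8     # the slides "pretend block size is 8"
MAC_LEN = 8   # one block, like the "MAC-DATA" block in the slide layout


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # toy Feistel round function: 4 bytes of SHA-256 over key, round, half
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network on an 8-byte block; stands in for 3DES (not secure)
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out += _xor(decrypt_block(key, block), prev)   # P_i = INT_i XOR C_{i-1}
        prev = block
    return out

def seal(key: bytes, mac_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """SSLv3 order: MAC, then pad to a block boundary, then encrypt. The last byte
    is the number of padding bytes before it; SSLv3 never checks the filler."""
    mac = hmac.new(mac_key, payload, hashlib.sha256).digest()[:MAC_LEN]
    body = payload + mac
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    body += bytes([pad_len]) * (pad_len + 1)   # filler = pad_len so TLS rules pass too
    return cbc_encrypt(key, iv, body)

def open_record(key: bytes, mac_key: bytes, iv: bytes, ct: bytes,
                check_all_padding: bool) -> bool:
    """True if the record is accepted. SSLv3 checks only the length byte;
    TLS 1.0+ (check_all_padding=True) requires every padding byte to equal it."""
    pt = cbc_decrypt(key, iv, ct)
    pad_len = pt[-1]
    if pad_len + 1 > BLOCK or pad_len + 1 + MAC_LEN > len(pt):
        return False
    if check_all_padding and pt[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return False
    body = pt[:-(pad_len + 1)]
    payload, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, payload, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(mac, expected)


# Constructed sample values: the request from the slides and toy keys
REQUEST = b"GET / HTTP/1.1\r\nCookie: abcdefgh\r\n\r\nxxxx"
KEY, MAC_KEY = b"toy-key-", b"toy-mac-"

def oracle_trial(iv: bytes):
    """One record whose final block C_n is replaced by the cookie block C_i, as on
    the slides. Returns (sslv3_accepts, tls_accepts, relation) where relation is
    INT_i[8] XOR C_{n-1}[8] == 7 computed with the key, to show what SSLv3 leaks."""
    ct = seal(KEY, MAC_KEY, iv, REQUEST)
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    cookie = blocks[3]                       # "abcdefgh" is the 4th block
    tampered = b"".join(blocks[:-1]) + cookie
    relation = (decrypt_block(KEY, cookie)[-1] ^ blocks[-2][-1]) == 7
    return (open_record(KEY, MAC_KEY, iv, tampered, False),
            open_record(KEY, MAC_KEY, iv, tampered, True),
            relation)

def oracle_summary(trials: int = 512) -> dict:
    """A fresh IV per trial stands in for the repeated requests the slides rely
    on. Expect about trials/256 SSLv3 acceptances and none from the TLS check."""
    sslv3 = tls = 0
    consistent = True
    for n in range(trials):
        iv = hashlib.sha256(b"iv" + n.to_bytes(4, "big")).digest()[:BLOCK]
        s, t, relation = oracle_trial(iv)
        sslv3 += s
        tls += t
        consistent = consistent and (s == relation)
    return {"sslv3_accepts": sslv3, "tls_accepts": tls, "consistent": consistent}
```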

Protocol Fallback
• Padding Oracle On Downgraded Legacy Encryption
• Clients and servers don’t often opt for SSLv3
– But if the client has problems connecting, it will try again with a lower protocol version in the interests of usability
– A MITM can cause such problems until the client falls back to using SSLv3

Testing
• All tools check for SSLv3 support
• Manually:
openssl s_client -ssl3 -connect host:443
– this just confirms SSLv3 support generally; it obviously only reports 1 cipher suite
• If the server prefers RC4-based ciphers then it is unlikely to be exploitable
– So server preference should be used to qualify the risk rating

Cipher suite preference
• Tools can disagree over SSLv3 preference
• SSLyze
• SSLscan
• Who’s right?

Cipher suite preference
openssl s_client -ssl3 -connect host:443
openssl s_client -ssl3 -cipher DES-CBC3-SHA:RC4-SHA -connect host:443
openssl s_client -ssl3 -cipher RC4-SHA:DES-CBC3-SHA -connect host:443
• All of them returned:
• Looks like SSLyze was wrong
– I posted https://github.com/nabla-c0d3/sslyze/issues/10
– SSLyze restricts the number of ciphers in the Client Hello “due to a bug in a specific brand of load balancers”
– Unnecessary here as the server supported only 3 ciphers

Prevention
• I know, I’ll prefer RC4 ciphers (er…)
• Disable SSLv3
– POODLE isn’t the only reason to disable SSLv3
– Oh no, I’ve lost my IE6 user base
• Implement TLS_FALLBACK_SCSV
– Client signals it is knowingly performing fallback: if the server supports a higher version, something’s gone wrong
• Anything that relies on OpenSSL: use 1.0.1j, 1.0.0o, 0.9.8zc
– But both ends must support it
• Chrome 33 (Feb 2014)
• Firefox 35 (Jan 2015); 34 will disable SSLv3 anyway
• Opera 25 (Oct 2014)
– Wider protection against downgrade attacks
• Bespoke client hacks (as was done with BEAST)
– Anti-POODLE record splitting (Opera 25) but protection is unidirectional
– Safari: update disables CBC cipher suites when TLS connections fail

Testing for TLS_FALLBACK_SCSV
• OpenSSL 1.0.1j
openssl s_client -ssl3 -fallback_scsv -connect host:443
• If it connects, it’s not implemented
• If it fails, check the error message for the “inappropriate fallback” alert
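An added example, not part of the presentation, that applies the test logic of the Testing, Cipher suite preference and TLS_FALLBACK_SCSV slides to captured `openssl s_client` output: the two-orderings probe for server preference, the "inappropriate fallback" alert check, and the RC4-versus-CBC qualification of the rating. The transcripts are constructed samples in the shape OpenSSL prints (the numeric values are made up), and the high/low labels are this example's own assumptions, not a scheme from the slides.

```python
import re

# Constructed sample transcripts (shape of `openssl s_client` output only)
SSLV3_OK = """CONNECTED(00000003)
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
---
"""
RC4_OK = SSLV3_OK.replace("DES-CBC3-SHA", "RC4-SHA")
SSLV3_REFUSED = """CONNECTED(00000003)
139873:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
---
    Protocol  : SSLv3
    Cipher    : 0000
"""
SCSV_ALERT = """CONNECTED(00000003)
139873:error:1409443E:SSL routines:SSL3_READ_BYTES:tlsv1 alert inappropriate fallback:s3_pkt.c:1257:SSL alert number 86
---
    Protocol  : SSLv3
    Cipher    : 0000
"""


def negotiated_cipher(output: str):
    """Cipher suite from the SSL-Session block, or None if no handshake completed."""
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not m or m.group(1) == "0000" or ":error:" in output:
        return None
    return m.group(1)

def server_preference(order_a_output: str, order_b_output: str):
    """The slides' probe: offer the same suites in both orders. The same suite
    both times means the server enforces its own order; otherwise the client's
    order wins. Returns the preferred suite, "client-order", or None."""
    a, b = negotiated_cipher(order_a_output), negotiated_cipher(order_b_output)
    if a is None or b is None:
        return None
    return a if a == b else "client-order"

def cipher_mode(cipher: str) -> str:
    # SSLv3 suites are either RC4 stream ciphers or CBC block ciphers
    if "NULL" in cipher:
        return "none"
    return "stream" if "RC4" in cipher else "cbc"

def fallback_scsv_status(output: str) -> str:
    """Output of `openssl s_client -ssl3 -fallback_scsv`: a completed SSLv3
    handshake means the SCSV is ignored; the alert means it is honoured."""
    if "inappropriate fallback" in output:
        return "implemented"
    if negotiated_cipher(output):
        return "not implemented"
    return "unknown"   # failed for another reason, e.g. SSLv3 disabled entirely

def rate_poodle(sslv3_output: str, order_a_output: str,
                order_b_output: str, scsv_output: str) -> dict:
    """Qualify the finding as the Testing slide suggests (labels are assumed)."""
    if negotiated_cipher(sslv3_output) is None:
        return {"sslv3": False, "rating": "none", "reason": "SSLv3 not offered"}
    pref = server_preference(order_a_output, order_b_output)
    scsv = fallback_scsv_status(scsv_output)
    if pref == "client-order":
        rating, reason = "high", "server follows client order, so a CBC suite is reachable"
    elif pref is None:
        rating, reason = "unknown", "preference probe did not complete"
    elif cipher_mode(pref) == "cbc":
        rating, reason = "high", f"server prefers CBC suite {pref}"
    else:
        rating, reason = "low", f"server prefers non-CBC suite {pref}"
    if scsv == "implemented":
        reason += "; TLS_FALLBACK_SCSV stops the downgrade for clients that send it"
    return {"sslv3": True, "preference": pref, "fallback_scsv": scsv,
            "rating": rating, "reason": reason}
```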


Editor's Notes

1. Firefox: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Chrome: https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html
Opera: http://blogs.opera.com/security/2014/10/security-changes-opera-25-poodle-attacks/
Safari: https://support.apple.com/kb/HT6531