What is poodle stand for sslv3 hack?Padding Oracle On Downgraded Legacy Encryption
Poodle, which stands for Padding Oracle On Downgraded Legacy Encryption (PDF), is a problem because it’s used by both websites and Web browsers. Both must be reconfigured to prevent using SSL 3.0, and Poodle will remain a problem as long as SSL 3.0 is supported.
Google exposes ‘Poodle’ flaw in Web encryption standard …
POODLE Vulnerability: Frequently Asked Questions.
Who does Poodle Affect?
What should I tell my customers if they ask about POODLE?
You can instruct any concerned customers to visit https://zmap.io/sslv3/ to confirm if their browser supports SSLv3. It includes instructions on how to disable SSLv3 for all modern browsers.
What to do if i Use Internet Explorer 6?
If you are using a version of Internet Explorer older than 7.0, please visit http://www.microsoft.com/en-us/download/internet-explorer.aspx to upgrade.
Firefox, Safari and Chrome users should not be affected.
Important announcement about POODLE and payment security.
In general I see 3 area where fix needed
1) Server – big or not so big computer called server, where your personal or business website is hosted.
2) Web site, online shopping cart, CMS’s script
3) End user computer’s “user agent” which Browsers.
Ex: Chrome, Firefox, Internet Explorer, Opera, Safari and whatever else you may use.
Most of them need to be fixed manually or you need to wait for provider’s update. While waiting for update you are at rick of being sending unsecured personal information over SSLv3 – in very simple words
1) Server side.
While on server level cpanel, WHM you suggested use this fix:
2) eCommerce, Shopping Card fixes.
Depend on the online store scripting you need to find line where it say something like this:
curl_setopt ($ch, CURLOPT_SSLVERSION, 3);
and comment it in php code:
//curl_setopt ($ch, CURLOPT_SSLVERSION, 3);
in zen-cart depend on releases it can be in different places
if you have early releases you may also find it here:
between bunch of curl_setopt statmenrts like those:
curl_setopt ($ch, CURLOPT_SSLCERT, $key); curl_setopt ($ch, CURLOPT_CAINFO, $key); curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt ($ch, CURLOPT_SSLVERSION, 3); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, true);
Affected files depend on your software releases: /includes/modules/payment/paypal/paypal_curl.php around line 58 /includes/modules/payment/authorizenet_aim.php around line 600 /includes/modules/payment/authorizenet_echeck.php around line 589 /includes/modules/payment/paypaldp.php around line 2342 /includes/modules/payment/linkpoint_api/class.linkpoint_api.php around line 309 (Line numbers may differ depending on what Zen Cart version you're using)
and others depend on activated modules and releases of your shopping cart.
3) What to tell customers about Browsers on end user computer, “user agent”.
If, as stated by many sources, attack works only on traffic sessions using SSLv3 then transaction with payment gateway cush as Verysign, Google checkout, Authorize.net… may go throw in case without errors if 1) server side, and 2) CMS scripting level fixed.
But user may/will see unsecured massage on local computer browsers.
it is better then red Error massage Like this: “An error occurred when we tried to contact the payment processor. Please try again, select an alternate payment method, or contact the store owner for assistance. () – (35) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number“
But still not peasant for user experience on your site.
as for online sellers it will be all over unless end user manually fix or will wait for Browsers to be updated.Source: http://www.wired.com/2014/10/poodle-explained/
How to check your end user’s computer browser to make sure it is not vulnerable?
Open this link in all your browsers and see what it say:
“If you see a poodle below, then your browser supports SSLv3 via block ciphers, and you may be vulnerable. If you see a Springfield Terrier below, your browser doesn’t support SSLv3, or only supports SSLv3 using stream ciphers.”
If vulnerable every single user may need to consider to manually fix it or being unsecured with all your online payment, form submitting proses.
How long to wait to update browser?
FireFox announce it will update by November 24-26 2014, some other browser next year, some did not announse SSLv3 at all, like Apple always does.
Random Notes for more read about Poodle Hack of SSLv3
Please notice underline some phrases which important to think about.
Vulnerability in SSL 3.0 Could Allow Information Disclosure
List of affected Microsoft software: https://technet.microsoft.com/en-us/library/security/3009008.aspx
One of the sugessted solutions form Microwoft is to “FIX” your local computer, which is only up to you and you can do it on your own rick. I will do it after November 4 when some payment gateway processors will stop supporting SSLv3.
If i will have problem i will try this solution:
For Client Software
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry key:HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\ClientNote If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
- On the Edit menu, click Add Value.
- In the Data Type list, click DWORD.
- In the Value Name box, type Enabled, and then click OK.Note If this value is present, double-click the value to edit its current value.
- In the Edit DWORD (32-bit) Value dialog box, type 0 .
- Click OK. Restart the computer.
Note This workaround will disable SSL 3.0 for all client software installed on a system.
Note After applying this workaround, client applications on this machine will not be able to communicate with other servers that only support SSL 3.0.
- The attack works only on traffic sessions using SSLv3. Although this is an old protocol that has been replaced in many client and server configurations with TLS (Transport Layer Security), many browser clients and web servers that use TLS for connections still support SSLv3.
Some products and browsers, like Internet Explorer 6 for Windows XP, only use SSLv3. There are also clients that support SSLv3 as an alternative to use whenever a TLS connection to a web server fails.
An attacker could exploit this compatibility to downgrade a connection to SSLv3 and then conduct the POODLE attack to hijack your session.Google’s security team has recommended that systems administrators simply turn off support for SSLv3 to avoid the problem. But this will mean that some users trying to connect securely to a web server using SSLv3 will have trouble connecting if they’re using a client that only supports this protocol.
- SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and,in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
“This attack is really against clients—you have to worry about it if you’re in a place like Starbucks,” says Rob Graham, CEO of Erratasec. “If you’re at home there’s probably no one man-in-the-middling you except the NSA. So as a home user, you don’t need to panic. As a server [administrator], you probably don’t need to panic if your customers are coming in over home connections. Only if they’re coming in over [something like] a Starbucks Wi-Fi.”…Source: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
More to come later