About #Poodle #Hack of #SSLv3 and How to Secure Online Business


Poodle Hack of SSLv3New Security Vulnerability Named POODLE was discovered recently.

 

  • What is poodle stand for sslv3 hack?

    Padding Oracle On Downgraded Legacy Encryption
  • Poodle, which stands for Padding Oracle On Downgraded Legacy Encryption (PDF), is a problem because it’s used by both websites and Web browsers. Both must be reconfigured to prevent using SSL 3.0, and Poodle will remain a problem as long as SSL 3.0 is supported.
  • Google exposes ‘Poodle’ flaw in Web encryption standard …

 

POODLE Vulnerability: Frequently Asked Questions.

What is the SSLv3 POODLE Vulnerability?
On October 15 Google published details of vulnerability in the design of SSL version 3.0. This vulnerability
allows the plaintext of secure connections to be calculated by a network attacker. The new vulnerability,
named ‘POODLE’, compromises encryption, by forcing a browser or client to use the less secure SSLv3
encryption protocols instead of TLS protocols (eg TLSv1.2). It then carries out a BEAST (Browser Exploit
Against SSL/TLS) attack to obtain information from the encrypted stream.
Is This Really Such a Big Issue?
Yes. Although SSL 3.0 is nearly fifteen years old, support for it remains widespread. Most importantly, nearly all
browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections
with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures,
they can trigger the use of SSL 3.0 and then exploit this issue.

Who does Poodle Affect?
Any merchant using Internet Explorer 6 (IE6) to access secure online payment gateways system pages or any merchant whose site or solution uses SSLv3 to post transactions to Authorize.Net.

What should I tell my customers if they ask about POODLE?

You can instruct any concerned customers to visit https://zmap.io/sslv3/ to confirm if their browser supports SSLv3. It includes instructions on how to disable SSLv3 for all modern browsers.

What to do if i Use Internet Explorer 6?

If you are using a version of Internet Explorer older than 7.0, please visit http://www.microsoft.com/en-us/download/internet-explorer.aspx to upgrade.

Firefox, Safari and Chrome users should not be affected.

Important announcement about POODLE and payment security.

In general I see 3 area where fix needed

1) Server – big or not so big computer called server, where your personal or business website is hosted.

2) Web site, online shopping cart, CMS’s script

3) End user computer’s “user agent” which Browsers.

Ex: Chrome, Firefox, Internet Explorer, Opera, Safari and whatever else you may use.
Most of them need to be fixed manually or you need to wait for provider’s update. While waiting for update you are at rick of being sending unsecured personal information over SSLv3 – in very simple words

1) Server side.

While on server level cpanel, WHM you suggested use this fix:
http://www.liquidweb.com/kb/how-to-disable-sslv3-and-protect-your-whmcpanel-server-from-poodle

2)  eCommerce, Shopping Card fixes.

Depend on the online store scripting you need to find line where it say something like this:

curl_setopt ($ch, CURLOPT_SSLVERSION, 3);

and comment it in php code:

//curl_setopt ($ch, CURLOPT_SSLVERSION, 3);

in zen-cart depend on releases it can be in different places

http://www.zen-cart.com/showthread.php?214916-Important-announcement-about-POODLE-and-payment-security

if you have early releases you may also find it here:

modules/payment/linkpoint_api/class.linkpoint_api.php

between bunch of curl_setopt statmenrts like those:

  curl_setopt ($ch, CURLOPT_SSLCERT, $key);
  curl_setopt ($ch, CURLOPT_CAINFO, $key);
  curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, false);
  curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, false);
  curl_setopt ($ch, CURLOPT_SSLVERSION, 3);
  curl_setopt ($ch, CURLOPT_RETURNTRANSFER, true);
Affected files depend on your software releases:
 /includes/modules/payment/paypal/paypal_curl.php around line 58
 /includes/modules/payment/authorizenet_aim.php around line 600
 /includes/modules/payment/authorizenet_echeck.php around line 589
 /includes/modules/payment/paypaldp.php around line 2342
 /includes/modules/payment/linkpoint_api/class.linkpoint_api.php around line 309
 
 (Line numbers may differ depending on what Zen Cart version you're using)

in x-cart

func/func.https_libcurl.php

modules/XPayments_Connector/xpc_func.php

and others depend on activated modules and releases of your shopping cart.

3) What to tell customers about Browsers on end user computer, “user agent”.

If, as stated by many sources, attack works only on traffic sessions using SSLv3 then transaction with payment gateway cush as Verysign, Google checkout, Authorize.net…  may go throw in case without errors if 1) server side, and 2) CMS scripting level fixed.

But user may/will see unsecured massage on local computer browsers.

it is better then red Error massage Like this: “An error occurred when we tried to contact the payment processor. Please try again, select an alternate payment method, or contact the store owner for assistance. ()(35) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

But still not peasant for user experience on your site.

as for online sellers it will be all over unless end user manually fix or will wait for Browsers to be updated.

Source: http://www.wired.com/2014/10/poodle-explained/
 

How to check your end user’s computer browser to make sure it is not vulnerable?

Open this link in all your browsers and see what it say:

https://www.poodletest.com/

vulnpoodle“If you see a poodle below, then your browser supports SSLv3 via block ciphers, and you may be vulnerable. If you see a Springfield Terrier below, your browser doesn’t support SSLv3, or only supports SSLv3 using stream ciphers.”

If vulnerable every single user may need to consider to manually fix it or being unsecured with all your online payment, form submitting proses.

How long to wait to update browser?

FireFox announce it will update by November 24-26 2014, some other browser next year, some did not announse SSLv3 at all, like Apple always does.

Poddle SSLv3 safesite

Poddle SSLv3 safesite

Random Notes for more read about Poodle Hack of SSLv3

Please notice underline some phrases which important to think about.

  • Vulnerability in SSL 3.0 Could Allow Information Disclosure

    List of affected Microsoft software: https://technet.microsoft.com/en-us/library/security/3009008.aspx

    One of the sugessted solutions form Microwoft is to “FIX” your local computer, which is only up to you and you can do it on your own rick.  I will do it after November 4 when some payment gateway processors will stop supporting SSLv3.
    If i will have problem i will try this solution:

    For Client Software

    You can disable support for the SSL 3.0 protocol on Windows by following these steps:

    1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
    2. In Registry Editor, locate the following registry key:HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\ClientNote If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
    3. On the Edit menu, click Add Value.
    4. In the Data Type list, click DWORD.
    5. In the Value Name box, type Enabled, and then click OK.Note If this value is present, double-click the value to edit its current value.
    6. In the Edit DWORD (32-bit) Value dialog box, type 0 .
    7. Click OK. Restart the computer.

    Note This workaround will disable SSL 3.0 for all client software installed on a system.

    Note After applying this workaround, client applications on this machine will not be able to communicate with other servers that only support SSL 3.0.

  • The attack works only on traffic sessions using SSLv3. Although this is an old protocol that has been replaced in many client and server configurations with TLS (Transport Layer Security), many browser clients and web servers that use TLS for connections still support SSLv3.
    Some products and browsers, like Internet Explorer 6 for Windows XP, only use SSLv3. There are also clients that support SSLv3 as an alternative to use whenever a TLS connection to a web server fails.
    An attacker could exploit this compatibility to downgrade a connection to SSLv3 and then conduct the POODLE attack to hijack your session.Google’s security team has recommended that systems administrators simply turn off support for SSLv3 to avoid the problem. But this will mean that some users trying to connect securely to a web server using SSLv3 will have trouble connecting if they’re using a client that only supports this protocol.
  • SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and,in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

    “This attack is really against clients—you have to worry about it if you’re in a place like Starbucks,” says Rob Graham, CEO of Erratasec. “If you’re at home there’s probably no one man-in-the-middling you except the NSA. So as a home user, you don’t need to panic. As a server [administrator], you probably don’t need to panic if your customers are coming in over home connections. Only if they’re coming in over [something like] a Starbucks Wi-Fi.”…Source: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

More to come later

Advertisements

One thought on “About #Poodle #Hack of #SSLv3 and How to Secure Online Business

  1. Reblogged this on Social Networking Lab: Search Engine & Social Media Marketing, B2B and Technology News and commented:

    Security Vulnerability Named POODLE was discovered recently.

    What is poodle stand for sslv3 hack?
    Padding Oracle On Downgraded Legacy Encryption
    Poodle, which stands for Padding Oracle On Downgraded Legacy Encryption (PDF), is a problem because it’s used by both websites and Web browsers. Both must be reconfigured to prevent using SSL 3.0, and Poodle will remain a problem as long as SSL 3.0 is supported.
    Google exposes ‘Poodle’ flaw in Web encryption standard …

    POODLE Vulnerability: Frequently Asked Questions.
    What is the SSLv3 POODLE Vulnerability?
    On October 15 Google published details of vulnerability in the design of SSL version 3.0. This vulnerability
    allows the plaintext of secure connections to be calculated by a network attacker. The new vulnerability,
    named ‘POODLE’, compromises encryption, by forcing a browser or client to use the less secure SSLv3
    encryption protocols instead of TLS protocols (eg TLSv1.2). It then carries out a BEAST (Browser Exploit
    Against SSL/TLS) attack to obtain information from the encrypted stream.
    Is This Really Such a Big Issue?
    Yes. Although SSL 3.0 is nearly fifteen years old, support for it remains widespread. Most importantly, nearly all
    browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections
    with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures,
    they can trigger the use of SSL 3.0 and then exploit this issue.

    Who does Poodle Affect?
    Any merchant using Internet Explorer 6 (IE6) to access secure online payment gateways system pages or any merchant whose site or solution uses SSLv3 to post transactions to Authorize.Net.

    What should I tell my customers if they ask about POODLE?

    You can instruct any concerned customers to visit https://zmap.io/sslv3/ to confirm if their browser supports SSLv3. It includes instructions on how to disable SSLv3 for all modern browsers.

    What to do if i Use Internet Explorer 6?

    If you are using a version of Internet Explorer older than 7.0, please visit http://www.microsoft.com/en-us/download/internet-explorer.aspx to upgrade.

    Firefox, Safari and Chrome users should not be affected.

    Important announcement about POODLE and payment security.
    read more here:nikolaygul.wordpress.com/2014/11/03/poodle-hack-of-sslv3/

    Like

Comments are closed.