Poodlebleed is a vulnerability in the design of SSL version 3.0. Poodle is actually an acronym for Padding Oracle On Downgraded Legacy Encryption. The vulnerability allows secure connections to be decrypted to plaintext. The bug was discovered by Google Security Team researcher Bodo Möller in collaboration with Thai Duong and Krzysztof Kotowicz.
Although SSL 3.0 is almost 15 years old, many servers and web browsers still use it today. When web browsers fail to connect with a newer protocol version (i.e. TLS 1.0, 1.1, or 1.2), they may fall back to an SSL 3.0 connection. This is where the trouble begins.
Because a network attacker can cause connection failures, including the failure of TLS 1.0/1.1/1.2 connections, they can force the use of SSL 3.0 and then exploit the Poodle bug in order to decrypt secure content transmitted between a server and a browser. For nitty-gritty details on what exactly the Poodlebleed bug is, please see the PDF announcement under resources.
Clients and Browsers
For the best client-end browser security, it is recommended to completely disable SSL 3.0. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue. However, this presents significant compatibility problems for servers running old encryption protocols. Therefore the recommended response is to support TLS_FALLBACK_SCSV. Most major browsers will support TLS_FALLBACK_SCSV in the coming months. Until then, you can protect yourself by disabling SSL 3.0 support in your browser.
In Firefox, this can be done by going to about:config and setting security.tls.version.min to 1.
This browser test by Qualys, Inc. can provide further details on the TLS and SSL methods supported by your browser. If your browser currently supports SSL 3.0 or SSL 2.0 and does not support TLS_FALLBACK_SCSV, you are vulnerable to the Poodle bug and need to upgrade to Google Chrome or disable SSL 2/3 support. Currently, only Google Chrome version 33.0.1750 (February 2014 Build) and newer supports TLS_FALLBACK_SCSV; all other browsers are safest with SSL 3.0 disabled.
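How TLS_FALLBACK_SCSV stops the forced downgrade described above, as an added example that is not part of the original page: the server-side rule from RFC 7507, run over constructed ClientHello records. The helper names, the sample cipher suites and the simplified record layout (no extensions, no server minimum version) are assumptions made for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # signalling cipher-suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86        # fatal alert code (RFC 7507)
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303

def build_client_hello(version, suites):
    """Build a minimal ClientHello record (constructed sample, no extensions)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

def parse_client_hello(record):
    """Return (client_version, cipher_suites) from a single ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if rec_len != len(record) - 5 or int.from_bytes(record[6:9], "big") != rec_len - 4:
        raise ValueError("length fields do not match the data")
    body = record[9:]
    try:
        version = struct.unpack("!H", body[:2])[0]
        pos = 34 + 1 + body[34]                  # skip version, random and session_id
        n = struct.unpack("!H", body[pos:pos + 2])[0]
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    raw = body[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("bad cipher-suite list")
    return version, [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, n, 2)]

def server_check(record, server_max=TLS12):
    """RFC 7507 rule: refuse a fallback retry that is below the server's best version."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(version, server_max))

if __name__ == "__main__":
    suites = [0x002F, 0x0035]                    # two sample CBC suites
    print(server_check(build_client_hello(TLS12, suites)))                       # normal hello
    print(server_check(build_client_hello(SSL3, suites)))                        # downgrade, no SCSV
    print(server_check(build_client_hello(SSL3, suites + [TLS_FALLBACK_SCSV])))  # downgrade caught
```

The second case shows why both sides must support the signal: a fallback ClientHello without TLS_FALLBACK_SCSV is indistinguishable from a genuine SSL 3.0 client, so the server negotiates SSL 3.0.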
Servers
The form below can be used to test whether your server is running with SSL 3.0 enabled. Although disabling SSL 3.0 may cause failed connections to your SSL service for a small portion of users running older browsers, this action prevents the large portion of modern browsers from being eavesdropped on while attempting to access your services in a secure manner. Here is a great resource on disabling SSL 3.0 on your server running Apache or nginx.
Source: poodlebleed.com
Sunday, October 19, 2014