Earlier this month security researchers identified yet another flaw, which they called POODLE (officially tracked as CVE-2014-3566), in an old secure connection protocol called SSL (Secure Sockets Layer). Vision Critical has examined the issue, and this blog post details our considered response and action plans.
We’ll be making changes to block this attack on November 12, which means that very old and unsupported browsers will not be able to access VC Insight Communities any more. All supported web browsers will be unaffected. If you still use an unsupported browser, we recommend upgrading not only to continue to access our insight communities, but also to better protect yourself from criminals on the internet.
To understand how POODLE might affect you, it helps to understand the history of secure connections. Most web users know SSL as the technology that puts the lock icon in your browser address bar. The latest version of the SSL protocol, version 3, is almost 20 years old and was replaced by successor protocols (called Transport Layer Security, or TLS) in 1999. TLS offers better security and functionality and is not vulnerable to POODLE; however, many web browsers and web servers still supported the old protocol for backwards compatibility. In the intervening years, as TLS was updated several times and new web browsers and web servers arrived, many web services stopped supporting SSL altogether. The only web browsers that still need SSL are old and unsupported ones, chief among them Internet Explorer 6 on Windows XP – both products are no longer supported by Microsoft and no longer receive security updates to protect them from viruses and hackers.
Criminals can use POODLE to expose secrets inside an SSL connection, but only at the rate of one byte (a single character or number) per 256 attempts. Extracting anything useful, such as a browser cookie, takes a large number of connections (we estimate 4,000 attempts on the low end and up to 80,000 attempts on the high end), which will show up as a noticeable anomaly on our monitoring systems.
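An added example (not Vision Critical's code) of the kind of monitoring heuristic that would surface that anomaly: it counts failed SSLv3 sessions per client over a sliding window and flags any client that reaches one byte's worth of guesses. The log format, the window length and the threshold are assumptions, and the sample log lines are constructed.

```python
# Added example (not Vision Critical's code): flag clients whose SSLv3 failures look like
# POODLE's byte-at-a-time guessing, which costs about 256 attempts per recovered byte.
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format (assumption): "<ISO timestamp> <client ip> <protocol> <outcome>",
# where each failed guess shows up as an SSLv3 session ending in a bad_record_mac alert.
ATTEMPTS_PER_BYTE = 256              # figure from the text
WINDOW = timedelta(minutes=10)       # assumption: sliding window for the heuristic
THRESHOLD = ATTEMPTS_PER_BYTE        # assumption: one byte's worth of failures is already abnormal

def parse_line(line):
    ts, ip, proto, outcome = line.split()
    return datetime.fromisoformat(ts), ip, proto, outcome

def flag_poodle_clients(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak count} for clients with >= threshold failed SSLv3 sessions in any window."""
    failures = defaultdict(list)
    for line in lines:
        ts, ip, proto, outcome = parse_line(line)
        if proto == "SSLv3" and outcome == "bad_record_mac":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def estimated_attempts(secret_bytes):
    """Expected number of connections needed to recover a secret of the given length."""
    return secret_bytes * ATTEMPTS_PER_BYTE

def constructed_log():
    """Constructed sample: a normal TLS client, a legacy SSLv3 client with two stray
    failures, and one client replaying guesses against a 16-byte cookie, four per second."""
    base = datetime(2014, 10, 20, 10, 0, 0)
    stamp = lambda secs: (base + timedelta(seconds=secs)).isoformat()
    lines = [f"{stamp(i * 30)} 192.0.2.10 TLSv1.2 handshake_ok" for i in range(20)]
    lines += [f"{stamp(i * 60)} 192.0.2.11 SSLv3 handshake_ok" for i in range(5)]
    lines += [f"{stamp(i * 60)} 192.0.2.11 SSLv3 bad_record_mac" for i in range(2)]
    lines += [f"{stamp(i // 4)} 203.0.113.7 SSLv3 bad_record_mac"
              for i in range(estimated_attempts(16))]
    return lines

if __name__ == "__main__":
    print(flag_poodle_clients(constructed_log()))
```

The legacy client with a couple of genuine SSLv3 failures stays below the threshold, while the guessing client is reported with its peak count inside a single window.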
POODLE does not result in passwords or encryption keys being exposed. This security flaw works best at stealing browser cookies. While it is technically possible to extract a password or an encryption key, doing so requires several implausible conditions to hold before it is even possible. We can safely ignore it as a risk; Vision Critical's software certainly doesn't behave in that way.
POODLE requires the attacker to control part of the network between the victim and the website that runs SSL, which makes the scope of victims very small. A criminal would have to take over part of the network, typically the router (such as the one you get from your cable company) or the firewall managed by your IT department. Once the criminal had control, he or she could only target the websites the victims actually used; this means the attacker would be using POODLE opportunistically rather than being able to pre-emptively target a specific website. Websites like Google and Facebook are much more likely targets in this scenario.
This type of attack requires complex execution because it involves more than just the victim's web browser. More importantly, it does not let the attacker pre-select the website to target, with the exception of some very large and popular sites.
Upon learning about POODLE, our operations and security teams evaluated our exposure and concluded that, because of all of the above, we did not need to rush to fix this issue as we did with Shellshock and Heartbleed. The decision was driven by two considerations: the risk associated with POODLE and the impact of the fix on our customers and their community members. We have wanted to turn SSL off for a while since it is an old protocol; POODLE just means we move that timing up.
We determined that POODLE was not a high-risk issue. We evaluated the severity of POODLE and the likelihood of a successful attack causing a meaningful impact on our communities. The severity rating of POODLE was set by an industry body as medium, not high. The likelihood of a successful attack is low because of the factors I outlined above. A few community members could be affected, but POODLE would have been unlikely to affect our community administrators, since they are more than likely operating on secure networks. Frankly, we think criminals on the internet have better options, both easier and more reliable, for taking advantage of their victims.
Finally, we considered the impact on our customers and community members. The industry average share of connections that still use SSL sits at around 0.65%. The traffic we see visiting our communities aligns with that average. Turning off SSL immediately would mean that some community members would no longer be able to participate in our customers' communities. Giving our customers some notice of this change would help them understand what it might mean for their communities, which we expect to be little to no impact at all.
Vision Critical plans to shut off SSLv3 support on November 12th, 2014; any users still on old and unsupported browsers should upgrade as soon as possible. If you would like to discuss our approach or the upcoming change, please contact your customer success manager or the Vision Critical Technical Support team.