10

I have been reading up on the POODLE vulnerability. From my understanding, and correct me if I am wrong, you need to allow connections to be made via SSLv3 on the server.

The server I am currently running defaults to TLS 1.0 in the browsers I have tested but I am not certain if the connection will downgrade to SSL 3.0 if the client asked for it.

Is there a way in Chrome or any other browser to force the use SSL 3.0. I merely want to test if my site(s) permit connection via SSL 3.0 or not.

Kami
  • Possible Dupe of the question https://superuser.com/questions/827377/disabling-ssl-3-on-64bit-chrome-for-windows please check the Stack Exchange network before asking questions to make sure your answer isn't on it already :) – Lighty Oct 17 '14 at 08:42
  • @Lighty I am not asking how to disable it - I am asking how to force a connection via SSL3 - I have rephrased the question to clarify. – Kami Oct 17 '14 at 08:52
  • Note that just because SSLv3 is used on a connection does not mean it is vulnerable to POODLE. You can also disable CBC ciphering to prevent the attack. – phemmer Oct 17 '14 at 12:58

3 Answers

6

It doesn't necessarily matter what your server uses by default - most servers and clients are configured to negotiate the highest protocol available. A major aspect of the POODLE attack is that an attacker can cause connection failures in a higher (non-vulnerable) protocol, and downgrade the victim to SSL3. Then they can exploit the vulnerability in SSL 3.

Source: http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html

So the client doesn't need to ask for the connection to be downgraded - an attacker with access to network traffic can do this. Any client that supports SSL 3 is potentially vulnerable (if the server does as well and SCSV isn't enabled both ends).

But yes, most of the browsers allow you to disable SSL/TLS versions, and in some cases you could choose to disable newer protocols.

  • In Internet Explorer, you can disable SSL/TLS protocols from Internet Options > Advanced.
  • In Firefox, you can set the security.tls.version.max and security.tls.version.min Firefox preferences to select a specific version.
  • In Google Chrome, you can use the --ssl-version-max and --ssl-version-min command line flags to select a specific protocol version. The accepted values are: "ssl3", "tls1", "tls1.1", or "tls1.2". How to set command line flags on Chrome.

It should go without saying that you should typically only use such methods to disable old insecure protocols (like SSL 2 and 3 currently).

itscooper
3

Firefox browser provides the easiest way to do such testing via the advanced settings in about:config

where security.tls.version can be of the following values

  • 0 - SSLv3 (set max and min value to this)
  • 1 - TLSv1.0
  • 2 - TLSv1.1
  • 3 - TLSv1.2

What you will see when the website does not support SSLv3 is this:

[screenshot: connection error]

Please remember to set it back to max 3 and min 1 after use.

Question Overflow
  • Funny, after setting both to `0`, I still see the connection is established with TLSv1.2... (btw, I had `max` set to `4` by default). – RAM237 Sep 25 '19 at 16:11
0

Any connection made on SSL v3 and using CBC ciphers is vulnerable to the Poodle attack. Browsers (older browsers and other clients) will negotiate SSL as we write this, although most have disabled SSL by default and only work with TLS.

Note that there is a new Poodle on TLS vulnerability that we will not talk about in this thread.

The only way to disable such a Poodle on SSL attack is to disable SSL completely (v3 and earlier) or if you really need SSL v3 for compatibility with older clients, remove any CBC ciphers from the list of cipher suites that the server will support.

If you want to test whether your site supports SSL, you can use SSLLabs or the Symantec CertChecker to name a few.

Khanna111
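A way to run the check the question asks for without depending on browser flags, added here as an example that is not from the question or from any of the answers: a minimal SSLv3 ClientHello is sent to the server and the first record it sends back is classified along the lines of the third answer (SSLv3 accepted with a CBC suite means POODLE exposure; an alert means SSLv3 was refused), with the optional TLS_FALLBACK_SCSV signal from RFC 7507 that the first answer alludes to. The function names, the `probe` helper, and the byte strings in `SAMPLE_REPLIES` are my own constructions; the cipher suite and alert numbers are the standard IANA registry values.

```python
import os
import socket
import struct
from typing import Optional

# Cipher suites offered in the probe (IANA registry values). The CBC suites are the
# ones POODLE abuses; RC4 is offered too so "SSLv3 but CBC-free" can be told apart.
CBC_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}
NON_CBC_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
SSLV3 = 0x0300
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_sslv3_client_hello(with_scsv: bool = False, random_bytes: Optional[bytes] = None) -> bytes:
    """Return one record carrying an SSLv3 ClientHello (SSLv3 has no extensions)."""
    random_bytes = os.urandom(32) if random_bytes is None else random_bytes
    suites = list(CBC_SUITES) + list(NON_CBC_SUITES)
    if with_scsv:
        suites.append(TLS_FALLBACK_SCSV)      # tells an SCSV-aware server this is a fallback
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", SSLV3) + random_bytes
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", SSLV3, len(handshake)) + handshake


def classify_server_response(record: bytes) -> dict:
    """Interpret the first record a server returns for the SSLv3 ClientHello."""
    if len(record) < 5:
        return {"result": "no_tls_record"}        # e.g. server just closed the socket
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if ctype == 0x15 and len(body) >= 2:          # alert record: level, description
        desc = body[1]
        name = ALERT_NAMES.get(desc, str(desc))
        if desc == 86:
            return {"result": "scsv_enforced", "alert": name}
        return {"result": "sslv3_refused", "alert": name}
    if ctype == 0x16 and body[:1] == b"\x02":     # handshake record, ServerHello
        hello = body[4:]                          # skip type + 3-byte length
        if len(hello) < 35 or len(hello) < 37 + hello[34]:
            return {"result": "unrecognised", "content_type": ctype}
        srv_version = struct.unpack("!H", hello[:2])[0]
        sid_len = hello[34]                       # version(2) + random(32) precede it
        suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
        if srv_version != SSLV3:
            return {"result": "unexpected_version", "version": hex(srv_version)}
        name = CBC_SUITES.get(suite) or NON_CBC_SUITES.get(suite) or hex(suite)
        return {"result": "sslv3_accepted", "cipher": name, "poodle_exposed": suite in CBC_SUITES}
    return {"result": "unrecognised", "content_type": ctype}


def probe(host: str, port: int = 443, with_scsv: bool = False, timeout: float = 5.0) -> dict:
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello(with_scsv))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return {"result": "timeout"}
    return classify_server_response(reply)


def _constructed_server_hello(suite: int) -> bytes:
    """Constructed SSLv3 ServerHello record (fixed random, empty session id) for offline tests."""
    body = struct.pack("!H", SSLV3) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", SSLV3, len(hs)) + hs


# Constructed sample replies, not captured from any real server.
SAMPLE_REPLIES = {
    "legacy_server": _constructed_server_hello(0x002F),      # SSLv3 + AES-CBC: POODLE-exposed
    "rc4_only_server": _constructed_server_hello(0x0005),    # SSLv3 but no CBC suite
    "hardened_server": b"\x15\x03\x00\x00\x02\x02\x46",      # fatal protocol_version (70)
    "scsv_server": b"\x15\x03\x00\x00\x02\x02\x56",          # fatal inappropriate_fallback (86)
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], with_scsv="--scsv" in sys.argv))
    else:
        for label, reply in SAMPLE_REPLIES.items():
            print(label, classify_server_response(reply))
```

Run it with no arguments to see the classification of the constructed replies, or with your own hostname (and optionally `--scsv`) to probe a server you operate. Many hardened servers close the connection without sending an alert, which shows up as `no_tls_record`; only an SSLv3 ServerHello carrying a CBC suite is reported as `poodle_exposed`. The probe stops after the ServerHello and performs no further part of the handshake.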