What about POODLE attacks?
If your server still supports SSLv3, then chances are you're putting both servers and clients at risk, so it's pretty important stuff. Here are some resources and tests for POODLE vulnerabilities:
New: Just when you thought it was taken care of by removing SSLv3 in favour of TLS, researchers discover that some TLS implementations leave some major sites open to the POODLE attack.
TLS's padding is a subset of SSLv3's padding so, technically, you could use an SSLv3 decoding function with TLS and it would still work fine. It wouldn't check the padding bytes but that wouldn't cause any problems in normal operation. However, if an SSLv3 decoding function was used with TLS, then the POODLE attack would work, even against TLS connections. - Adam Langley
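To make the padding difference Adam Langley describes concrete, here is an added illustration (written for this page, not code from any TLS library): an SSLv3-style decoder that only reads the length byte beside a TLS-style decoder that checks every padding byte. Encryption and the MAC are left out, the block size and the sample plaintext are constructed, and each "record" is the already-decrypted block.

```python
# Added example: SSLv3-style vs TLS-style padding validation, written from
# scratch to illustrate the point above; it is not code from any TLS library.
# Encryption and the MAC are left out so only the padding check is visible,
# so each "record" here is the already-decrypted plaintext block.
from typing import Optional

BLOCK_SIZE = 16  # block size of a CBC cipher such as AES; a constructed choice


def tls_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """TLS padding: pad_len + 1 trailing bytes, every one equal to pad_len."""
    pad_len = (block_size - (len(data) + 1)) % block_size
    return data + bytes([pad_len]) * (pad_len + 1)


def sslv3_unpad(record: bytes, block_size: int = BLOCK_SIZE) -> Optional[bytes]:
    """SSLv3 rule: only the final byte (the length) is meaningful; the other
    padding bytes are never inspected. Returns None if the record is rejected."""
    pad_len = record[-1]
    if pad_len >= block_size or pad_len + 1 > len(record):
        return None
    return record[: len(record) - pad_len - 1]


def tls_unpad(record: bytes) -> Optional[bytes]:
    """TLS rule: every padding byte must equal the length byte. This is the
    check that a decoder reusing SSLv3 logic skips. Returns None on rejection."""
    pad_len = record[-1]
    if pad_len + 1 > len(record):
        return None
    padding = record[len(record) - pad_len - 1:]
    if any(b != pad_len for b in padding):
        return None
    return record[: len(record) - pad_len - 1]


def compare_decoders() -> dict:
    """Pad a constructed plaintext, corrupt one padding byte (not the length
    byte), and see which decoder still accepts the record."""
    plaintext = b"GET / HTTP/1.1"               # 14 bytes -> pad_len 1, two 0x01 bytes
    good = tls_pad(plaintext)
    tampered = good[:-2] + b"\x41" + good[-1:]  # padding byte altered, length byte kept
    return {
        "good_sslv3": sslv3_unpad(good),
        "good_tls": tls_unpad(good),
        "tampered_sslv3": sslv3_unpad(tampered),  # accepted: the lax check never looks
        "tampered_tls": tls_unpad(tampered),      # rejected: None
    }
```

The tampered record is exactly what a full TLS check should refuse; a decoder that accepts it is the condition Langley's note warns about, so an implementation review should confirm that the strict branch is the one in use for TLS connections.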
Another quality update courtesy of Qualys Labs:
The impact of this problem is similar to that of POODLE, with the attack being slightly easier to execute: no need to downgrade modern clients down to SSL 3 first, TLS 1.2 will do just fine. The main targets are browsers, because the attacker must inject malicious JavaScript to initiate the attack. - Ivan Ristic
Update: Are Trusted Canadian Websites Vulnerable to POODLE?
In "Poodle Bug Returns, Bites Big Bank Sites" Brian Krebs reports that some US banks are vulnerable to the POODLE attack, at least as determined using the online scanning tool provided by Qualys. We did the same for the major Canadian banks and found that they all got a B and are not vulnerable to POODLE attacks, which is a far cry from the Fs earned by some of their U.S. counterparts. Hooray for relative security! Click the links to see all the reports.
Improved since Dec 13, 2014:
- Privacy Commissioner of Canada (Complaint Registration; previous score: F)
- Telus Customer Portal (previous score: F)
- Service Canada Job Bank (previous score: C)
- EHealth Ontario Portal (previous score: C)

You'll never guess who got an F!
- ServiceOntario Drivers License Renewal (last check: Jan 21)
- Equifax Canada Credit & Identity Monitoring (last check: Jan 21)

The highest mark we've seen so far goes to:
- Sony Canada Online Store
- Industry Canada (Business Registrations & Incorporation Services; up from F on Dec 13, 2014)
- Canada Revenue Agency (up from C on Dec 13, 2014)

Got a question, suggestion or correction? For site updates or comments email Soundbites@SecurityandPrivacy.ca or tweet / follow @datarisk
POODLE on Power Systems
A number of parties have mentioned that midrange systems, and the IBM i platform in particular, are largely invulnerable to POODLE. This is not entirely true, as IBM has released a number of advisories to raise awareness of the risk to various products and services:
- IBM Domino impact and Interim fixes
- WebSphere Application Server
- CICS Explorer and Transaction Gateway
- Lotus Notes Traveler
Dec 9 Update:
IBM i shops that continue to use SSLv3 to encrypt their communications are susceptible to the POODLE security vulnerability and could have their data compromised, IBM warned today in a security bulletin. IBM also issued new security patches that disable SSLv3 in IBM i's Java runtime. While IBM recommends moving to the newer TLS protocol, many IBM i applications still require SSLv3 and will likely break when it's disabled, IBM warns. - Alex Woodie