Tuesday, 14 October 2014

SSL issue again? [UPDATE 2]

Today The Register announced that there will be a new threat against SSL soon.
According to the source there are currently only rumours going on and the only information is that it will be a threat to SSL v3.

So maybe it's just time to get prepared for whatever comes our way.

What I have done on my server:
    1. I checked details about my current SSL usage via https://www.ssllabs.com/ssltest/analyze.html?d=<SERVERNAME>
    2. As there were some minus points in the check, I just created a new cert using 2048 bit and SHA-256
    3. I adjusted some settings in my Apache config:

  • SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
  • SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL

    So I have currently disabled SSL, forcing only TLS. This uses the same library, while only some "handshake" information changes; maybe this buys some extra time.

    So let's find out what the night brings.

    [UPDATE 2014/10/15]
    The issue is announced.

    http://www.thedomains.com/2014/10/14/google-discloses-a-vulnerability-in-ssl-3-0/

    http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/

    I haven't seen a proof of concept yet. But as it seems, it is just a fallback issue: you can force the SSL/TLS version down to a vulnerable (or less secure) version, for example SSLv3, which now has an issue that lets an attacker calculate the plaintext of the secure connection.

    So the ideas yesterday (see above) are still right.


    [UPDATE 2014/10/16]
    Just for the record:

    A great overview on all changes you can do to protect yourself:

    https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/

    And as an update to my ideas above, you may want to set your cipher suite to:

    SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:DHE+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5

    Then it will support "Forward Secrecy", at least for some browsers.
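
To compare the two configurations in this post, here is a small config audit, added as an example and not part of the original post. It assumes mod_ssl evaluates SSLProtocol tokens left to right (+ adds, - removes, a bare name replaces) and that "all" still includes SSLv3, as on 2014-era builds; the function names are hypothetical.

```python
import re

# Weak cipher classes that the post's updated suite removes permanently with "!".
WEAK_CLASSES = ("aNULL", "eNULL", "EXP", "LOW", "MD5")
# Assumption: on 2014-era builds the keyword "all" still includes SSLv3.
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def enabled_protocols(value):
    """Evaluate an SSLProtocol value left to right (assumed mod_ssl semantics)."""
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        group = set(ALL_PROTOCOLS) if name == "all" else {name}
        if action == "+":
            enabled |= group
        elif action == "-":
            enabled -= group
        else:
            enabled = group  # a bare name replaces what came before
    return enabled

def missing_exclusions(cipher_string):
    """Weak classes with no permanent '!' exclusion (does not expand the string)."""
    tokens = re.split(r"[:, ]+", cipher_string)
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    return [c for c in WEAK_CLASSES if c not in excluded]

def audit(config_text):
    """Return (line number, finding) pairs for SSLProtocol / SSLCipherSuite lines."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        match = re.match(r"(?i)(SSLProtocol|SSLCipherSuite)\s+(.+)", line)
        if not match:
            continue
        directive, value = match.group(1).lower(), match.group(2).strip()
        if directive == "sslprotocol":
            if "sslv3" in enabled_protocols(value):
                findings.append((lineno, "SSLv3 enabled"))
        else:
            findings += [(lineno, "no !" + c) for c in missing_exclusions(value)]
    return findings

# The two configurations from the post, embedded as sample input.
FIRST = """SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL"""
UPDATED = """SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:DHE+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5"""

if __name__ == "__main__":
    for name, text in (("first", FIRST), ("updated", UPDATED)):
        print(name, audit(text))
```

The cipher check only looks for explicit "!" exclusions; `openssl ciphers -v '<string>'` prints what a string actually expands to on the local OpenSSL build.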