Background on - and testing for - POODLE (the SSLv3 vulnerability). Obviously some details/context missing but the testing side is expanded at http://www.exploresecurity.com/thoughts-on-testing-for-poodle/

1. SSLv3 and POODLE
Background and testing methodology
Based on an internal presentation
Jerome Smith, 30/10/14

2. What’s the problem?
• SSLv3 authenticates before it encrypts
– So you have to decrypt before you can check for tampering
• https://www.imperialviolet.org/2014/10/14/poodle.html
GET / HTTP/1.1rnCookie: abcdefghrnrnxxxxMAC-DATA-------7
• Padding bytes can be anything (“non-deterministic”)
– Not covered by the MAC
– Last byte is number of padding bytes
• Padding Oracle On Downgraded Legacy Encryption
– Oracle – a database black box that leaks information
– Padding Oracle – an oracle that tells you whether or not the
padding of a decrypted message is correct

3. Padding Oracle Decryption
GET / HTTP/1.1rnCookie: abcdefghrnrnxxxxMAC-DATA-------7
• Ci8 decrypts to INTi8 (Ci8 is 8th byte of cookie block, ordinal i of n, moved to last block Cn)
• When INTi8 XOR Cn-18 = 7 the record will be accepted (attacker knows this and can
manipulate Cn-18)
• So INTi8 = 7 XOR Cn-18
• And Pi8 = INTi8 XOR Ci-18
Wikipedia
(pretend block size is 8!)

4. Padding Oracle Decryption
GET /a HTTP/1.1rnCookie: abcdefghrnrnxxxMAC-DATA-------7
• Lengthen URL, shorten end → attack next byte

5. Protocol Fallback
• Padding Oracle On Downgraded Legacy
Encryption
• Clients and servers don’t often opt for SSLv3
– But if the client has problems connecting, it will
try again with a lower protocol version in the
interests of usability
– A MITM can cause such problems until the client
falls back to using SSLv3

6. Testing
• All tools check for SSLv3 support
• Manually
openssl s_client -ssl3 –connect host:443
– this just confirms SSLv3 generally, it obviously only
reports 1 cipher suite
• If the server prefers RC4-based ciphers then
unlikely to be exploitable
– So server preference should be used to qualify risk
rating

7. Cipher suite preference
• Tools can disagree over SSLv3 preference
• SSLyze
• SSLscan
• Who’s right?

8. Cipher suite preference
openssl s_client -ssl3 –connect host:443
openssl s_client -ssl3 -cipher DES-CBC3-SHA:RC4-SHA –connect
host:443
openssl s_client -ssl3 -cipher RC4-SHA:DES-CBC3-SHA –connect
host:443
• All of them returned:
• Looks like SSLyze was wrong
– I posted https://github.com/nabla-c0d3/sslyze/issues/10
– SSLyze restricts the number of ciphers in the Client Hello “due to
a bug in a specific brand of load balancers”
– Unnecessary here as server supported only 3 ciphers

9. Prevention
• I know, I’ll prefer RC4 ciphers (er…)
• Disable SSLv3
– POODLE isn’t the only reason to disable SSLv3
– Oh no, I’ve lost my IE6 user base
• Implement TLS_FALLBACK_SCSV
– Client signals it is knowingly performing fallback: if server supports a higher
version, something’s gone wrong
• Anything that relies on OpenSSL: use 1.0.1j, 1.0.0o, 0.9.8zc
– But both ends must support it
• Chrome 33 (Feb 2014)
• Firefox 35 (Jan 2015); 34 will disable SSLv3 anyway
• Opera 25 (Oct 2014)
– Wider protection against downgrade attacks
• Bespoke client hacks (as was done with BEAST)
– Anti-POODLE record splitting (Opera 25) but protection is unidirectional
– Safari: update disables CBC cipher suites when TLS connections fail

10. Testing for TLS_FALLBACK_SCSV
• OpenSSL 1.0.1j
openssl s_client -ssl3 -fallback_scsv -connect host:443
• If it connects, it’s not implemented
• If it fails, check the error message for
“inappropriate fallback” alert