Discussion:
Quick question about the poodle fix
dol o
2014-10-17 14:37:40 UTC
Permalink
Dear Devs,

Here is the blogpost of the HTTPS breakdown:
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
From what I understand, the Client hello is the first part of the ssl
handshake that is not encrypted/HMAC’d

According to https://www.openssl.org/~bodo/ssl-poodle.pdf they recommend
that clients (Client Hello) send the value 0x56, 0x00 (TLS_FALLBACK_SCSV)
and the servers should accept the value 0x56, 0x00 (TLS_FALLBACK_SCSV) but
this is stuff is transmitted over plaintext which can potentially be
modified by an attacker. Can the vulnerable SSL connection still occur with
the removal of the TLS_FALLBACK value set from the client. Let me know what
you think when you get a chance.
Salz, Rich
2014-10-17 15:04:43 UTC
Permalink
Here is the blogpost of the HTTPS breakdown: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
From what I understand, the Client hello is the first part of the ssl handshake that is not encrypted/HMAC’d
No. Re-read the "prepare to be encrypted" section again. All handshake messages are covered by a MAC. If an adversary strips out the SCSV then the MAC's will not match.

/r$

--
Principal Security Engineer, Akamai Technologies
IM: ***@jabber.me Twitter: RichSalz
:��I"Ϯ��r�m���� (����Z+�K�+����1���x ��h����[�z�
b�7��P�i ��›��' ��ޢ�
Jakob Bohm
2014-10-17 15:05:14 UTC
Permalink
Post by dol o
Dear Devs,
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
From what I understand, the Client hello is the first part of the ssl
handshake that is not encrypted/HMAC’d
According to https://www.openssl.org/~bodo/ssl-poodle.pdf
<https://www.openssl.org/%7Ebodo/ssl-poodle.pdf>they recommend that
clients (Client Hello) send the value 0x56, 0x00 (TLS_FALLBACK_SCSV)
and the servers should accept the value 0x56, 0x00 (TLS_FALLBACK_SCSV)
but this is stuff is transmitted over plaintext which can potentially
be modified by an attacker. Can the vulnerable SSL connection still
occur with the removal of the TLS_FALLBACK value set from the client.
Let me know what you think when you get a chance.
No, while not encrypted, the Client Hello message will be
signed/hashed later in the handshake, ensuring that the connection
will fail if it is modified, otherwise much worse could be done
(such as removing all the strong ciphers from that same list, thus
causing 40 bit encryption).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 SÞborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dol o
2014-10-17 15:32:28 UTC
Permalink
Thanks for the help guys, I appreciate it. Have a good weekend!
Post by dol o
Dear Devs,
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
From what I understand, the Client hello is the first part of the ssl
handshake that is not encrypted/HMAC’d
According to https://www.openssl.org/~bodo/ssl-poodle.pdf they recommend
that clients (Client Hello) send the value 0x56, 0x00 (TLS_FALLBACK_SCSV)
and the servers should accept the value 0x56, 0x00 (TLS_FALLBACK_SCSV) but
this is stuff is transmitted over plaintext which can potentially be
modified by an attacker. Can the vulnerable SSL connection still occur with
the removal of the TLS_FALLBACK value set from the client. Let me know what
you think when you get a chance.
No, while not encrypted, the Client Hello message will be
signed/hashed later in the handshake, ensuring that the connection
will fail if it is modified, otherwise much worse could be done
(such as removing all the strong ciphers from that same list, thus
causing 40 bit encryption).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 SÞborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Loading...