On 14th October 2014, Google's Security team announced a security vulnerability in the SSL protocol affecting SSL version 3.0 (CVE-2014-3566). This is now commonly being referred to as the “POODLE” bug.
What can it affect?
For an attacker to be able to make use of “POODLE”, all of the following things must be true:
- The attacker must be able perform a Man-in-the-Middle attack. This means that the attacker must have control of at least one piece of networking equipment which is in between your web browser and the Citizen Space server that you are using. The difficulty of doing this varies depending on where you are. For example, it is extremely easy to perform a Man-in-the-Middle attack against somebody using coffee-shop wifi, whereas performing a Man-in-the-Middle attack against somebody browsing from an office with a professional IT department is typically very difficult.
- The web server that you are talking to allows SSL version 3.0 connections. Most web servers on the internet, including Delib's, currently allow SSL version 3.0 connections.
- For a practical attack against Citizen Space specifically, your web browser must have secret information stored in a cookie, such as an administrator's login cookie, or a survey respondent's consultation_id cookie.
Additionally, if both the web server and your web browser support the “TLS_FALLBACK_SCSV” feature then the “POODLE” attack will be thwarted. Currently, only recent versions of Google Chrome have support for TLS_FALLBACK_SCSV, but we anticipate that support for “TLS_FALLBACK_SCSV” added to other browsers in the near future. Delib's web servers do not currently support “TLS_FALLBACK_SCSV”, but we are in the process of adding support as soon as possible.
What can an attacker do?
An attacker with some knowledge about Citizen Space and the ability to perform a “POODLE” attack, as outlined above, could use this to slowly steal information from a user who is using Citizen Space. Our current estimate is that it would take approximately an hour to steal one login or consultation_id cookie.
What can be done about it?
There are two paths to preventing “POODLE” attacks:
- Enabling TLS_FALLBACK_SCSV.
- Disabling SSL version 3.0.
- Delib are currently upgrading all of our servers to support “TLS_FALLBACK_SCSV”. We expect no disruption from this upgrade.
- Use web browsers and web servers that support “TLS_FALLBACK_SCSV”.
- Administrators may wish to switch to current versions of Google Chrome, which supports “TLS_FALLBACK_SCSV” at the moment.
- We expect that support for “TLS_FALLBACK_SCSV” will be added to other web browsers in the near future.
Disabling SSL version 3.0:
SSL version 3.0 is not the newest existing version of the SSL protocol. Newer versions exist, confusingly called TLS 1.0, TLS 1.1 and TLS 1.2. None of the newer TLS versions are vulnerable to the “POODLE” attack. For any server which is only used by clients that support TLS 1.0 or newer, it is possible to simply switch off support for SSL version 3.0.
Internet Explorer 6.0 is the only web browser in widespread use which does not support the newer, safe versions of SSL. We can deactivate SSL version 3.0 for any Citizen Space instance where it is not expected that administrators or visiting members of the public will be using Internet Explorer 6.
Delib will be removing SSL version 3.0 support from Citizen Space servers which receive less than 0.1% of their visits from users of Internet Explorer 6. Delib will be arranging with customers whose Citizen Space instances receive less than 1% of their traffic from users of Internet Explorer 6 to disable support for SSL version 3.0 as soon as is feasible. A very small number of Citizen Space customers currently receive more than 1% of their traffic from users of Internet Explorer 6, and these systems will be dealt with separately on a case by case basis.