Poodle vulnerability: Lab issue RC viewer with browser fix

On Wednesday October 15th I blogged about the Lab having issued a Grid Status update warning that those who use the viewer’s built-in browser may not be able to access certain websites. The notice was issued by the Lab as a result of the Padding Oracle On Downgraded Legacy Encryption (Poodle) vulnerability reported by Google.

As noted in my original article, the Poodle vulnerability exploits a flaw in the design of the SSL 3.0 protocol which, despite being 18 years old, is still used as a fallback security protocol within most browsers. By causing a series of connection failures between a browser and a website, an attacker can trigger what is called a “downgrade dance”, in which the browser eventually falls back to SSL 3.0 to keep communications going. Once that happens, the attacker can exploit the weakness in SSL 3.0 to recover sensitive data.

How a Poodle attack works (image courtesy of Critical Watch)

There are a couple of caveats to the vulnerability: for the attack to work, the attacker must be on the same wireless network as you or otherwise in the path of your communications (as shown above), and your client must be running JavaScript. Even so, it prompted Google to advise that SSL 3.0 support be disabled, or that websites use tools supporting TLS_FALLBACK_SCSV (Transport Layer Security Signalling Cipher Suite Value), which prevents “downgrade dance” attacks. This led some websites to remove or disable SSL 3.0 support, which in turn left those sites inaccessible from the viewer’s internal browser and browser-related services.
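To make the two mechanisms above concrete, here is an added example (not code from the original post or from the Lab) that models the downgrade dance and the TLS_FALLBACK_SCSV check from RFC 7507 in a few lines of Python. The version numbers and the SCSV value are the real protocol constants; the `Server` and `downgrade_dance` objects are a constructed simulation of handshake policy, not a TLS implementation, and the single cipher suite value is a placeholder.

```python
# Added example: a toy model of the SSL 3.0 "downgrade dance" and of the
# TLS_FALLBACK_SCSV defence (RFC 7507). Constructed simulation, not a TLS stack.

SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value defined in RFC 7507


class Server:
    """Models a server's version policy; supports_scsv toggles the defence."""

    def __init__(self, max_version, min_version, supports_scsv):
        self.max_version = max_version
        self.min_version = min_version
        self.supports_scsv = supports_scsv

    def hello(self, client_version, cipher_suites):
        """Answer one ClientHello: ('ok', version) or ('alert', reason)."""
        if client_version < self.min_version:
            return ("alert", "protocol_version")  # e.g. SSL 3.0 disabled
        # RFC 7507: a retry flagged with the SCSV that offers less than our
        # best version means an earlier, better handshake was interfered with.
        if (self.supports_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            return ("alert", "inappropriate_fallback")
        return ("ok", min(client_version, self.max_version))


def downgrade_dance(server, attacker_drops_first, send_scsv=True,
                    client_versions=(TLS_1_2, TLS_1_1, TLS_1_0, SSL_3_0)):
    """Client retries from its best version downward; a network attacker
    drops the first N handshake attempts to push it toward SSL 3.0.
    Returns the negotiated version, or None if no connection was made."""
    for i, version in enumerate(client_versions):
        if i < attacker_drops_first:
            continue  # attacker kills this attempt; browser retries lower
        suites = [0x002F]  # constructed placeholder: one ordinary suite
        if i > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)  # mark this hello as a fallback
        status, result = server.hello(version, suites)
        if status == "ok":
            return result
        if result == "inappropriate_fallback":
            return None  # the server refused the forced downgrade
    return None
```

Passing `client_versions=(TLS_1_2, TLS_1_1, TLS_1_0)` models the Lab's client-side fix of removing SSL 3.0 from the viewer, while `min_version=TLS_1_0` on the server models a site that has disabled SSL 3.0 altogether.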

At the time the Grid Status update was issued, the Lab indicated they were working to fix the problem within the viewer’s browser capability. This has now been done: a release candidate version of the viewer, referred to as the “Browser Fix” viewer, removes SSL 3.0 usage from the viewer’s internal browser, allowing it to connect to sites which have disabled SSL 3.0 support.

If you do use the official viewer and prefer accessing websites using the internal browser, you may want to download this RC. For those not using the official viewer who have experienced issues accessing websites through the viewer’s internal web browser, try switching to an external browser for opening web links (set via Preferences), as per the advice in the original Grid Status update from the Lab.
