Last week saw the public disclosure of the POODLE vulnerability, a practical attack allowing a network attacker to steal plaintext from HTTPS connections. In particular, this attack can be used to steal authentication cookies. It’s a bad vulnerability, and it particularly hurts because it should have been fixed long ago. It only affects the ancient SSL v3 protocol, which was marked deprecated 15 years ago with the introduction of TLS v1.0.
Support for SSL should have been disabled long ago, but as has been pointed out, browser vendors delayed because they didn’t want users to lose access to outdated servers. Unfortunately, even now that we know of the POODLE bug making SSLv3 highly insecure against a competent network attacker, Firefox is the only major browser which has announced definitive plans to kill SSLv3 for good.
Compare the responses of four major browser vendors:
- Mozilla is completely disabling SSLv3 by the end of November in Firefox.
- Google, whose engineers discovered the bug, said “In the coming months, we hope to remove support for SSL 3.0 completely from our client products.” Yet there is no definitive date because of “significant compatibility problems.” Google is rolling out some targeted patches instead-including support for the TLS_FALLBACK_SCSV extension to prevent downgrade to SSLv3, which is already deployed to Google servers.
- Microsoft downplayed the bug by saying it is “not considered high risk to customers.” They have not announced any definitive plans, but may issue patches in the future.
- Apple quietly released a patch which disables the vulnerable CBC cipher suites in Safari without disabling SSLv3 completely.
Without saying that Mozilla’s approach is correct, we can point out a simple and sad fact: by being the most aggressive about protecting their user’s security, Mozilla will probably lose market share, at least in the short run.
Consider a Firefox user next month trying to browse to an outdated server which only supports SSL. Citibank.com is the most prominent example. Firefox users will see a failure message next month trying to go to Citibank. A non-zero portion of them will switch to another browser and many of those simply won’t return. By contrast, only a tiny number of users are likely to switch to Firefox because it’s the most proactive on this issue. Only a handful of users know and care about this problem and they can manually turn SSLv3 off in the browser of their choice.
This demonstrates the fundamental market failure in browser security. Often browser vendors would like to increase security at the expense of a tiny number of outmoded web sites, but they know this will likely cost them users. It’s not hard to read between the lines of Google’s post and hear “We really want to kill SSLv3 for good, but our hands are tied because of some really irresponsible web sites out there.” I don’t mean to fault Google at all. They have world-class security engineers working on Chrome who have improved the state of HTTPS dramatically. I just wish they didn’t have to spend so much time dealing with a small number of crufty old servers. Microsoft more directly warned users that “if you turn of SSLv3, you’ll lose access to some sites so don’t come crying to us.”
There’s a similar failure on the server side, as servers which disable SSLv3 will cut off users with ancient browsers (in particular, the zombie Internet Explorer 6). That isn’t so bad in this particular case: CloudFlare, one of the larger content delivery networks, has disabled SSLv3 for all clients and reported that less than 1% of its traffic would be affected and much of that was crawlers and various attacks anyways. For other security upgrades though, support for old browsers can be just as big of a headache.
In the server case, it may be hopeless to expect thousands of entities to co-ordinate updates. But in the browser case, there really only a handful of major vendors and it’s past time to see better cooperation. They should have agreed on a date 5-10 years ago that they would all turn off SSLv3 at once, just like they should have been able to agree to kick out more Certificate Authorities which were hacked. I strongly suspect Google would ship code today to kill SSLv3 if they had a firm commitment from their competitors to do so as well. It’s a shame to see browsers feeling compelled to hold back on security for fear of losing customers to a less-secure competitor.
Leave a Reply