SSL 3.0 Protocol Fallback Issue in Ver. 8


Allowing SSL 3.0 connections makes you vulnerable to a POODLE attack: https://www.us-cert.gov/ncas/alerts/TA14-290A

 

I am disabling Eset SSL protocol scanning until Eset fixes this issue which I hope is soon.

 

-EDIT-

 

This issue appears to be not related to Eset SSL protocol scanning after all. After disabling it, I can still connect to the Bank of India web site: https://www.onlinesbi.com/

So there is something definitely "fishy" about this web site in that it has the ability to somehow override IE 11's setting not to allow SSL 3.0 connections. As I showed in the original thread on this subject, this web site is using SSL 3.0 protocol.

Edited by itman

  • Administrators

I received a warning from a browser that the website supports an insecure protocol or something along that line but in the end TLS 1.2 was used regardless of whether SSL scanning was enabled or not.


Below is a screenshot from Qualys noting that its simulated IE 11 (running on Win 7) connection to the Bank of India is connecting at TLS 1.2. Note that this is a simulated connection and not an actual one.

 

My take on what is going on is an external MITM is occurring for the connection. Its purpose is to do a phony SSL 3.0 to TLS 1.2 upgrade on connection to the browser and the reverse on the connection from the browser to BOI's server. The manipulation is not perfect and my IE 11 browser sees the connection as SSL 3.0.

 

[screenshot attachment]


Here's what happens when I connect to another URL associated with the State Bank of India. Qualys does verify that this site supports TLS 1.0, 1.1, and 1.2. IE11 won't let me connect to this site due to the insecure ciphers it uses:

 

[screenshot attachment]


Marcos, looks like you are correct about the TLS 1.2 protocol connection status for https://www.onlinesbi.com/

 

For some inexplicable reason, IE11 will on occasion not show the real protocol connection status of a web page upon the initial browser display of it. It appears to have something to do with web page caching, as best I can determine. A refresh of the web page will show the actual protocol connection status.


  • 4 weeks later...

Actually, if you look at the SSL Labs scan, the site does support SSL 3.0 and TLS 1.0 up to TLS 1.2. That's why a client can connect to it using a higher protocol version.

Of course the site should not support SSL 3.0, but that must be reported to the site owners.

 

To really test whether ESET's SSL scanning (or any other thing such as browsers or other man-in-the-middle software) is vulnerable to POODLE (that's how the attack using SSL 3.0 as a fallback is called), you can use this test site: https://www.poodletest.com/

 

As for ESET, I already proposed an option to disable SSL 3 completely a long time ago, but there was no reaction from ESET and until now it is not there (also not in the ESS 10 Beta), which I think is sad, as they already have this option for SSL 2, so it would only be logical to also add it for SSL 3.

Edited by rugk
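As an added illustration of the fallback rugk refers to (example code written for this page, not from the thread or from ESET), the following Python models a client that retries with a lower version after a handshake that never completes, against a server profile constructed to match the scan (SSL 3.0 through TLS 1.2). It also models TLS_FALLBACK_SCSV from RFC 7507, which the thread does not mention: a server that sees the signalling suite on a downgraded retry refuses it instead of negotiating SSL 3.0.

```python
# Added illustration, not code from the thread or from ESET: a model of the
# client-side protocol fallback POODLE relies on and of TLS_FALLBACK_SCSV (RFC 7507).
from typing import Callable, Dict, List, Optional, Set, Tuple

Version = Tuple[int, int]  # wire (major, minor): SSL 3.0 = (3, 0) ... TLS 1.2 = (3, 3)
NAMES: Dict[Version, str] = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value from RFC 7507
AES128_SHA = 0x002F         # an ordinary suite so the ClientHello is not empty
FALLBACK_ORDER: List[Version] = [(3, 3), (3, 2), (3, 1), (3, 0)]  # highest first

class HandshakeFailure(Exception):
    """Fatal alert from the server (inappropriate_fallback or protocol_version)."""

def server_hello(supported: Set[Version], client_version: Version,
                 suites: Set[int], honours_scsv: bool = True) -> Version:
    """Version a server negotiates for one ClientHello."""
    # RFC 7507 section 3: SCSV present while the server could speak a higher version
    # than the one offered means this is a downgraded retry, so abort instead.
    if honours_scsv and TLS_FALLBACK_SCSV in suites and max(supported) > client_version:
        raise HandshakeFailure("inappropriate_fallback")
    usable = [v for v in supported if v <= client_version]
    if not usable:
        raise HandshakeFailure("protocol_version")
    return max(usable)

def connect(supported: Set[Version], send_scsv: bool,
            delivered: Callable[[Version], bool] = lambda v: True,
            honours_scsv: bool = True) -> Optional[str]:
    """Browser-style fallback: when a handshake never completes, retry one version
    lower. `delivered` models the network path; a downgrade attacker drops every
    attempt above the version it wants. Returns the negotiated name or None."""
    for attempt, version in enumerate(FALLBACK_ORDER):
        suites = {AES128_SHA}
        if send_scsv and attempt > 0:  # SCSV is added only to fallback retries
            suites.add(TLS_FALLBACK_SCSV)
        if not delivered(version):
            continue                   # looks like a network error: fall back
        try:
            return NAMES[server_hello(supported, version, suites, honours_scsv)]
        except HandshakeFailure:
            return None                # a real alert ends the connection
    return None

SBI_LIKE: Set[Version] = {(3, 0), (3, 1), (3, 2), (3, 3)}  # constructed: SSL 3.0 up to TLS 1.2
drops_above_ssl3 = lambda v: v == (3, 0)                    # constructed downgrade attacker

if __name__ == "__main__":
    print(connect(SBI_LIKE, send_scsv=False))                              # TLS 1.2
    print(connect(SBI_LIKE, send_scsv=False, delivered=drops_above_ssl3))  # SSL 3.0
    print(connect(SBI_LIKE, send_scsv=True, delivered=drops_above_ssl3))   # None
```

Dropping SSL 3.0 from the server profile is the other mitigation the post names: with `SBI_LIKE - {(3, 0)}` the same attacker can only make the connection fail, never land it on SSL 3.0.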
