I came home today and noticed over 2200 Poodle attacks on my network - my UTM got pushed an IPS patch automatically to stop Poodle attacks, but what about people without UTMs? Since everyone in the home uses Chrome (fully updated) I am going to assume these were directed at Chrome. See attached screenshot. The one with 2259 attacks is Poodle (CVE-2014-3566). Why hasn't Chrome patched this yet? I noticed Firefox apparently won't be patching it out until the end of November. But clearly, based on my UTM's alerts today, this issue is more critical than these browser firms are taking it. Apparently you can command-line Poodle (SSL3) out with Chrome: https://productforums.google.com/forum/#!topic/chrome/dpiPu9B1cBI
I second Simplicity. What do you mean by 'patch'? POODLE is a vulnerability in the protocol of SSL 3.0 (with CBC encryption) and there can't be a direct patch. What a browser vendor can do is at most minimize the risk of 'downgrade' for the TLS protocol, and Google already did it by supporting TLS_FALLBACK_SCSV. I think so far POODLE is not widely used in the real world, and it will more likely be a kind of false positive. Possibly, your UTM just detected a downgrade request from your machine, which can also occur in a usual https connection, or maybe more complicated FPs... Note POODLE is not remotely exploitable. The attacker has to make your browser send an https request hundreds of times with a slightly modified header for each request; it is possible only when he has already intruded by e.g. a code execution vulnerability. Also the attacker has to intervene in the connection between your browser and the server, but that is usually done on public wifi. Considering you have quite robust layered protection and are in a home network, it's unlikely they are real attacks.
I agree. It would be nice if Google offered protocol selection in advanced settings (similar to IE) or through chrome://flags.
Everyone has 'some' method... IE: you change a setting. Chrome: you need to add a command-line modifier to the icon. Firefox: you can edit a config or use an addon. It's serious; I am unsure why none of these companies have patched for it.
I'm aware of how encryption works; the patch term is used liberally here - meaning release versions defaulting it to OFF with an option to turn it ON. It's a pretty serious issue, and their actions towards it seem slow. Disabling the fallback below TLS solves it fairly quickly, but anyone (the masses) not doing the tweaks is vulnerable for a bit longer than I feel comfortable with.
Could this be linked to your use of Adguard? With malware/phishing turned on, Adguard will send the hostname of sites you visit the first time they are encountered (reset after a timeout expires) to "sb.adtidy.org", typically in the form "https://sb.adtidy.org/safebrowsing-lookup-domain.html?domain=www.google.ca&ip=173.194.43.111" If you check "sb.adtidy.org" with Qualys SSL Labs, you get "This server uses SSL 3, with POODLE mitigated"
Possibly. But enforcing TLS and dropping off SSL3 fixed it. But 2200 would be a little light if Adguard was doing it, given the traffic at home.
"Google to Disable SSL 3.0 in Chrome 40 to Prevent POODLE Attacks" http://www.securityweek.com/google-disable-ssl-30-chrome-40-prevent-poodle-attacks
Interesting link. My worry is people without UTMs were essentially left wide open to this vulnerability, right? I know ZyXEL and Fortinet patched the vulnerability at the UTM level a couple of weeks ago with IPS signature updates. But Joe Schmoe home guy may have had compromises? Considering I've now blocked close to 5,000 Poodle exploits this week so far, it makes me wonder.
The attacker still has to launch a MITM attack to exploit this vulnerability, so I don't think regular users should worry too much. Maybe using open Wi-Fi is not very secure, but using a home network should be relatively safe. I also doubt that you blocked that many exploits. Except if somebody hacked your cable between your home and your ISP. It was probably 5000 SSL3 dropped connections. But that doesn't mean there were any exploits...
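The two replies above make the same point from the defender's side: what a UTM logs as a "POODLE attack" is usually just a ClientHello that offers SSL 3.0, and a browser that retries with TLS_FALLBACK_SCSV after a failed handshake produces exactly that. The following is an added example (not code from any poster, the UTM vendors, or Google) that parses ClientHello records and classifies them the way an inspection engine might, so the difference between a signalled fallback retry and a bare SSL 3.0 offer is visible. The sample records are constructed inline with `build_client_hello` for this example; the category labels returned by `classify` are my own naming, not any vendor's signature names.

```python
"""
Parse TLS/SSL ClientHello records and classify them the way an IPS might,
separating a legitimate fallback retry (carrying TLS_FALLBACK_SCSV) from a
bare SSL 3.0 offer.  All records below are constructed for this example.
"""
import struct

TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value from RFC 7507
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def build_client_hello(client_version, cipher_suites):
    """Construct a minimal ClientHello record (sample input, not captured traffic)."""
    body = struct.pack("!H", client_version)
    body += b"\x00" * 32                       # client random, zeroed in this sample
    body += b"\x00"                            # empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return (b"\x16" + struct.pack("!H", client_version)          # type 22 = handshake
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record):
    """Return (client_version, [cipher suite ids]); raise ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                               # skip the 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                         # skip session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + suites_len]
    if len(raw) != suites_len or suites_len % 2:
        raise ValueError("bad cipher suite list")
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    return client_version, suites


def classify(record):
    """Label a ClientHello; labels are this example's own, not vendor signature names."""
    version, suites = parse_client_hello(record)
    name = VERSION_NAMES.get(version, hex(version))
    signalled = TLS_FALLBACK_SCSV in suites
    if version == 0x0300 and signalled:
        # A browser retrying after a failed handshake; a server that implements
        # RFC 7507 answers with an inappropriate_fallback alert, so no SSL3 session forms.
        return "sslv3-fallback-signalled"
    if version == 0x0300:
        # Bare SSL 3.0 offer with no fallback signal: the only shape POODLE can use.
        return "sslv3-offered"
    if signalled:
        return f"{name}-fallback-signalled"
    return f"{name}-normal"


def summarize(records):
    """Count records per label, like a UTM dashboard would, but with the distinction kept."""
    counts = {}
    for rec in records:
        label = classify(rec)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample traffic: three normal TLS 1.2 hellos, two signalled SSL3
# retries, and one bare SSL3 offer.  Cipher suite ids are arbitrary sample values.
SAMPLE_RECORDS = (
    [build_client_hello(0x0303, [0xC02F, 0x002F])] * 3
    + [build_client_hello(0x0300, [0x002F, TLS_FALLBACK_SCSV])] * 2
    + [build_client_hello(0x0300, [0x002F])]
)

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_RECORDS).items()):
        print(f"{label:28s} {n}")
```

A log entry that only counts "SSL3 seen" lumps the second and third categories together; keeping the TLS_FALLBACK_SCSV bit in the signature is what lets a defender tell a patched browser's retry from a connection that could actually carry the attack.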
My home network routinely comes under attack, state sponsored or otherwise. Even some Quantum injections from what we have found, and have been told. I assume a combination of factors result in fairly aggressive surveillance of myself/my network/systems, to which I DO take very nearly extreme precautions to avoid compromises. Not many folks drop double Layer-7 UTMs on their networks. Anyway:

1) Past Military, Defense Contractor, etc.
2) Past work with Russian firms.
3) Current IT work with high-value targets (CEOs, Presidents, some famous folks).
4) Past IT work securing privacy for some well-connected folks.

Ironically I use Russian gear to maintain network integrity at the front end, and US gear on the backend. I've had engineers from some AV companies, ZyXEL, and others on watching in realtime the pretty intense intrusion activity. Hopefully my stacked UTMs will take care of the worst stuff, and if anything sneaks in it has to deal with more layers, and encrypted personal data. Right now the biggest issue are the quantum injections. My ISP won't fess up to it, and passes the buck, but admits it is happening. For every HTTP call to keyworded pages we get 1-3 Fraudloader packets injected 'fishing' for holes. I suppose since the Russian gear is snagging them I am not too worried, but it's pretty annoying because this is at the backbone or ISP level. No guarantee switching ISPs will fix it.

44-hour UTM statistics on my HOME network (incoming from WAN only):
16,600 Viruses Intercepted
12,100 Packets Rejected/Dropped
11,300 Intrusions Intercepted