My Quotes


When U were born , you cried and the world rejoiced
Live U'r life in such a way that when you go
THE WORLD SHOULD CRY






Tuesday, July 23, 2019

How to Prevent POODLE Attacks on AWS ELB And CloudFront

    What is POODLE?
  1. To maintain compatibility with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client;
  2. if this handshake fails, they retry (possibly repeatedly) with earlier protocol versions.
  3. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers.
  4. So if an attacker that controls the network between the client and the server interferes with any attempted handshake offering TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0.
  5. Encryption in SSL 3.0 uses either the RC4 stream cipher or a block cipher in CBC mode.
  6. RC4 is well known to have biases, meaning that if the same secret (such as a password or HTTP cookie) is sent over many connections and thus encrypted with many RC4 streams, more and more information about it will leak.
  7. Unlike with the BEAST and Lucky 13 attacks, there is no reasonable workaround.
  8. This leaves us with no secure SSL 3.0 cipher suites at all: to achieve secure encryption, SSL 3.0 must be avoided entirely.
    Disable the SSLv3 Protocol to handle POODLE attacks on Cloud Front
  1. Similarly to Amazon ELB, Amazon AWS has taken care of the issue disabling SSLv3 for the customers who use the default SSL settings.
  2. Nevertheless, customers who are using custom SSL certificates with Amazon Cloud Front should disable the SSLv3 protocol manually by following the steps below in the Amazon CloudFront Management Console:
  3. Select your distribution, then click “Distribution Settings”.
  4. Click the “Edit” button on the “General” tab.
  5. In the “Custom SSL Client Support” section, select the option that says: “Only Clients that Support Server Name Indication (SNI)”.
  6. Click “Yes, Edit” to save these revised settings.
    Disable the SSLV3 Protocol to handle POODLE on Amazon AWS ELB
  1. All the ELBs which are created after 10/14/2014 5:00 PM PDT will use a new SSL Negotiation Policy that will by default no longer enable SSLv3.
  2. For the existing ELBs, it’s necessary to manually disable SSLv3 via the AWS Management console:
  3. Select your load balancer (EC2 -> Load Balancers) in the appropriate region
  4. In the Listeners tab, click “Change” in the Cipher column.|
  5. Ensure that the radio button for “Predefined Security Policy” is selected, in the dropdown select the “ELBSecurityPolicy-2014-10” policy.
  6. You can see the Protocol-SSLV3 is unchecked after selecting the policy.
  7. Click “Save” to apply the settings to the listener
  8. Repeat these steps for each listener that is using HTTPS or SSL for each LoadBalancer.

No comments :