Monday, December 8, 2014

The POODLE bites (the POODLE chews it) (plus: Fix those bugs, Frenchie)

Let's begin our discussion with a dramatic sound. Wait, it doesn't play? Did you find the MP3 option yet?

During the continuing Bataan death march rewrite of IonMonkey (done with the assembler and about 60% done with the macroassembler) I discovered a glitch in PPCBC with certain comparison operations that the JIT tests apparently don't cover. I don't believe this has any material effect, but we'll fix it anyway, along with a bug in hyphenation that appears to be another Mozilla goof where they assume every architecture represents boolean variables as bytes (on 32-bit PowerPC the native type is 32-bit word, though the compiler can be configured otherwise). That one may affect Linux too, so we'll push it upstream.

Also, during the 29 timeframe I had planned to reduce browser.sessionstore.max_{windows,tabs}_undo as part of a more aggressive tuning of browser memory usage; I don't know why this never got into the code for 31ESR, but it didn't even though the rest of the garbage collection changes did. My original plan was to set the maximum tab and window undo level to 2 each, but a few of you thought two-tab undo was a bit too low, so the current plan is 4 tab undo and 2 window undo (the default is 10 and 3). This means the browser only keeps four old tabs and two old windows in memory, so old objects get released more often. You can, of course, change the old settings back in about:config, but advise if even these default seem unreasonable to you in the comments.

In other news, the two-month-old POODLE SSL/TLS attack just gets worse and worse. Yeah, you heard me: the POODLE exploit can now affect TLSv1 as well, not just SSLv3. POODLE is a padding oracle attack that takes advantage of a gap in the SSLv3 specification where an attacker can arbitrarily manipulate the unvalidated padding bytes in an SSL record. By causing a user's browser (through JavaScript, typically) to issue multiple carefully crafted SSL requests using a credential or login cookie, a malicious intermediary can slowly (with probability 1/256 for each request revealing one byte of a secret to be decrypted) duplicate that credential or cookie and steal it. Today's attack demonstates the same attack is feasible against as many as 10% of the Internet's servers, even those that implement TLS v1.2 (the current spec) as a minimum, due to a similar glitch where the server software doesn't validate those same padding bytes even though they're supposed to. Affected sites even include some major banks and government agencies!

This sort of activity is likely to push up the timetable for deprecating TLS prior to 1.2 or with non-AEAD ciphers due to the increasing evidence that earlier TLS versions and ciphersuites have multiple potentially exploitable cryptographic weaknesses. Firefox (and of course TenFourFox) has supported TLSv1.2 with a full built-in AEAD ciphersuite since 27, and as of this release (31.3) SSLv3 is disabled as well, so TenFourFox is fully current with modern best encryption practise. The same cannot be said for other browsers on PowerPC OS X which depend on the built-in operating system SSL support (this includes Safari and iCab even if Leopard WebKit is installed); the built-in SSL/TLS support libraries in 10.4 and 10.5 are both vulnerable to BEAST and POODLE-type attacks and do not implement TLSv1.1 or TLSv1.2. In the near future browsers and other applications depending on these libraries will no longer be considered safe for secure data transmission, meaning apps will need to package their own encryption libraries to stay current (which we already do, using Mozilla NSS). That's also bad news for Classilla: although attacks like POODLE are highly impractical against Classilla users, that's mostly a factor of the slower JavaScript and network code and not any strength in its crypto suite. While the improved TLSv1.0 support in 9.3.3 has been mostly glitch-free (one site remains under investigation), TLSv1.1 and TLSv1.2 will require some substantial refactoring, and Classilla has no AEAD ciphers at all.

8 comments:

  1. I found something with an "mp3" in it and when I change it to true the browser crashes! You didn't hear it from me though!

    ReplyDelete
    Replies
    1. media.apple.mp3.enabled is not the setting. We don't support the Apple MP3 decoder.

      Delete
  2. A Zappa reference. Kewl.

    ReplyDelete
  3. Okay, so I guess a hint for the setting is in order :-) Does it exist, or does it have to be created?

    ReplyDelete

Due to an increased frequency of spam, comments are now subject to moderation.