Saturday, October 18, 2014

Taking POODLE to the Pound

You may have heard of POODLE (Padding Oracle On Downgraded Legacy Encryption), which exploits a bug in the ancient SSL 3.0 encryption protocol. It can let malicious sites take over your browser.

The fix is to turn off SSL 3.0, forcing your browser to use better encryption. This will break some sites, but that's their problem, not yours, and they are probably working on it right now.

For most browsers the fix is not too difficult. You change a configuration setting and you're done. There's even a Firefox extension to change the settings for you.

For Google Chrome and its open source brother Chromium, it's a little more difficult. You have to tell the browser to disable SSL 3.0 every time you launch it, e.g.

$ chromium --ssl-version-min=tls1

The --ssl-version-min=tls1 flag is the part that does the trick.

Let's see. I launch chromium at startup, from the Mint panel icon, and sometimes from the command line. That means three places I have to fix the call to chromium, and I have to do it for every user on the machine. There's got to be a better way.

And there is, at least when using chromium on LMDE. There is a configuration file, /etc/chromium/default, which lets you set global options for the chromium browser. To apply the fix, run the command:

$ sudo vi /etc/chromium/default

and edit the CHROMIUM_FLAGS variable. Its value is passed to chromium as command-line flags every time anyone starts the browser; look at /usr/bin/chromium to see how it works. My current variable reads

CHROMIUM_FLAGS="--password-store=detect --ssl-version-min=tls1"

Now every time chromium is started on your machine, it applies the fix.
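The same edit can be scripted so that it is safe to run repeatedly, for example from a provisioning script. This is an added example, not part of the original post: the function names has_flag and ensure_flag are made up for it, and it assumes the defaults file is sourced as shell by the chromium launcher. The demo at the end runs against a constructed sample file, not the real /etc/chromium/default.

```shell
#!/bin/sh
# Added example: idempotently make sure CHROMIUM_FLAGS carries the TLS floor.
FLAG="--ssl-version-min=tls1"

# has_flag FILE: succeed only if an active (uncommented) CHROMIUM_FLAGS
# assignment already contains the flag as a whole word.
has_flag() {
    grep -Eq "^[[:space:]]*CHROMIUM_FLAGS=.*${FLAG}([[:space:]\"']|\$)" "$1"
}

# ensure_flag FILE: add the flag if it is missing, leaving other flags alone.
ensure_flag() {
    file=$1
    has_flag "$file" && return 0            # already fixed, nothing to do
    tmp=$(mktemp) || return 1
    # Common case: a double-quoted assignment, as shown in the post.
    # Insert the flag before the closing quote, then tidy an empty value.
    sed -e "s/^\([[:space:]]*CHROMIUM_FLAGS=\"[^\"]*\)\"/\1 ${FLAG}\"/" \
        -e 's/^\([[:space:]]*CHROMIUM_FLAGS="\) /\1/' "$file" > "$tmp" \
        && cat "$tmp" > "$file"             # cat keeps owner and mode
    rm -f "$tmp"
    # Fallback (variable missing, commented out, or quoted differently):
    # append an assignment that extends whatever value is set earlier.
    # Assumption: the file is sourced by a POSIX shell.
    has_flag "$file" || \
        printf '%s\n' "CHROMIUM_FLAGS=\"\$CHROMIUM_FLAGS ${FLAG}\"" >> "$file"
    has_flag "$file"                        # report whether the fix is in place
}

# Demo on a constructed sample file.
demo=$(mktemp)
printf '%s\n' 'CHROMIUM_FLAGS="--password-store=detect"' > "$demo"
ensure_flag "$demo" && cat "$demo"
rm -f "$demo"
```

On a real machine, call ensure_flag /etc/chromium/default as root; has_flag on its own works as an audit check that needs no privileges.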

You can test your work at https://www.poodletest.com/.

I don't know how many platforms can use this trick. On CentOS there is an analogous way to do it, but a different procedure. If you have a different way to disable SSL 3.0 for chrome/chromium on your Linux box, leave a comment below.