Edgewater Consulting blog

Technical How-to: Redirecting SSLv3 Users to a POODLE warning page using Apache2 mod_rewrite

The Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability has been making headlines since September 2014. There are a few options for mitigating the risk, but our infrastructure team has found that not all organizations are able and willing to implement them. Disabling SSLv3 entirely can cut users off from secure websites they rely on, and Google’s TLS_FALLBACK_SCSV mechanism requires support from the web browser, and has not been implemented server-side by all distributions, especially on older and unsupported versions. Further, TLS_FALLBACK_SCSV does not address the issue of SSLv3 support itself, rather it prevents devices which support TLS from downgrading connections to SSLv3. It does not help in cases where the browser is Internet Explorer Versions 1 through 6 (although Internet Explorer versions 4 through 6 can be configured to enable TLS.)

A more elegant solution is not to block SSLv3, but to instead warn users that their current browser is vulnerable to known attacks and instruct them on how to upgrade. With Apache2 and mod_rewrite, it is possible to redirect SSLv3 connections to such a warning page and advise users of the issue and how to resolve it. Here are the steps to do so:

  1. Prepare or find an explanation page you wish to redirect insecure SSL sessions to and note the URL.
  2. If you run a reverse proxy, load balancer, or other session layer device between your apache server(s) and the Internet, please be aware that those devices may be vulnerable to POODLE even though they support TLS: http://www.computerworld.com.au/article/561828/poodle-flaw-returns-time-hitting-tls-security-protocol/
    To be sure that your entire chain of TLS implementations is secure, temporarily disable SSLv3 in apache2 and head over to SSL Labs to test your site. If your TLS chain is vulnerable you should receive a grade of “F” with a warning (emphasis ours:) “This server is vulnerable to the POODLE attack against TLS servers.” If you receive this warning, you should contact your vendors and request patches.
  3. Make sure that Apache2’s mod_rewrite has been installed on your system. Apache2 runs on a variety of architectures and operating systems, so installing individual Apache2 modules is beyond the scope of this article.
  4. Make sure that Apache2’s mod_rewrite is enabled. To do this, run the following as root/administrator:
    a2enmod rewrite
  5. Add the following lines, without the line numbers, to your Apache2 HTTPS site configurations, changing http://yourwebsite.com/yourexplanationpage.html to the explanation page you wish to redirect users to:
    2. SSLOptions +StdEnvVars
    3. RewriteEngine On
    4. RewriteCond %{ENV:SSL_PROTOCOL} ^SSLv[2-3]$ [NC]
    5. RewriteRule ^.*$                    http://yourwebsite.com/yourexplanationpage.html
  6. If you have disabled SSLv3 already, undo the configuration disabling it.
  7. Restart Apache2
  8. Now test, test, and then test some more! You can use Firefox and enable/disable SSLv3. To force an SSLv3 connection set both security.tls.version.min & security.tls.version.max to 0. To disable SSLv3 in Firefox set security.tls.version.min to 1 or higher and set security.tls.version.max greater than or equal to security.tls.version.min

Cloud 101: Understand the Plan

cloud plan

Cloud questions

Moving to the Cloud is a good move in most cases HOWEVER – It’s not as easy as most service providers want you to believe. If the analysis isn’t done properly up front it can lead to poor performance, interruptions in business, and, what I am currently seeing, costs getting out of control quickly.

CIO’s and CFO’s are rightly asking:

Why are our IT Budgets significantly higher?

Wasn’t the Cloud supposed to save us money?

The Reality – The Cloud is not for everything and everybody!

You need 2 things from your service provider:

  1. First and most important – Due diligence
    Your service provider should understand your business and make that the priority 1. For example: Recently I have seen two companies, one an engineering firm and the other in the Insurance industry, that have very dynamic IT needs. These needs were clearly not understood and documented in the detail that was needed to ensure a successful cloud endeavor. Both company’s need to spin up and down environments for pre-determined times. So who’s managing this?
  2. Which leads to my second point – Education
    During the discovery phase, service providers need to make sure that whoever manages the cloud provider/vendor is made aware of the pricing model and supported content to manage the environment properly, what to expect and what controls need to be implemented to ensure environments are managed correctly.

The bottom line is: Many providers are on the bandwagon to sell Cloud. A lot of them don’t have preferred hosting partners and focus only on the transitional services. So clients must understand:

  • whether discovery or due diligence services are provided
  • whether that report includes recommendations regarding which applications should move to the Cloud and which should stay on premise
  • what hosting partner or Cloud service is recommended
  • estimated ROI

Cloud strategy is critical to Cloud success, even if clients have to enter these unchartered waters on their own.