How to really screw up TLS
I've noticed a few of my favorite websites failing with some odd error from Firefox.
The Firefox error message is a bit misleading. It actually has nothing to do with the website supporting SSL 3.0 but the advanced info is spot on. The error "ssl_error_no_cypher_overlap" means that the client didn't offer any ciphers that the server also supports. Generally when I see this I assume that the server has been setup poorly and only supports unsafe ciphers. In this case the website only supports the RC4 cipher. I wondered why I was starting to see a reversal of removing RC4 from so many websites recently (especially since RC4 is very weak and is on the way out). Apparently these websites all use the F5 load balancer that had a bad implementation of the TLS 1.0 standard causing a POODLE-like vulnerability.
Stepping back for a moment, back in October the POODLE vulnerability hit the streets and a mass exodus from SSL 3.0 happened around the world. I was happy to see so many people running away from the broken cryptographic protocol and very happy to see the big push to implementing the latest version of TLS, TLS 1.2. So with SSL 3.0 out of the way and the POODLE vulnerability being squelched why are we seeing problems in TLS 1.0 now?
Well, simply put, F5 load balancers don't implement TLS 1.0 correctly. The problem with SSL 3.0 is that the padding format isn't checked. Apparently in the F5 devices it's still a problem in TLS 1.0. And while the company did offer up patches to fix the issue, some really bad advice has been circulating the Internetz telling people to only support RC4, again. Sigh.
When RC4 finally dies a fiery death I'll likely throw a party. I'm sure I won't be the only one...