Another week, another new SSL exploit

Late last week, a new SSL bug was disclosed by Google security researchers. Simply put, because of the wide mix of protocol versions, clients and servers in use, most clients start by offering the highest protocol version they support and, if that handshake fails, retry with older versions so they stay compatible with older servers. The weakness is in SSLv3, which is now 18 years old: an attacker who sits on the network path between the client and the server and can make the client send many requests is able to recover encrypted data (a session cookie, for example) one byte at a time. For the more technical reader, here’s a link with more details.

Exploiting this bug is not trivial, since the attacker needs a position on the network path and a large number of requests, but once the details were public our team had an action plan together within hours. We started by rolling out a patched OpenSSL that supports TLS_FALLBACK_SCSV on all servers. This is a signalling mechanism that addresses the problem created by clients retrying failed connections at a lower version: a client that is retrying says so in its handshake, and a server that understands the signal refuses the downgraded connection, which stops an attacker from forcing a browser down to SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0, so it may help against future attacks. The caveat is that both sides must support it: a client too old to send the signal gets no protection from it.

However, we did not stop there. We continued to refine our response and came up with methods to disable SSLv3 outright on all the main services on our clients’ servers and on our own. This includes:

  • Apache Web Server
  • WHM / Cpanel Control Panel
  • POP3 / IMAP Mail server
  • Exim SMTP server

This ensures that SSLv3 cannot be exploited on these services at all, even by a method that is not yet known, and it also protects clients that are too old to send TLS_FALLBACK_SCSV.
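To make the two layers of this fix concrete, here is an added example written for this post (it is not code from the OpenSSL project or from our servers). It builds a genuine SSLv3/TLS ClientHello record, models the RFC 7507 server decision so you can see exactly when TLS_FALLBACK_SCSV stops a downgrade and when only switching SSLv3 off does, and includes a probe that sends an SSLv3 ClientHello to a host and classifies the reply. The record and ClientHello layouts are those of SSL 3.0, RFC 5246 and RFC 7507; the sample cipher suite offer and the function names (`server_handle`, `probe_sslv3`, and so on) are our own choices for the example.

```python
import os
import socket
import struct

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303

# RFC 7507 signalling cipher suite value; it never selects a real cipher.
TLS_FALLBACK_SCSV = 0x5600
# Constructed sample offer: AES128-SHA, AES256-SHA, DES-CBC3-SHA (real suite IDs).
SAMPLE_SUITES = [0x002F, 0x0035, 0x000A]


def build_client_hello(version, fallback=False, random_bytes=None):
    """Serialize one record carrying a ClientHello for `version` (no extensions,
    which is also what a genuine SSLv3 hello looks like). With fallback=True the
    TLS_FALLBACK_SCSV value is appended, as an RFC 7507 client does when it is
    retrying at a lower version after a higher-version handshake failed."""
    suites = SAMPLE_SUITES + ([TLS_FALLBACK_SCSV] if fallback else [])
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    body = struct.pack("!H", version) + rnd          # client_version, random
    body += b"\x00"                                  # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                              # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake  # type 22


def parse_client_hello(record):
    """Return (client_version, set of offered cipher suites) from a ClientHello record."""
    ctype, _rec_version, _rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                     # skip version and random
    pos += 1 + body[pos]                             # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = {struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, suites_len, 2)}
    return client_version, suites


def server_handle(record, min_version, max_version, supports_scsv):
    """Model the server side of the handshake. Returns ('accept', negotiated_version)
    or ('alert', reason). min_version is the lowest version the server still has
    enabled; max_version is the highest it speaks."""
    client_version, suites = parse_client_hello(record)
    if client_version < min_version:
        return ("alert", "protocol_version")          # SSLv3 switched off outright
    if supports_scsv and TLS_FALLBACK_SCSV in suites and client_version < max_version:
        return ("alert", "inappropriate_fallback")    # RFC 7507 section 3
    return ("accept", min(client_version, max_version))


def classify_response(data):
    """Interpret the first bytes a real server returned to an SSLv3 ClientHello."""
    if len(data) < 5:
        return "closed"            # connection dropped without a record: SSLv3 refused
    ctype, version = struct.unpack("!BH", data[:3])
    if ctype == 0x16 and version == SSL3:
        return "sslv3_accepted"    # a ServerHello at 3.0: SSLv3 is still enabled
    if ctype == 0x15:
        return "alert"             # handshake_failure / protocol_version: refused
    return "unexpected"


def probe_sslv3(host, port=443, timeout=5.0):
    """Send a real SSLv3 ClientHello to host:port and classify the reply.
    Needs the network, so the offline scenarios below do not call it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello(SSL3))
            data = s.recv(4096)
    except OSError:                # timeout or reset: treat as refused
        return "closed"
    return classify_response(data)


if __name__ == "__main__":
    sslv3_retry = build_client_hello(SSL3, fallback=True)   # modern browser, forced retry
    old_client = build_client_hello(SSL3)                   # client that predates RFC 7507
    print("patched server, RFC 7507 client:", server_handle(sslv3_retry, SSL3, TLS12, True))
    print("patched server, old client:     ", server_handle(old_client, SSL3, TLS12, True))
    print("SSLv3 disabled, old client:     ", server_handle(old_client, TLS10, TLS12, False))
```

The three scenarios show the point of the second step: a patched server only rejects the downgrade when the client also sends TLS_FALLBACK_SCSV; an old client that never sends it is still negotiated down to SSLv3, and only disabling SSLv3 on the server closes that path. Once SSLv3 is off on Apache, Exim and the mail services, `probe_sslv3("your.host", 443)` (and ports 465, 993 and 995) should return "alert" or "closed". Note that the usual quick check, `openssl s_client -ssl3`, only works when the local OpenSSL was built with SSLv3 support, which current builds omit; the raw probe above does not depend on that.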

While this may break support for very old clients (notably Internet Explorer 6 in its default configuration), we estimate the impact to be very limited, and the security advantages far outweigh the disadvantages. If in doubt, please feel free to contact our support team.

How does the Sprintserve network outperform our competitors?

There are a few main criteria that determine how a network performs. Each transit provider is a highway for data to travel on. The more transit providers you have, the more highways you can choose from when looking for the best route. Why is this an advantage? Just like a real highway, a provider’s path can suffer traffic jams, and some highways are more direct than others; no single provider is guaranteed to offer the best route. More options therefore give us more alternative routes to pick from, allowing a more optimal choice. Our network offers 8 transit providers.

The next determinant of network performance is how that optimal route is chosen. Most networks use the Border Gateway Protocol (BGP), which by default routes traffic along the shortest path, that is, the one that crosses the fewest networks. In an ideal world this would also be the fastest path. The world is seldom ideal, however: a highway can have congestion, road closures and other blockages that make the most direct route the slower one. If you monitor traffic conditions in real time using actual traffic maps, you can take detours that are not congested. That is what our network does as well. Instead of relying on BGP’s shortest path alone, our network uses intelligent routing based on Internap’s Flow Control Platform (FCP), which measures the performance of each available path and steers traffic accordingly. For more information, feel free to drop us an email.