Hi guys,
Thanks for the reports. We are currently working on some improvements to make HTTPS scanner handshakes and protocol negotiations more transparent.
So, yes, currently HTTPS scanner does support SSLv3 connections. At the same time I believe we are not vulnerable to classic POODLE attack. Since we (HTTP Scanner) does not downgrade the protocol on retries. The only case when we connect with SSLv3 is when the server explicitly requests such connections in the handshake - which is done, disregarding test cases, only by servers that support SSLv3 as their best protocol.
Normaly we use in the handshake the same protocol version as is requested by the client ( TLS 1.2, 1.1,1), in case the client requests (in the Client hello packet) version SSLv3, we even upgrade it to TLS1.
For the SSLv3 servers we are vulnerable to the POODLE attack, where as with SSLv3 disabled the client wouldn’t be able to access the site at all. We will improve this in the future version so that if the client rejects SSLv3-only connections, we do reject them as well.
So how come the https://poodle.io test succeeds in establishing the SSLv3 connection with us? This is because it does specifically request SSLv3 version in the SERVER HELLO packet.
Let me explain the attack:
The so called POODLE vulnerability allows the attacker to leak one BYTE per connection. If the attacker is able to create many (hundreds) varying connections (e.g. via Java script in a infected web), he/she is able to leak different byte every time and eventually get something usefull - such as session cookie.
For this to happen the attacker needs SSLv3 connections. So the attacker will block the handshake packets and hope the client will retry with lower procotol version. Since we never retry with SSLv3 even when blocked, further connections via HTTPS scanner will again be using at least TLS1.
This lead me to the conclusion, that current implementation of HTTPS scanner is not vulnerable to POODLE attack.
However I must admit we are still lacking a few things in the implementation. We do not send the TLS_FALLBACK_SCSV cipher, so connections can be established with lower version (such as TLS1 instead of TLS1.2) in case retry/blocks happen - but not with SSLv3.
We plan to the this in the next update.
I hope this explains it a bit.
Lukas.