Kevin Decherf, Author at Clever Cloud From Code to Product Mon, 20 Oct 2014 19:31:00 +0000 en-GB hourly 1 https://staging-cc-assetsv6.cellar-c2.services.clever-cloud.com/uploads/2023/03/cropped-cropped-favicon-32x32.png Kevin Decherf, Author at Clever Cloud 32 32 Clever Cloud and the POODLE battle https://stagingv6.cleverapps.io/blog/features/2014/10/20/clever-cloud-and-the-poodle-battle/ Mon, 20 Oct 2014 19:31:00 +0000 https://www2.cleverapps.io/wp/blog/technology/2014/10/20/clever-cloud-and-the-poodle-battle/

TL;DR:
We are disabling the support of SSLv3 in front of our platform the Friday, 24th October. CBC has already been disabled, mitigating the issue.
The secure web is not for Internet Explorer 6 anymore.

Say hello to the POODLE

POODLE is the codename of a new vulnerability disclosed by Google earlier this week. This vulnerability is not related to a specific software but to a whole protocol: SSLv3.

In few words this vulnerability gives the ability to an attacker to force a client downgrading the protocol version and the cipher suite used to talk to a secure server even if it is compatible with the most recent and secure one. After that the attacker will be able to perform a Padding Oracles attack to decipher the communication.

Does Clever Cloud POODLE?

The most efficient way to prevent this attack on the server-side is to remove the support of the SSL version 3. Removing this version will block some users like Internet Explorer 6 -which is not compatible with the newest protocol TLS- and very old devices.

Even if it is a good pretext to end the very long life of Internet Explorer 6, we prefer to check the impact on our customers before applying this update.

We are planning to disable the support of SSLv3 in front of our platform the Friday, 24th October. If you are a SSL customer and want to keep it, let us know by sending an email to our support.

Disabling SSLv3 is not the only way to mitigate this issue. After the downgrade dance, the most vulnerable cipher suite is CBC and… good news, this cipher was disabled widely on our platform earlier this year!

We are also deploying a patch to support a new cipher suite flag which tells to a server to reject any inappropriate fallback from a client.

]]>

TL;DR:
We are disabling the support of SSLv3 in front of our platform the Friday, 24th October. CBC has already been disabled, mitigating the issue.
The secure web is not for Internet Explorer 6 anymore.

Say hello to the POODLE

POODLE is the codename of a new vulnerability disclosed by Google earlier this week. This vulnerability is not related to a specific software but to a whole protocol: SSLv3.

In few words this vulnerability gives the ability to an attacker to force a client downgrading the protocol version and the cipher suite used to talk to a secure server even if it is compatible with the most recent and secure one. After that the attacker will be able to perform a Padding Oracles attack to decipher the communication.

Does Clever Cloud POODLE?

The most efficient way to prevent this attack on the server-side is to remove the support of the SSL version 3. Removing this version will block some users like Internet Explorer 6 -which is not compatible with the newest protocol TLS- and very old devices.

Even if it is a good pretext to end the very long life of Internet Explorer 6, we prefer to check the impact on our customers before applying this update.

We are planning to disable the support of SSLv3 in front of our platform the Friday, 24th October. If you are a SSL customer and want to keep it, let us know by sending an email to our support.

Disabling SSLv3 is not the only way to mitigate this issue. After the downgrade dance, the most vulnerable cipher suite is CBC and… good news, this cipher was disabled widely on our platform earlier this year!

We are also deploying a patch to support a new cipher suite flag which tells to a server to reject any inappropriate fallback from a client.

]]> The PostgreSQL JDBC Driver is now PgBouncer compliant https://stagingv6.cleverapps.io/blog/engineering/2013/05/27/pgjdbc-now-pgbouncer-compliant/ Mon, 27 May 2013 00:00:00 +0000 https://www2.cleverapps.io/wp/blog/technology/2013/05/27/pgjdbc-now-pgbouncer-compliant/ Three years ago a discussion was launched on the Pgbouncer mailing-list [1] about the JDBC Driver which does not disable prepared statements when using ?prepareThreshold=0 in the connection string.

At Clever Cloud, we provide PostgreSQL databases behind PgBouncer to handle pools of connections. And to optimize these pools, we use the transaction pooling mode. This mode will prevent clients from using prepared statements as the session is only used for one transaction.

To be able to use this mode internally we manually applied a patch to the driver. After 8 months of inactivity, the pull-request [2][3] was finally merged into the master branch of the driver.

Now we hope that the next version will be released soon.

References:

[1] http://lists.pgfoundry.org/pipermail/pgbouncer-general/2010-February/000507.html [2] https://github.com/pgjdbc/pgjdbc/pull/9 [3] https://github.com/pgjdbc/pgjdbc/pull/58

]]>