The Poodle attack (CVE-2014-3566) raised many questions from our customers, peers, auditors, and prospects. This post addresses some of the most frequently asked questions, and provides an update on how Akamai is handling its operations during this industry-wide event. For a basic background on Poodle, please read Akamai CSO Andy Ellis's overview blog post, or Akamai Security Researcher Daniel Franke's in-depth analysis.
Q: What is Akamai doing to protect customers?
A: Akamai is currently pushing through two major changes to Platform behavior to protect customers:
1. Akamai has accelerated its deprecation of SSL 3 (and earlier versions), with a target of late October to early November for the Platform to accept only TLS 1.0 or later connections by default. As of Oct. 16, this is already complete for 90% of our Secure Content Delivery Network (SCDN) customers; the others have received direct calls to encourage the change before the cutoff.
2. Akamai has deployed support for TLS_FALLBACK_SCSV (the TLS Fallback Signaling Cipher Suite Value) on the SCDN; it is in phased deployment to our legacy networks now. The SCSV is a marker a client adds to its cipher-suite list when it retries a failed handshake at a lower protocol version; a server that sees the marker and supports a higher version refuses the connection rather than completing it. If both a client and a server support the SCSV, a man-in-the-middle can no longer force a downgrade to SSL 3 by breaking the client's TLS handshakes, which is the precondition for Poodle against a client that would otherwise negotiate TLS. Very few browsers implement the SCSV yet, so this helps very few people today; however, it is a good investment for the incidents of mid-2015, once client support is widespread.
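To check an origin or a client-facing hostname for exactly the two behaviours described above, whether SSL 3 is still accepted and whether the server honours TLS_FALLBACK_SCSV, the following Python 3 example builds a minimal SSL 3.0 ClientHello with the fallback SCSV appended and classifies the first record the server sends back. This is an added example written for this post, not Akamai's tooling; the `probe()` helper and the three sample server responses are constructed for illustration (the responses are not captured traffic).

```python
"""Probe logic for SSL 3 acceptance and TLS_FALLBACK_SCSV support.

Added example, not Akamai's tooling. The sample server responses at the
bottom are constructed, not captured from any real host.
"""
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"
HANDSHAKE, ALERT = 0x16, 0x15                 # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02       # handshake message types
TLS_FALLBACK_SCSV = b"\x56\x00"               # RFC 7507 signalling suite value
# Cipher suites a legacy SSL 3 origin would still accept.
SSL3_SUITES = [b"\x00\x0a", b"\x00\x05", b"\x00\x2f"]
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               86: "inappropriate_fallback"}


def build_ssl3_client_hello(fallback_scsv=True, random_bytes=None):
    """Return an SSL 3.0 ClientHello record, optionally signalling a fallback."""
    suites = b"".join(SSL3_SUITES) + (TLS_FALLBACK_SCSV if fallback_scsv else b"")
    body = (
        SSL3_VERSION                                # client_version = 3.0
        + (random_bytes or os.urandom(32))          # 32-byte client random
        + b"\x00"                                   # empty session_id
        + struct.pack("!H", len(suites)) + suites   # cipher_suites vector
        + b"\x01\x00"                               # compression: null only
    )                                               # SSL 3.0 has no extensions
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return (bytes([HANDSHAKE]) + SSL3_VERSION
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data):
    """Interpret the first record a server returns for the SSL 3 ClientHello."""
    if not data:
        return "ssl3_refused (connection closed)"
    if len(data) < 5:
        return "malformed"
    rtype, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if rtype == ALERT and len(payload) >= 2:
        desc = payload[1]                           # alert description byte
        if desc == 86:
            return "fallback_refused (server honours TLS_FALLBACK_SCSV)"
        return "ssl3_refused (alert %s)" % ALERT_NAMES.get(desc, desc)
    if rtype == HANDSHAKE and payload and payload[0] == SERVER_HELLO:
        version = payload[4:6]                      # after 4-byte handshake header
        if version == SSL3_VERSION:
            return "ssl3_accepted"
        return "unexpected version %s" % version.hex()
    return "unrecognised record type 0x%02x" % rtype


def probe(host, port=443, timeout=5.0):
    """Send the fallback-signalling SSL 3 ClientHello to a live host (hypothetical use)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_ssl3_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


# Constructed sample responses (not captured traffic):
ACCEPTS_SSL3 = (bytes([HANDSHAKE]) + SSL3_VERSION + b"\x00\x2a"
                + bytes([SERVER_HELLO]) + b"\x00\x00\x26" + SSL3_VERSION
                + b"\x11" * 32 + b"\x00" + b"\x00\x0a" + b"\x00")
HONOURS_SCSV = bytes([ALERT]) + SSL3_VERSION + b"\x00\x02" + b"\x02\x56"   # fatal, 86
SSL3_DISABLED = bytes([ALERT]) + SSL3_VERSION + b"\x00\x02" + b"\x02\x46"  # fatal, 70

if __name__ == "__main__":
    for name, sample in [("accepts", ACCEPTS_SSL3), ("scsv", HONOURS_SCSV),
                         ("disabled", SSL3_DISABLED), ("closed", b"")]:
        print(name, "->", classify_response(sample))
```

Read `ssl3_accepted` as exposed: either the server does not implement the SCSV, or SSL 3 is the best it offers, and in both cases an origin or hostname that returns it needs the upgrade the post describes. Only `fallback_refused` shows the server both supports something newer and enforces the signal.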
Q: What about Akamai's own internal and non-production systems?
A: What is true for Akamai's Platform is also true for Akamai's internal systems: Akamai is completing two phases of updates to the internal systems where we have configuration control. The first phase, now underway, deprecates SSL 3 (and earlier versions); the second phase rolls out support for TLS_FALLBACK_SCSV. For some internal systems, we are watching for vendor patches that may become available.
Q: Can companies detect if someone has attempted to exploit this vulnerability? Has Akamai been attacked?
A: Akamai does not have, nor do we expect to find, evidence of a successful attack against Akamai or its customers using these vulnerabilities. Poodle is a flaw in the protocol itself rather than in any server's code: the adversary forces a victim's browser down to SSL 3 during the handshake and then uses the way SSL 3 handles CBC padding to decrypt one byte at a time across many connections. From the server's side this looks like ordinary SSL 3 handshakes and record-layer errors, so we will not see evidence of exploitation in our logs. Indicators of mass exploitation may be observable indirectly, by looking at the rate of SSL 3 handshakes and at how many handshakes occur per completed request, but finding individual exploitations would be challenging. We have not seen the high ratio of handshakes to requests that would correlate with massive, national-scale exploitation of this bug.
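The indirect signal described above (the rate of SSL 3 handshakes, and the ratio of handshakes to completed requests) can be computed from TLS-termination logs. The Python 3 example below is added for this post and is not Akamai's detection logic; its four-field log format (timestamp, client IP, negotiated protocol, event) and the sample traffic it builds are constructed for illustration. It shows why the ratio is the useful signal: a Poodle victim's browser opens a fresh SSL 3 connection for every guess, and all but about one in 256 of those connections die with a MAC error before a request completes, whereas a legitimate legacy client makes one handshake and then several requests.

```python
"""Indirect Poodle telemetry from TLS-termination logs.

Added example, not Akamai's detection logic. The log format is constructed:
    <timestamp> <client ip> <negotiated protocol> <event>
where event is one of handshake, request, bad_record_mac. Map your own
terminator's fields onto these four before using summarise().
"""
from collections import defaultdict


def parse(lines):
    """Yield (timestamp, ip, protocol, event) tuples, skipping blank lines."""
    for line in lines.splitlines():
        if line.strip():
            ts, ip, proto, event = line.split()
            yield ts, ip, proto, event


def summarise(lines):
    """Return (fleet-wide SSL 3 share of handshakes, per-client SSL 3 counters)."""
    per_client = defaultdict(lambda: {"ssl3_handshakes": 0,
                                      "ssl3_requests": 0,
                                      "ssl3_mac_errors": 0})
    handshakes = ssl3_handshakes = 0
    for _ts, ip, proto, event in parse(lines):
        if event == "handshake":
            handshakes += 1
        if proto != "SSLv3":
            continue                      # only SSL 3 traffic is of interest
        counters = per_client[ip]
        if event == "handshake":
            ssl3_handshakes += 1
            counters["ssl3_handshakes"] += 1
        elif event == "request":
            counters["ssl3_requests"] += 1
        elif event == "bad_record_mac":
            counters["ssl3_mac_errors"] += 1
    share = ssl3_handshakes / handshakes if handshakes else 0.0
    return share, dict(per_client)


def suspicious_clients(per_client, min_handshakes=200, max_requests_per_handshake=0.05):
    """Flag clients whose SSL 3 handshakes vastly outnumber completed requests.

    Poodle needs roughly 256 fresh SSL 3 connections per plaintext byte it
    recovers, and all but about one in 256 of them end in a MAC error before
    any request completes. A legitimate legacy client (one handshake, then
    several requests) sits at the opposite end of the ratio.
    """
    flagged = []
    for ip, c in per_client.items():
        if c["ssl3_handshakes"] >= min_handshakes:
            if c["ssl3_requests"] / c["ssl3_handshakes"] <= max_requests_per_handshake:
                flagged.append(ip)
    return sorted(flagged)


def constructed_log():
    """Constructed sample: a TLS 1.2 client, a legacy SSL 3 client, and a victim."""
    lines = ["2014-10-16T10:00:00Z 198.51.100.7 TLSv1.2 handshake"] * 100
    lines += ["2014-10-16T10:00:01Z 198.51.100.7 TLSv1.2 request"] * 300
    lines += ["2014-10-16T10:00:02Z 203.0.113.9 SSLv3 handshake"]
    lines += ["2014-10-16T10:00:03Z 203.0.113.9 SSLv3 request"] * 4
    for i in range(512):   # victim browser driven through a forced SSL 3 downgrade
        outcome = "request" if i % 256 == 0 else "bad_record_mac"
        lines.append("2014-10-16T10:01:%02dZ 192.0.2.44 SSLv3 handshake" % (i % 60))
        lines.append("2014-10-16T10:01:%02dZ 192.0.2.44 SSLv3 %s" % (i % 60, outcome))
    return "\n".join(lines)


if __name__ == "__main__":
    share, per_client = summarise(constructed_log())
    print("SSL 3 share of handshakes: %.1f%%" % (100 * share))
    print("suspicious clients:", suspicious_clients(per_client))
```

The thresholds are starting points, not tuned values: a legacy device fleet that reconnects constantly will raise the handshake count without lowering the request ratio, which is why the function checks both before flagging a client.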
Q: How does the deprecation of SSL 3 affect Akamai customers?
A: This change most strongly affects customers whose origins support only SSL 2 or SSL 3. We have identified and notified customers whose origins support only these protocols. Our current advice is:
If your origin supports only SSL 2, you will need to upgrade to a supported protocol. Akamai will no longer allow SSL 2 traffic on its Platform, so traffic to such an origin will not be delivered.
If your origin supports only SSL 3, we strongly recommend you upgrade to TLS 1.0 (or a later version) as soon as possible. If you are unable to upgrade your origin before we change the Platform default to make only TLS 1.0 connections, we can enable SSL 3 on the forward side for a short period of time. Please contact your Akamai customer care representative or open a ticket on the Luna Portal. We don't expect to support SSL 3 for any customers past the end of March 2015.
Modern browsers and other clients support protocols newer than SSL 3, so end users on these clients should not be affected by Akamai's Platform upgrade. However, end users of custom or legacy clients that do not support TLS 1.0 will be affected. At the moment, we are unable to clearly identify all of these clients, for a number of reasons. Overall, SSL 3 traffic on the Akamai Platform is well under 3%.
We strongly recommend upgrading clients to TLS 1.0 or later as soon as possible. However, if you are unable to upgrade your custom clients before the end of October, we can extend Platform support for client-side SSL 3 on specific customer hostnames until your upgrade is complete. Please contact your Akamai customer care representative or open a ticket on the Luna Portal.
A word of caution: If you are using the a248.e.akamai.net hostname, we suggest you discontinue it, move to a '.akamaihd.net'-based hostname instead, and ensure your devices stop using SSL 3. The a248 name is a legacy of old Akamai products and is shared across many customers, which makes it difficult for us to support customers' fine-grained needs for secrecy and availability.
Q: For Akamai customers that have legacy SSL 3 clients and/or origins and want to opt out of the enhanced security, how long can they continue to operate in the opt-out mode?
A: We are allowing a temporary opt-out only for SSL 3 traffic. Some time ago, we began to limit the availability of SSL 2; we are now going to deny SSL 2 traffic permanently, and we will take the same action on SSL 3 in the future. We have not yet determined the exact dates. We strongly encourage you to migrate away from SSL 3 as soon as possible. To request a temporary exemption, contact Akamai Customer Care or open a ticket on the Luna Portal. Note that Akamai requires an explicit acknowledgement, made in consultation with your security team, that you have been advised of the security risk.
Q: How will Akamai communicate updates?
A: We will maintain this blog with interesting news from Akamai. As there are new developments, we will do our best to only deliver verified information, sacrificing frequency of updates for accuracy.
For customer-specific information, Akamai customers are also encouraged to check their Luna Portal advisories or contact their account teams directly.
Contributors to this article:
Daniel R. Abraham