Secure Sockets Layer (SSL) is a predecessor protocol to TLS – Transport Layer Security. These encryption technologies have been until recently, used concurrently.

A vulnerability using the acronym POODLE (Padding Oracle On Downgraded Legacy Encryption) has recently been discovered, and while there are no currently known active exploits, it is still a cause for concern.

What does the vulnerability expose?

Attackers can use the vulnerability to man-in-the-middle systems, stealing (amongst other things) passwords and institutional data. 

Who will this affect?

The vulnerability will affect everyone. All Internet/web enabled or connected user traffic still using the out dated SSL protocol.

Recommended Course of Action

The only way to fix Poodle is to disable all versions of SSL on the server and client. The important thing to take away from this note is that venders such as Mozilla WILL begin disabling SSL3.0 on November 25, 2014. Other venders are likely to follow suit shortly thereafter. There are NO negotiations or say in the matter.

System Administrators and Self-managed Units

Start evaluating your systems and disabling SSLv2.0 and 3.0, sooner rather than later to figure out which of supported applications may be affected.

Most applications presently utilize TLS, so the transition in terms of end user experience, for most applications should be transparent. It is the older home grown and/or legacy type applications that would need additional attention to see if they are still functional given the switch.

Units are encouraged to work directly with their support staff and/or vendor(s), if support contract exists, for updates and or patches once available.

End Users and Home Users

Make sure your systems are set to automatically pull in and run updates as soon as they are available. Check with your local IT staff or browser vendor's website to see when an update to disable SSL in the browser (client) might be available for install.

For your home or personal machines:

Apple Safari users - Run software update

Firefox users - Update to the most current version. Then:

Open up a browser and type in: about:config

In the search field type: security.tls.version.min

Double click the entry fore security.tls.version.min and manually change the figure to 1

Google Chrome:

For Mac: Chrome will update automatically - no manual configuration necessary.

For Windows:

Right click at your Chrome's desktop icon

Properties

At the end of the target field enter:
" --ssl-version-min=tls1" (with space but without quotes).

Apply

Reboot Chrome completely via the menu or with [ctrl + shift + Q].

Internet Explorer:

Go to Control Panel

Internet Options

Advanced

Scroll toward the bottom of the list and uncheck SSL 2.0 and 3.0

Click Apply and close out.

 

References

How POODLE Happened

Mozilla Blog: The POODLE attack and the End of the SSL3.0

POODLE announcement

Test for web browsers

Article number: 
104952
Last updated: 
May 19, 2016
Category: